One of the persistent challenges internal auditors face is finding alignment with stakeholders on the risks that most threaten their organizations. For many years, I have written about the importance of building relationships with those we work for and with to nurture communications that support alignment. Indeed, the most common advice I’ve offered to chief audit executives (CAEs) over the years is “know what is keeping our stakeholders up at night” and “follow the risks.”
A recently published report from Protiviti and the North Carolina State University ERM Initiative helps shed light on that alignment (or misalignment). Executive Perspectives on Top Risks: Key Issues Being Discussed in the Boardroom and C-suite (PDF) examines risks facing organizations in 2021 and beyond as seen by a wide variety of respondents, from board members to every position that makes up the C-suite, including CAEs.
Two key takeaways from the report offer a good news/bad news scenario. First the good news: There is encouraging uniformity across the respondent mix about the No. 1 risk facing organizations in 2021 — the impact of COVID-19-related policies and regulations on business performance. The bad news: That’s where the consensus ends. While this is not ideal from an ERM perspective, it is useful in building awareness of the critical need for alignment.
For example, the second-highest-rated risk as identified by CAEs — managing cyber threats — does not show up in any of the top five risks for CEOs, chief financial officers (CFOs), or chief risk officers (CROs). That is not to say cyber doesn’t continue to be a top risk, coming in at sixth overall. However, it is significant that, among C-suite respondents, only CAEs view it among the top five risks in 2021.
CAEs’ focus on cybersecurity also is reflected in the upcoming 2021 North American Pulse of Internal Audit report. Cybersecurity, in fact, has ranked as the highest-rated risk among Pulse respondents every year from 2016 through 2020. It is important to note that the survey for this year’s Pulse report was conducted in October/November, reflecting the significant influence of the pandemic on CAEs’ overall risk assessments. Yet, the Pulse data also shows that cybersecurity as a percentage of audit plan allocation remains a lower priority, ranging from 6% to 8% over the same five-year period.
So, what are the more significant risks on the minds of our stakeholders? Two additional risks made the top five for boards, CEOs, and CFOs in the Protiviti/NC State report: Economic conditions in markets may significantly restrict growth opportunities, and market conditions imposed by the pandemic may impact customer demand for products and services.
I should note that the survey grouped the 36 risks rated by respondents into three broad categories: macroeconomic, operational, and strategic. That also offers insights into how each respondent group views risk. For example, CEOs and CFOs rated three macroeconomic risks among their top five, while three of the top five CAE-rated risks were operational. Additionally, both CEOs and CFOs included one strategic risk — risk involving the pandemic’s impact on consumers’ demand for products and services. CAEs did not include any strategic risks in their top five.
However, we should take heart in that the three nonstrategic risks that show up in the boards’ top five matched those of CAEs, although not in the same order.
The Protiviti/NC State report is rich with data and provides voluminous analysis. In addition to the comparison of risk views for 2021, respondents also were asked for their longer term risk views (2030). What’s more, the report provides analysis by organization size, industry, geographic region, and public versus nonpublic. I encourage all my readers to download the free report and delve into the details.
One of the report’s key observations offers an important insight that all risk management players should understand and take to heart:
“The results reflect how different roles assess risks differently in different environments and economic periods, and emphasize the critical importance of bringing numerous stakeholder viewpoints to bear in risk discussions. It is of paramount importance that both the board and the management team engage in dialogue regarding the critical enterprise risks, given the different perspectives each brings to the table and the potential for a lack of consensus. Without clarity of focus, the executive team may not be aligned with the board on what the top risks are. Worse, they may not be appropriately addressing the most important risks facing the organization, thereby leaving the organization potentially vulnerable to certain risk events.”
The still-raging global pandemic provides two important lessons in relation to risk management: It has alerted most organizations to weaknesses in controls and crisis management planning, and it has heightened awareness of the value of risk alignment. CAEs would be well-served to examine the views of stakeholders in the Protiviti/NC State report and leverage the insights to improve risk alignment in their own organizations.
While all of this information provides valuable insight into the state of alignment in how internal audit and its stakeholders view risks, it doesn’t really help with one of the most significant challenges internal auditors face: How are we to follow the risks if everyone is pointing in a different direction? I believe there are three keys: communicate, communicate, communicate. When internal auditors see disparity in how risks are being rated by internal audit’s stakeholders, we should speak up and speak out. We must be courageous enough to alert board members and management when their perspectives on risks facing the organization diverge.
We may not have all the answers, but we are ideally positioned to ask the questions. To blindly undertake our own risk assessments and craft our own audit plans without questioning why we see risks where others don’t is a perilous course. We must be the voice our organizations need to hear.
Once we have highlighted the differences in views, we should offer an audit plan that addresses the risks most crucial to our organizations. There will be risks addressed on the audit plan that may not be high on the board’s or management’s radar. But such areas of focus should be clearly understood and not the product of silence or miscommunication.
As always, I look forward to your comments.