In 2019, I authored a blog titled “The 5 C’s That Should be Keeping Boards (and Auditors) Awake at Night.” I first shared the list at an Institute of Directors (IOD) event in Johannesburg, South Africa. The ensuing blog was very popular, and was shared widely among the internal audit and corporate director communities at the time.
In the blog I noted that the question I dread most in the wake of a high-profile corporate failure is: “Where were the internal auditors?” I also noted a companion question: “Where was the board?” As we all know, there is never a shortage of risks that can come to fruition and create substantial damage to shareholder/stakeholder value in our organizations. While the 5 C’s that I shared then are still risks to many organizations, because the world has changed dramatically since 2019, I have added 2 more C’s (Covid-19 and Climate Change) to the list. So, as we prepare to round the corner into the second half of 2021, here are the 7 C’s worth watching:
Covid-19. Much has been said and written about this pandemic and its far reaching impact on the world and our lives. Covid has spawned twin health and safety and financial crises. By the time the world has navigated the pandemic, it will likely have changed our lives forever. While progress in administering vaccines is being made across the globe, we are certainly not out of the woods. Risk assessments should continue to focus on the health and safety of customers and employees; volatility of supply chains; and business continuity.
Change Velocity. If the past two years have shown us anything, it is that the velocity of change is a direct contributor to the speed of risk. It is influenced by many things, including the Covid pandemic, technology, geopolitics, and natural disasters. All players in the risk management process should be keenly aware of how rapidly a significant disruption can emerge and impact the organization. The risk here is as much about the organization’s ability to cope with the unexpected as the disruption itself, which leads me to the third C on the list, crisis management.
Crisis Management. Covid-19 has repeatedly challenged the ability of organizations to navigate a crisis. As I argued in 2019, how an organization survives a crisis is directly tied to how it plans for one. It is therefore essential to have a vigilant internal audit function with a proactive vision of crisis management. This starts with providing assurance that disaster preparedness plans are in place and are flexible enough to handle sudden upheaval such as the ones experienced in 2020, but robust and detailed enough to give sufficient guidance. When a crisis like Covid occurs, internal audit must actively provide assurance on how crisis management plans are executed.
As with change velocity, organizations must identify and look for the early warning signs of developing crises. Equally as important is for internal audit to help position the organization to look for the silver lining in the clouds by helping to identify the fleeting moments when crisis can be turned to opportunity. Many technology companies and online retailers have done exactly that over the past 18 months.
Cybersecurity. As I wrote in a blog last month:
In this day and age, how anyone can be surprised by a cyberattack is beyond me. Yet, according to IIA research, corporate board members often maintain a misplaced level of confidence in the effectiveness of cybersecurity risk management. From my experience, internal auditors are often not much help because they struggle with adequate resources and a lack of expertise to assess the effectiveness of this critical risk.
In little more than a decade, cybersecurity has grown from an obscure IT issue to one that dominates the risk landscape of nearly every organization. The potential for financial, reputational, and increasingly regulatory damage seems to grow exponentially each year. Indeed, in just the past five years, risk management involving cybersecurity has evolved from preventing cyberattacks to responding to the inevitable cyber breach, protecting data, and complying with increasingly stringent data privacy laws and regulations. In the last week alone, the cyberattack against the United States’ largest oil pipeline has exposed once again the serious vulnerabilities to our infrastructure.
Compliance. Regulatory compliance is listed among the top five risks of virtually every survey of C-suites and boards. The new US president and his administration are likely to pursue new regulatory, enforcement, and legislative priorities that will affect businesses across the nation. As we all know, new legislation and regulation begets new compliance risks. These new and emerging compliance risks only promise to become more complex and demanding in the years ahead. I have written in the past that the arc of the regulatory pendulum tends to swing wider in times of crisis. We are certainly living through one of those times.
Culture. Culture continues to be one of the most overlooked yet substantial risks that organizations face because it plays a significant role in so many other risks. An organization’s culture influences every aspect of risk management, from efforts to stop simple phishing attacks to the organization’s overall ability to collect, manage, leverage, and protect data.
Internal audit must become more comfortable and skillful about auditing culture, but it also must educate stakeholders about its pervasive impact throughout the risk portfolio.
Climate Change Although climate change was certainly a risk in 2019, I didn’t include it in the 5 C’s in my blog. However, two year later the potential for impacts of climate change on our lives is becoming every clearer. Climate change is clearly going to be a priority of the new administration. As an article in JDSupra.com recently reported:
The Biden-Harris administration has set its sights on an ambitious environmental policy agenda, focusing on climate change and environmental justice as key initiatives, and intends to implement its agenda through an “all of government” approach. The all-of-government strategy employs a coordinated, multi-department, multi-agency approach to address particularly complex problems.
The 7C’s of risk that should be on our radar are inevitably interconnected. Just as Covid-19 and change velocity impact and dictate crisis management, so does culture influence cybersecurity, compliance and how we address issues like climate change. Boards must remain on high alert regarding these risks, and internal audit must educate stakeholders on this complex web of related risks and be prepared to provide assurance and insight to help the organization navigate them.
As always, I look forward to your comments.