For four years, the Chartered Institute of Internal Auditors has produced ‘Risk in Focus’, an “annual barometer of what Chief Audit Executives (CAEs) perceive as their organisations’ risk priorities”. This year, with more responses than ever before, it breaks down the 10 key risks that are, and should be, referenced within forthcoming audit plans.
Within the top ten there are few mismatches: higher priority risks are generally given more audit time and effort, and lower priority risks less. This summary article focuses on the top three risks in the first category (‘What are the top five risks to your organisation?’, as opposed to ‘What are the top five risk areas on which internal audit currently spends more time and effort?’), along with environment and climate change, which has seen an unprecedented rise since last year.
Cyber Security and Data Security
Since the introduction of GDPR, cyber security is no longer just a problem for finance and for those in charge of company reputation; it now has a compliance dimension as well. It is not surprising, then, that 21% of the organisations that took part saw it as the single biggest risk, placing it in the top spot. It is reassuring that it also placed first in the amount of time and effort being spent on it.
Major cyber security incidents over the past few years mean that auditors no longer have to fight for recognition of this risk, and 78% of the CAEs interviewed anticipated including cyber security assessments in their upcoming plans. This number is unlikely to decrease in the years ahead, as attacks continue to evolve and breaches continue to grow in number.
One estimate suggests that 93% of breaches could be avoided by taking simple steps such as training employees and regularly updating software. It is important, then, that internal auditors keep track of efforts to mitigate information security risks and of any operational changes that might affect the business’s risk profile.
Within the first 8 months of GDPR there were 10,600 reported data breaches in the UK and 59,000 across Europe, damaging many reputations along the way. It is those companies seen to be putting strong defences in place that are able to thrive, building trust with customers and stakeholders. This is just one of the many reasons the Chartered Institute of Internal Auditors is urging CAEs to equip their departments with the “necessary technical resources, either by sourcing temporary external expertise, recruiting permanent information security auditors, or taking an expertise-first approach by recruiting a technical security specialist who can then be trained to audit.” It advises that cyber security assurance should ideally not be fully outsourced, since understanding the nature of the organisation’s changing environment and operations is crucial.
Regulatory Change and Compliance
“In 2008 there were 8,704 financial regulatory publications, changes and announcements globally; by 2016, this figure had surged to 52,606”.
This deluge means that more than one in ten respondents regard regulatory change and compliance as the single biggest risk, while more than half place it within their top five.
2018 saw the introduction of core pieces of regulation: not just GDPR but also MiFID II and the second Payment Services Directive (PSD2). These, combined with a rise in enforcement, have increased the pressure on organisations to keep up with the changing landscape and avoid fines like those levied against ING and Standard Chartered (€775m and £102m respectively). To manage this, internal auditors should seek evidence that the compliance function is updating processes to keep them in line with changing laws and regulations.
Digitalisation and Business Model Disruption
One of the few risks showing a marked mismatch between the risk reported and the time and effort spent on it, Digitalisation and Business Model Disruption is currently not getting enough attention: 58% of CAEs saw it as a top five risk, yet only 30% reported it as one of the five areas on which they spent the most time.
Complacency, and a fear that new technologies may fail to return on investment, have led some companies to fall behind. While there are perils in change, failing to keep up may also lead a company down a dead-end track. Using Netflix as an example of a disruptor, Risk in Focus suggests that Blockbuster’s inability to change and adapt was its downfall. Understanding how, why and when to disrupt, or to retaliate against existing disruptors, may be a challenge, but internal auditors will most likely feel increasing expectations from boards to support digitalisation efforts. Even as this grows in priority as a strategic threat, it also represents a significant opportunity to innovate and evolve.
Environment and Climate Change
14% of CAEs now view environment and climate change as deserving of a top five position, a 75% increase on the number who referenced it as a priority risk last year.
As the issue has gained traction with the general public and in the media, businesses must be responsive to public opinion and update their own processes to ensure they are doing all they can to be more environmentally friendly. This is not the only factor contributing to the rise in risk, however. Depending on the sector and geography, climate change “precipitates an array of direct business risks, including physical and operational (e.g. business continuity and supply chain disruption from weather events), regulatory and legislative (e.g. China, India and various European governments placing bans on future fossil fuel car sales), strategic (e.g. the existential threat to fossil fuel producers or consumer companies that ignore shifting customer preferences), financial (e.g. the potential for carbon pricing initiatives to be rolled out worldwide) and so on.”
Last year saw the first “climate change related bankruptcy” when Pacific Gas and Electric, facing billions of dollars in claims for a wildfire that took 86 lives and destroyed 14,000 homes, filed for bankruptcy. We may well see more such stories in future, and not all of them will be due to company negligence: the financial services sector is already reporting a rise in the volume of weather-related claims, which could prove damaging over time.
Internal auditors should therefore be investigating whether risk assessments have been carried out to determine any potential impacts, and making senior management aware that companies with strong sustainability credentials are favoured by both investors and customers. Like disruption, climate change is not only a risk but also a significant business opportunity.
The full Risk in Focus report is available from the Chartered Institute of Internal Auditors.