By Dominic Falzon

For four years, the Chartered Institute of Internal Auditors has been producing an “annual barometer of what Chief Audit Executives (CAEs) perceive as their organisations risk priorities” with ‘Risk in Focus’. This year, with more responses than ever before, they have broken down the 10 key risks which are and should be referenced within forthcoming audit plans.

Within the top ten, there are very few risks which are mismatched, in that higher priority risks are given more audit time and effort and vice versa. The top 3 in the first category (‘What are the top five risks to your organisation?’ as opposed to ‘What are the top five risk areas on which internal audit currently spends more time and effort?’) are the areas which we will be focussing on within this summary article, along with environment and climate change, which has seen an unprecedented rise since last year.

Cyber Security and Data Security

Due to the implementation of GDPR, we can see that cybersecurity is no longer just a problem for finance and those in charge of company reputation. Taking on a compliance dimension also, it’s not surprising to see that it was seen as the single biggest risk to 21% of the organisations that took part, taking the top spot. It’s reassuring then to see that it also placed first in the amount of time and effort being spent upon it.

Major cyber security incidents over the past few years have meant that auditors no longer have to fight to increase recognition of this risk and 78% of CAEs interviewed anticipated including cybersecurity assessments in their upcoming plans. This number isn’t likely to decrease over the years either, as breaches are constantly evolving and continuously growing.

One estimate suggests that 93% of breaches can be avoided by utilising simple steps, such as training employees and regularly updating software. It is important then that internal auditors keep track of efforts to mitigate information security risks and of any operational changes which might impact upon the businesses risk profile.

Within the first 8 months of the introduction of GDPR, there were 10,600 data breaches in the UK and 59,000 across Europe, decimating many reputations across the way. It is those companies which are seen to be putting in place great defences which are able to thrive, building trust with customers and stakeholders. This is just one of the many reasons the Chartered Institute of Internal Auditors are urging CAEs to equip their departments with the “necessary technical resources, either by sourcing temporary external expertise, recruiting permanent information security auditors, or taking an expertise-first approach by recruiting a technical security specialist who can then be trained to audit.” They advise that any cyber security assurance will ideally not be fully outsourced, as understanding the nature of the organisations changing environment and operations is crucial.

Regulatory Change and Compliance

“In 2008 there were 8,704 financial regulatory publications, changes and announcements globally; by 2016, this figure had surged to 52,606”.

This deluge has meant that over one in ten respondents agreed that regulatory change and compliance is the single biggest risk, whilst more than half put it within their top five.

2018 saw the introduction of core pieces of regulation, not just GDPR but also MiFID II and the Payment Services Directive 2. These combined with a rise in enforcement has led to an increased pressure for organisations to keep up with the changing landscape and avoid fines like that levied against ING or Standard Chartered (€775m and £102m respectively). In order to manage this, internal auditors should be seeking evidence that the compliance function is updating processes to keep them inline with changing regulations and laws.

Digitalisation and Business Model Disruption

One of the few risks which saw a marked mismatch between the risk reported and the risk seeing the most time and effort, Digitalisation and Business Model Disruption is currently not garnering enough attention. 58% of CAEs saw it as a top five risk and yet only 30% reported it was one of the top five areas which they spent the most time on.

Complacency and a fear that new technologies may fail to return on investment has led to some companies falling behind and whilst there are perils to change, not ‘keeping up with the Joneses’ may also lead a company down a dead-end track. Using the example of Netflix as a disruptor, Risk in Focus suggests that Blockbusters inability to change and adapt was its downfall. Whilst understanding how, why and when to disrupt, or retaliate against existing disruptors, may be a challenge, internal auditors will most likely feel increasing expectations from boards to support digitalisation efforts. Even though this may increase in priority as a strategic threat, it also represents a significant opportunity to innovate and evolve.

Climate Change

Representing a 75% annual increase on the number of CAEs who referenced the environment and climate change as a priority risk last year, 14% now view this issue as deserving of a top five position.

As the issue has gained traction with the general public and within the media, businesses must be careful to be open to public opinion, updating their own processes to ensure they are doing all they can to be more environmentally friendly. This isn’t the only factor contributing to the rise in risk however, as depending on the sector and geography, climate change “precipitates an array of direct business risks, including physical and operational (e.g. business continuity and supply chain disruption from weather events), regulatory and legislative (e.g. China, India and various European governments placing bans on future fossil fuel car sales), strategic (e.g. the existential threat to fossil fuel producers or consumer companies that ignore shifting customer preferences), financial (e.g. the potential for carbon pricing initiatives to be rolled out worldwide) and so on.”

Last year we saw the first “climate change related bankruptcy” when, facing billions of dollars in claims for a wildfire that claimed 86 lives and 14,000 homes, Pacific Gas and Electric folded. It’s possible that in the future we may see more of these stories, not all of it due to company negligence. In fact, the financial services sector is already reporting a rise in the volume of weather-related claims which could be damaging in the future.

Internal Auditors should then be investigating whether risk assessments have been carried out to determine any potential impacts, making senior management aware that companies with strong sustainability credentials are favoured by both investors and customers. Like disruption, climate change is not only a risk but a big business opportunity.

Please click here for the full report.

Related blogs

Swipe to view more

13th November 2020

It’s the most wonderful time of the year…to hire!

Read story
13th October 2020

Goodman Masson Salary Guides

Read story
12th October 2020

Recruiter insights: Gender diversity.

Read story
12th October 2020

Battling low self confidence at work.

Read story
12th October 2020

A day in the life of a Treasurer.

Read story
12th October 2020

Recruiter insights: Rec Tech.

Read story
12th October 2020

Should men take a pay cut to level the field?

Read story
12th October 2020

Why we finish early on Friday.

Read story
12th October 2020

Rise and shine: The best ways to start your day.

Read story
12th October 2020

A day in the life of an NHS Finance Business Partner.

Read story
12th October 2020

Why we’ve turned our back on formal dress codes.

Read story
12th October 2020

Being ignored at work.

Read story
12th October 2020

The importance of a good nights sleep.

Read story
12th October 2020

Creating trust between colleagues.

Read story
12th October 2020

The rise of insecure overachievers.

Read story
12th October 2020

Panicking over probation periods.

Read story
12th October 2020

Getting involved: Exploring collaborative working.

Read story
12th October 2020

4 ways to start a career in Compliance.

Read story
12th October 2020

A day in the life of a Management Accountant

Read story
12th October 2020

Imposter syndrome.

Read story
12th October 2020

Honesty online.

Read story
12th October 2020

Beating the unemployment blues.

Read story
12th October 2020

Four day weeks and flexible working.

Read story
12th October 2020

Views from the top: Taking back control of the development process.

Read story
12th October 2020

The pressure to be productive during isolation.

Read story
12th October 2020

Stepping up with Pascale Nicholls.

Read story
12th October 2020

Stepping up with Patrick Barker.

Read story
12th October 2020

Stepping up with Otto Balsiger.

Read story
12th October 2020

Stepping up with Catherine Fisher.

Read story
12th October 2020

Employee spotlight: Cheyne Cole.

Read story
12th October 2020

The happiest jobs in the UK.

Read story
12th October 2020

A day in the life of an ESG Investment Analyst.

Read story
1st October 2020

A day in the life of a Senior Internal Auditor.

Read story
1st October 2020

The ‘parent card’.

Read story
1st October 2020

A day in the life of a Credit Controller.

Read story
1st October 2020

Cancelling an interview.

Read story
1st October 2020

In-office benefits: Helping or hurting?

Read story
1st October 2020

Ageism in the workplace.

Read story
1st October 2020

Snow White and the seven bad candidates.

Read story
1st October 2020

Is silence really golden.

Read story
1st October 2020

Protecting your online reputation.

Read story
1st October 2020

A look at Risk in focus.

Read story
1st October 2020

Top tips for choosing a mentor.

Read story
1st October 2020

Battling burnout.

Read story
1st October 2020

Enemy employees.

Read story
1st October 2020

IR35 with Director Catherine Kellaway.

Read story
1st October 2020

5 celebrities that would make great recruiters.

Read story
1st October 2020

Learning from Stonewalls top LGBT employers.

Read story
1st October 2020

How AI is changing London.

Read story
1st October 2020

A day in the life of a Trade Support Analyst.

Read story
1st October 2020

Views from the top women in Tech with a Clinical Technology Director.

Read story
1st October 2020

Our Approach to Diversity and Inclusion.

Read story
1st October 2020

How AI is affecting your sector.

Read story
1st October 2020

Navigating difficult times utilising Technology?

Read story
1st October 2020

Working from home for a while.

Read story
×

Oops! We could not locate your form.