At this time last year, no one could have predicted how 2020 would play out and how we all, individuals and organizations alike, would be dealing with one of the most disruptive forces to arise in most of our lifetimes. It’s a safe bet that “pandemic” wasn’t on many risk assessment reports as 2019 ended, at least not in the United States. While the start of vaccinations brings some hope that the COVID-19 pandemic will begin to subside, 2021 is still set to arrive with much uncertainty on the horizon. And we all know that if there is one thing business managers abhor, it is uncertainty.
Identifying the top risks that companies will need to consider during this coming year is no easy task, given this unpredictability, but that hasn’t stopped some organizations from trying. The following discussion derives from surveys of what risk-management, internal audit, finance, and other executives consider to be the top risks of 2021 conducted by such organizations as AuditBoard, the Institute of Internal Auditors, Protiviti, and others.
Some of the risks organizations will be forced to grapple with in 2021 are among the usual suspects that perennially appear on lists of the top risks, such as cybersecurity, regulatory risks, and risks that stem from third-party relationships. Other risks that will be on radar screens in the coming year extend from the unique conditions created by the Coronavirus Crisis and businesses’ reactions to it. For example, those COVID-related risks include mandated business disruptions, supply-chain disruptions, technology security issues created by a remote workforce, and more. It’s also true that there will likely be a wide divergence in the risks some organizations will face in 2021 compared to others—probably the most deviation in some time.
By this, we mean that some companies, such as those in the hospitality, transportation, and restaurant industries, face existential risks related to COVID-19 disruptions, while companies in other sectors, such as technology, healthcare, and financial companies, are dealing with a completely different set of risks, as well as opportunities.
While the risks different organizations are dealing with may be divergent, no company is safe from the uncertainty that complicates decision making at least for the early part of 2021.
Uncertainty itself may not be a specific risk, but it certainly makes risk assessments more difficult. Survey results released by software platform AuditBoard find that the risk landscape will remain greatly amorphous next year rather than returning to more stable pre-pandemic conditions, even if communities begin to bring the pandemic under control. The findings come from a series of surveys conducted at AuditBoard’s recent Audit & Beyond virtual conference, attended by more than 5,000 audit, risk, and compliance practitioners in October. The responses illustrate the long-term changes audit and risk professionals will experience in their roles due to the pandemic and how crucial those individuals will be in helping organizations overcome risk challenges despite gaps in enterprise risk management (ERM) programs.
“Conditions this year have changed drastically due to the pandemic, and audit, risk, and compliance organizations have had to act quickly to adapt to the dynamic risk environment while maintaining operational continuity,” said John Reese, senior vice president of marketing at AuditBoard. “AuditBoard survey responses overwhelmingly showcase how quickly the workplace mindset is shifting, and how important modern audit, risk, and compliance technology has become to support a more remote and connected future.”
The following are risks that should be fully evaluated and will likely have a considerable influence on audit plans in the coming year:
Cybersecurity
Cybersecurity is typically at or near the top of any risk list, regardless of the circumstances. The pandemic, however, has only served to heighten such risks. With employees still working remotely at most organizations, work networks reach far and wide with many more nodes and vulnerability points. IT organizations have a difficult job already securing the networks contained within their facilities. Now they have to ensure the security of various devices and networks used by remote workers. Meanwhile, the growing sophistication and variety of cyberattacks, like phishing scams and ransomware attacks, continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial and productivity loss. “This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm,” the IIA wrote in its OnRisk 2021 report.
Business Continuity and Crisis Management
According to the OnRisk 2021 report published by the Institute of Internal Auditors, business continuity is at the top of the list of risks along with cybersecurity. Certainly it is one of the risks that have been elevated by the pandemic. “Organizations face significant existential challenges, from cyber breaches and pandemics to reputational scandals and succession planning. This risk examines organizations’ abilities to prepare, react, respond, and recover,” the IIA wrote in its report. The emergence of greater business continuity risk puts pressure on organizations to dust off those business continuity and disaster recovery plans and ensure they are up to date and tailored to the current circumstances. Hopefully, most companies have done this already during 2020. It also demonstrates the interconnectedness of risks. For example, it is impossible to talk about business continuity without addressing cybersecurity, supply chain risk, third-party risk, and other considerations.
Regulatory Risk
A changing of the guard in the White House could put a spotlight back on regulatory risk. The Trump Administration worked to roll back regulations on environmental issues, securities law, financial institutions, labor rules, and other areas. The new Biden administration is likely to restore regulations in some areas and create new regulations in others. Regardless, compliance is sure to require some additional emphasis and oversight as regulations continue to change. It’s too early to tell if enforcement actions in such areas as the Foreign Corrupt Practices Act and securities law will intensify and bring new regulatory risks to companies. Even without a change in U.S. leaders, regulatory risk continues to grow in significance, partly due to the increasingly global nature of business and international regulators' willingness to enact new rules. For example, many companies are still digesting the landmark EU General Data Protection Regulation, even though it went into effect in May of 2018. Look for increased regulation around the globe related to data governance, climate change and sustainability initiatives, bribery, money laundering, and other areas.
Economic Decline
Another risk that extends directly from the pandemic is the potential in 2021 for economic decline and a related potential decline in product demand. Many prognosticators have predicted a quick economic recovery from the decline caused by COVID-19 disruptions, but it's also possible that the economy does not bounce right back. The pandemic has crippled several industries, including airlines, hotels, restaurants, cruise ship companies, and many others. The effects could last well into the new year and beyond. Some companies have reacted with layoffs and reductions in capital expenditures that could further contribute to a challenging economic environment. Undoubtedly, internal audit leaders will need to keep a finger on the economy's pulse and consider how economic conditions—as well as related factors such as interest rates, currency exchange rates, and the labor market—could impact strategic plans and company objectives.
Fraud
Fraud is another risk that has been affected by the pandemic. The Coronavirus Crisis, bringing about an increase in remote work and large employee furloughs, has opened up new avenues for fraud. The global economic contraction harms employee morale and has heightened employees' vulnerability to overstepping ethical bounds. The potential for an increase in fraud is such that the IIA has recently issued a report to address that heightened risk, titled A Blueprint to Managing Corporate Fraud. The guide uses the fraud triangle, where opportunity, pressure, and rationalization factor into the occurrence of fraud, and examines how COVID-19 increases the possibility for all three elements. “Anyone with the slightest understanding of fraud is familiar with the concept of the fraud triangle, which identifies pressure, opportunity, and rationalization as the key ingredients,” Richard Chambers, president and CEO of the IIA, said. “The pandemic is fueling the first—pressure—in myriad ways, as its impact on economies threatens the financial well-being of millions of organizations and billions of workers globally,” he said. With more limited management oversight while working from home, employees have more opportunities to circumvent controls. With staff layoffs, segregation of duties might become more lax. Because of other challenges, organizations may not prioritize risk management and the budgets for risk control may decrease.
Supply Chain Disruption
A relative of business continuity risk is supply chain disruption. Closures or problems can quickly migrate up the chain and affect companies anywhere in the world. “Major companies have also had to assess the ongoing viability of key suppliers and, where appropriate, offer financial assistance by paying upfront to ensure their own operations do not go offline,” the Chartered IIA wrote in its recent report, “Risk in Focus 2021.” “Vendor insolvencies have the potential to cause massive disruption.” As the pandemic has wreaked havoc on supply chains, companies have been busy diversifying and seeking new avenues for supplies and materials. They have also had to evaluate existing suppliers' risk profiles and consider the geopolitical risks in the countries where they are located.
Climate Change and Sustainability
From the massive fires in California, Australia, and elsewhere to the most active hurricane season in years, the risks that stem from climate change don’t appear to be abating and will likely intensify in the coming years. Some say risks related to climate change and sustainability are the next big issue on the horizon to have the disruptive force that the COVID-19 pandemic has had this year. Severe weather events will continue to wreak havoc more frequently and impact businesses worldwide in many ways. Climate-related risks are already impacting many organizations. Internal audit can add significant value by assuring identification, mitigation, and management of such risks. Internal audit can also assure climate-related threats and opportunities in four ways: strategy, risk analysis, meeting green finance principles, and reviewing sustainability metrics.
This article is by no means a comprehensive list, but instead an attempt to highlight some of the risks at the forefront of risk assessments and the audit planning process in 2021. Other risks to consider include talent management, data governance, the lasting effects of a remote workforce, digital disruption, and several more.
2021 will likely be a year of rapid change as we look to get the pandemic behind us and deal with its lasting effects. If there is a silver lining from the pandemic, it is that companies have—hopefully—become better at coping with rapid change and more adept at dealing with quickly arising disruptions.
“Businesses are operating in extraordinary times and have had to adapt to new challenges this year like never before,” John Wood, chief executive of the Chartered IIA, said. “Coronavirus has exacerbated existing risks, forcing organizations to think from completely new angles or assign new levels of priority to them. Cybersecurity is a case in point. Though a perennial front-of-mind risk for boards, the rise in remote working means cybersecurity issues have taken on a new dimension, and IT infrastructure has had to adapt in record time.”
To face 2021’s top risks, an agile risk management function that can detect and react to emerging risks as they develop is critical. Having an agile internal audit function that assesses those risks and conducts audits to ensure that the controls and processes deal with them effectively is just as important.