This past year was a busy one for those involved in the risk assessment process, such as internal auditors, risk management executives, compliance officers, and others who have responsibility for assurance and risk management. After the COVID-19 pandemic and its disruptive effects caught nearly every company off guard, companies set out to rethink the risk assessment process, and many have overhauled such systems this year. They are working to make risk assessments more accurate, more encompassing, and more responsive to the quickly changing risk environment of a dynamic and rapidly evolving business world.
As 2021 draws to an end, many companies are setting their sights on 2022 and looking to get a better handle on what risks they are likely to be considering in the coming year. Luckily, they have some help. Along with the beginning of the holiday season comes a raft of surveys and reports that attempt to gaze out beyond the risk horizon and predict the risks and issues that companies will be grappling with for the next 12 months or so.
To be sure, there are some usual suspects that have tended to sit atop most lists of risks to consider for the last few years, such as cybersecurity, managing third-party relationships, and regulatory change. You will find those here, albeit with some new wrinkles. Yet, there are other risks that are growing in concern or landing on such lists for the first time, including a few that are the direct result of the massive disruption and fallout in the wake of the worldwide pandemic.
“COVID-19 created what is arguably the greatest disruption for organizations as well as for internal auditors, due to their enterprise-wide role,” said Richard Chambers, AuditBoard Senior Internal Audit Advisor, in his introduction to a risk survey by AuditBoard, a provider of cloud-based audit, risk, and compliance platforms. “The pandemic heightened risks in virtually every facet of enterprise operations. We’re glad to see that internal auditors have met many of the challenges through transformation and resiliency.”
Indeed, internal audit functions are responding to the more complex risk picture in many ways, including expanding their capabilities. According to AuditBoard’s report, “2022 Focus on the Future, Internal Audit Resilience and Readiness in the New Age of Risk,” internal audit is reacting to existing and new challenges by increasing resources, a trend that’s expected to continue through at least 2025. For example, in 2021 twice as many internal audit leaders (36 percent) reported increased budgets compared with those seeing declines (18 percent), and nearly three times as many (29 percent) increased staff as decreased staff (10 percent). Over the next two years, 52 percent of survey participants forecast budget increases and 46 percent expect to expand their teams, with an emphasis on highly sought skills.
While internal audit functions look to be adding resources, the news isn’t all good. Another report, “OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk,” from the Institute of Internal Auditors (IIA), found some big gaps between what internal auditors identified as the top risks to consider in the coming year and their organizations' capabilities to deal with such risks. For example, while more than 90 percent of all survey respondents identified cybersecurity as a top risk for 2022, just 45 percent rated their capability to address cybersecurity risks as high.
Another finding of the OnRisk 2022 report from the IIA is that companies are paying more attention to risks that may have a lower probability of occurring, but could have a massive impact on the organization should they materialize. That trend is likely a direct result of the pandemic, which wasn’t on many risk radar screens, but later proved to be the most disruptive force most companies have ever had to deal with.
“Board members, C-suite executives, and chief audit executives—the key players in risk management—now know that low likelihood and high impact risks must be given greater consideration,” the report’s authors write. “This realization has jolted boards into greater awareness of risk management weaknesses, energized senior management to build more nimble and resilient organizations, and positioned internal audit to deliver broader value.”
As it has for the last three to five years, cybersecurity once again tops nearly every list of the top risks for 2022. And while many of these lists consider cybersecurity and data privacy separately, we are combining them here as they tend to be two sides of the same coin. Protecting the privacy of the data of customers and employees relies heavily on the same network security systems and data governance principles that are designed to protect the data of the company itself.
Despite the time, energy, and money that organizations have spent on cybersecurity over the last several years, the issues they face in the area are far from solved. According to IIA’s OnRisk 2022 survey, cybersecurity remains far above other issues as “risks likely to affect organizations in 2022.” Indeed, 97 percent of chief audit executives ranked it a 6 or 7 on a 7-point scale of relevance, the highest rating.
“The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial impacts,” the report’s authors wrote. “This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm.”
Interestingly, it doesn’t appear that cybersecurity and data privacy will be receding as top risks anytime soon. Respondents to the AuditBoard “Focus on the Future” survey said that cybersecurity would continue to be a difficult issue in the years to come. More than 80 percent said it would be an “above average risk” in 2025.
Perhaps the big story in 2021, along with inflation and supply chain disruptions, has been the difficulty hiring workers, and internal audit staffs have been no exception. The pandemic has forced employees to rethink their priorities, with some deciding they wanted to move to other professions or make fundamental changes to their careers. Many CAEs have reported difficulties in finding qualified candidates to fill internal audit jobs, and searches are taking longer than they have in the past. Add to that the use of a largely remote workforce, which is expected to continue into 2022, and you have the makings of some disruption and increased or changed risks in the hiring and talent management area. Indeed, both the OnRisk 2022 and AuditBoard surveys found that it was expected to be the second most pressing or relevant risk in 2022.
“The increased need for and acceptance of remote operations, including working from home, as well as continued dynamic labor conditions, are redefining how work gets done,” wrote the authors of the OnRisk 2022 report. “This risk examines the challenges organizations face in identifying, acquiring, upskilling, and retaining the right talent to achieve their objectives.”
This risk will only intensify. With organizations looking to hire more internal auditors in the next year from a potentially decreasing pool of candidates, expect the competition and the potential for “poaching” to increase. To combat this risk, internal audit functions may need to increase salaries for internal auditors and provide the added flexibility in schedules that many internal audit staffers are looking for.
Environmental, social, and governance topics, known collectively as ESG, and reporting on such issues are likely to grow dramatically in importance in 2022 and will also likely be heightened risk areas in the coming months. Last March, the Securities and Exchange Commission announced the creation of a Climate and ESG Task Force in the Division of Enforcement. If that’s not enough to heighten the concerns of internal auditors to the risks of climate change and ESG reporting, the SEC also said it was looking at developing new standards for improved climate change and ESG reporting, which could emerge as soon as next year. Getting those processes up to par and ensuring reliability and accuracy in ESG reporting in the coming months could be a mammoth undertaking for internal audit.
Certainly, climate change issues are climbing the ranks of risks that concern all organizations. From the massive fires in California, to the most active hurricane season in years, the risks that stem from climate change and sustainability will likely intensify in the years ahead. Indeed, some say risks related to climate change and sustainability are the next big issue on the horizon to have the potentially disruptive force that the COVID-19 pandemic has had during the last several months. Severe weather events will continue to wreak havoc more frequently and will impact businesses across the globe in many ways. And the focus on ESG reporting will force organizations to think more clearly and adopt better processes for defining and measuring their own climate change initiatives.
According to the authors of IIA’s OnRisk 2022 report, “organizations are facing increased pressure from stakeholders, including regulators, customers, and employees, to evaluate and disclose how they are impacting the environment in which they operate. This risk examines the ability of organizations to reliably measure, evaluate, and accurately report on their environmental impacts.”
Clearly, a top risk that has emerged this year is supplier and vendor management. Look no further than the thousands of containers backing up in ports around the world, along with product and parts shortages and the high costs of transportation, and it’s easy to see how supply chain management has become a massive risk for organizations to manage and one that will likely continue well into 2022.
“The disruption to business-as-usual operations globally, rooted in the global pandemic, has highlighted the need for resilience in supply chains in support of organizations’ achievement of strategic objectives,” wrote the OnRisk 2022 report authors. “This risk examines whether organizations have built in the flexibility to adapt to current and future supply chain disruptions.”
Indeed, supply chain disruptions show how one risk can affect others as the fallout from the pandemic continues to wreak havoc on the transaction of business around the world.
As the pandemic has created disruptive waves through supply chains affecting most companies, those organizations have attempted to diversify suppliers and look for new providers for supplies and materials. They have also had to reevaluate the risk profiles of their existing suppliers and consider the geo-political risks in the countries where those suppliers are located, as well as the potential for further disruptions either related to logistics or to continued COVID-19 outbreaks.
Another perennial staple on the lists of top risks is regulatory change. We have already covered how the SEC plans to take a closer look at ESG and climate change disclosures, but that’s just the tip of the iceberg. Companies must deal with an array of regulatory changes from agencies including the FDA, EPA, and OSHA, not to mention the continued regulations that stem from the pandemic. Federal agencies are likely to get more involved in how organizations bring workers back to the office, including vaccine mandates, mask mandates, and increased accommodations for workers who are more vulnerable to the coronavirus due to health issues.
It’s not just U.S. regulators that create risks around regulatory changes. The E.U. is still ramping up enforcement of its General Data Protection Regulation (GDPR) and far more companies are likely to become ensnarled in its nets next year. The E.U. is also putting into effect its new Whistleblower Protection Directive, which takes effect in December, and many companies admit to not being prepared for it.
“Fundamental changes in government appetite for regulation can have a significant impact on organizations, including those not considered heavily regulated,” wrote the OnRisk 2022 authors. “This risk examines the challenges organizations face in a dynamic and ambiguous regulatory environment.”
While these are the risks that are expected to be front and center during 2022, there are sure to be many more, including fraud, economic volatility, political unrest, and many others that will confound companies. One thing is certain: we don’t yet know all of the risks that are likely to emerge in the coming months. If 2020 and 2021 are any indication, organizations must be prepared for almost anything. Along with concentrating on specific risks, organizations would be wise to continue to enhance their systems of identifying and managing risks and take the posture that almost anything is possible.
Joseph McCafferty is editor & publisher of Internal Audit 360.