Identifying the risks for 2021

October 12, 2020

Richard Chambers has shared his valuable insights in another post. In “Europe’s Internal Auditors Are Already Identifying the Risks for 2021” he makes a number of excellent observations, especially his opening paragraph:

As we enter the fourth quarter of a historically difficult and disruptive year, internal audit leaders around the world are looking to next year with some degree of trepidation. If the COVID-19 pandemic has taught us anything, it is that new risks can emerge at lightning speed and have profound impacts on our organizations and lives.

I also like that he pointed out that internal auditors (at least in Europe, which is where the data is from) are spending their time addressing what were perceived as the top risks.

While he references a report from a consortium of European internal audit associations (ECIIA) that sought to understand what practitioners believed were the top five risks to address in 2021, he said:

As the COVID-19 marathon continues to reshape the risk landscape, internal auditors must be keen to the changing needs of the organization and pivot to address those quickly and effectively.

It’s not just COVID that could be “reshaping the risk landscape”. Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.

Organizations and practitioners need to have:

  • the ability to sense and anticipate what might happen and how it could affect the organization (this is the essence of risk management); and
  • the agility to respond promptly and effectively.

Risk management needs to be continuous (at the speed of risk and the business) and internal audit planning similarly agile.

To some extent, this makes any survey that purports to identify risks further into the future than a quarter, let alone for all of 2021, prima facie ridiculous – especially as the survey was completed at least 4 months ago, six months before the start of 2021.

But the report has some interesting points to make.

Perhaps the most stunning is that neither in this nor in the 2020 report was risk management identified as one of the top five risks.

If you can’t anticipate and address the risks and opportunities ahead, how do you expect to succeed?

Similarly, there doesn’t seem to be any attention paid to the organization’s ability to react when conditions change. While we are talking about internal audit agility, why are we not also talking about the ability of our leaders to change strategies, objectives, and tactics as needed? Do they continue to be rewarded for achieving goals set and agreed with the board during a different time?

Information security remains at the top of the priority list, but I wish that auditors would place a higher level of priority on determining whether the organization has actually assessed the risk to the organization (i.e., not just to information assets). Are they putting sufficient resources or too many towards cyber?

The question posed by the report is totally inadequate:

Has the business performed a risk assessment to identify possible network weaknesses and data assets whose susceptibility to attacks and theft has increased in the last 12 months?

The questions should be:

Has the business performed a risk assessment to understand how a breach might affect the business and the likelihood of an unacceptable effect?

Are prevention, detection, and response measures appropriate to the level of risk?

Is the investment in prevention, detection, and response appropriate to the level of risk?

I am encouraged that liquidity was identified as one of the top three risks for non-financial companies. I would go one step further and include capital and credit risk and I like how a CAE in Belgium referred to ‘financial resilience’.

I said earlier that “Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.”

The ECIIA report talks about “macroeconomic and geopolitical uncertainty” and I am pleased to see 33% of CAEs rated it as a top five risk – while disappointed that 67% did not. I encourage you to read the section from page 35 to 41, including supply chain disruption.

Overall, the ECIIA report is an interesting read for internal auditors.

But our attention should be on continuous audit planning.

I suggest meeting with the CEO and other executives at least monthly and keeping eyes, ears, and noses open and alert.

What are the risks and opportunities that leaders are (or should be) focused on today and expect to be focused on tomorrow?

How can we help with assurance, advice, and insight?

I welcome your thoughts.

  1. October 13, 2020 at 6:24 AM

    ‘How can we help with assurance, advice, and insight?’
    Norman, you ask the question above, ‘Is the investment in prevention, detection, and response appropriate to the level of risk?’ That investment should be directed towards information and that is how IA can help:
    – Has the information required to identify imminent threats and opportunities been identified?
    – Is this information being collected? Such information would include global news, competitors’ press releases, information monitoring the success of decisions made and forecasts.
    – Is this information being sent to the right people?
    – Is the information used as soon as possible?
    – Are staff properly trained in information management and decision making?

    Asking these questions should cover the most significant opportunity/risk: the failure of the governing body to make the correct decisions.

    In addition, you have mentioned regular meetings with the CEO and relevant senior managers. Where there is a Risk Management Function, close liaison is essential. I would have thought meetings to brief each other should be held at least weekly, although I rarely see this emphasised. In the ECIIA report, Risk Management as a function is mentioned only once, by a bank (page 42).

    • Norman Marks
      October 13, 2020 at 7:36 AM

      Well said, David

  2. Bill Spoehr
    October 13, 2020 at 7:07 AM

    Norman – You’ve written many times before that “the annual audit plan is dead”. Absolutely – unless you really enjoy planning for that hard-hitting travel expense audit, that is.

    We’ve never had an annual audit plan since I’ve been CAE – my team reviews our 60-90 day risks and projects with the Audit Committee at quarterly formal meetings and updates sr mgt and the Committee between those meetings via phone calls.

    Our business has evolved rapidly (and successfully) during the pandemic and being “agile” has gone from a concept to a reality for everyone, not just internal audit. Those who refuse to keep up will be forever left behind in irrelevancy.

    • Norman Marks
      October 13, 2020 at 7:37 AM

      Congrats, Bill

    • Abigail Kaseram-Bhagwandeen
      October 15, 2020 at 8:05 AM

      Never had an annual audit plan? This concept is very new to me and sounds extremely interesting. Can you please expand? I am very willing to learn.

  3. Nicholas
    October 16, 2020 at 11:44 AM

    The statement “Those who refuse to keep up will be forever left behind in irrelevancy.” mentioned above is a reality today.
