Boards are under increasing pressure from investors, regulators, and the general public to adapt to and better manage the factors that influence how organizations are created, grow, and succeed—and to do so with transparency and accountability. This requires unparalleled collaboration and harmony of purpose among those charged with risk management.
But findings from a new Institute of Internal Auditors (IIA) report paint a troubling picture that is anything but harmonious. Worse yet, the report’s key findings suggest that boards generally have an overly optimistic—and potentially dangerously skewed—view of how risks are managed.
OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk uses quantitative and qualitative surveys to determine how boards, executive management, and chief audit executives view key risks based on their personal knowledge of the risks and their views of their organizations’ capabilities to address them. Importantly, the report offers an analysis of how those views differ and what that means to an organization’s risk management.
Data analysis for this year’s report reveals varying levels of misalignment among respondents on 11 primary risks. Some of the report’s most important findings include:
Boards have a consistently rosier outlook than others who walk the halls. Executive management’s views on risk management capabilities are consistently more conservative than the board’s, which suggests an even more disconcerting condition: Boards don’t grasp the complexity of the risks their organizations face, aren’t getting the right information to fully understand the organization’s risk posture, or simply take what information is presented to them about risk management at face value. Furthermore, directors are more likely than executive management and chief audit executives to think their organization’s risks are well managed. This suggests better communication pipelines are needed between management and the board to ensure that directors see the full risk picture.
Most survey respondents believe a certain level of misalignment on risk perceptions is acceptable. The qualitative survey found that approximately 7 in 10 respondents expressed the view that some level of misalignment is “healthy.” While some misalignment around individual knowledge is to be expected, a cavalier attitude that such misalignment is somehow healthy is troubling, particularly with respect to misaligned perceptions of an organization’s ability to manage risk.
Certain industries are falling behind when it comes to integrating enterprise risk management processes. Overall, 67% of respondents reported using a systematic approach to identifying, managing, and monitoring risk. However, industries that struggle to develop a coordinated risk management strategy include health care (51%), retail/wholesale (47%), and public/municipal (38%).
Cybersecurity and data are increasingly important for proper board oversight, but respondents seem to have little understanding of these areas. Boards and C-suite executives reported minimal knowledge of cybersecurity and data, which were rated among the most relevant to companies today. For example, fewer than a third of board members and executives interviewed rated their knowledge of cybersecurity at either a six or seven on a seven-point scale (top two). Organizations should make improving their understanding of these areas a top priority. Moreover, predictions by chief audit executives about the growing influence of three risk areas—data and new technology, data ethics, and sustainability—offer organizations an opportunity to proactively address them.
Talent management is on the radar of all OnRisk 2020 respondents. They understand that finding and keeping talent, particularly workers with data and information technology skills, will drive future success.
The Time for Action Is Now
Internal audit is often unfairly criticized as identifying problems without offering solutions. Indeed, a long-standing macabre joke among risk managers is that internal audit’s job is to come in to bayonet the wounded.
One of OnRisk 2020’s significant benefits is that it offers solutions. Through careful analysis of survey data, as well as additional research, the IIA has identified actions each respondent group could take to improve their alignment on risk management and, ultimately, enhance their organization’s ability to address each of the 11 risks examined in the report. One theme for recommendations across a number of key risk areas was for boards to press executive management for more information or more frequent updates on risk management efforts. Another was a push for greater transparency and timeliness from executive management when reporting on key risks. OnRisk 2020’s overarching message is that all organizations can benefit from conducting reviews of risk knowledge and capability perspectives among their boards, C-suites, and internal audit functions.
One definition of risk management is to identify and evaluate risks based on impact and likelihood, then implement necessary controls and processes to leverage or minimize them. Any weakness in an organization’s risk management strategy or its execution is, in itself, a risk. Misalignment among the board, executive management, and internal audit on risk is one such weakness that can and must be corrected.
Richard F. Chambers (CIA, QIAL, CGAP, CCSA, CRMA) is CEO and president of The Institute of Internal Auditors. He has worked as a risk management and internal audit leader for more than four decades.