At the start of last year, no one could possibly have predicted how 2020 would play out, and how we all, individuals and organizations alike, would be dealing with one of the most disruptive forces to arise in most of our lifetimes. It’s a safe bet that “pandemic” wasn’t on many risk assessment reports as 2019 ended, at least not in the United States.
While the vaccination effort brings hope that the COVID-19 pandemic will begin to subside—and the data suggests that is indeed the case—there is still much uncertainty on the horizon. And we all know that if there is one thing business managers abhor it is uncertainty.
Identifying the top risks that companies will need to consider during the remainder of the year is no easy task, given this unpredictability, but that hasn’t stopped some organizations from trying. The following discussion is based on surveys of what risk-management, internal audit, finance, and other executives consider to be the top risks of 2021 conducted by such organizations as AuditBoard, the Institute of Internal Auditors, Protiviti, and others.
Some of the risks organizations will be forced to grapple with this year are among the usual suspects that perennially appear on lists of the top risks, such as cybersecurity, regulatory risks, and risks that stem from third-party relationships. Other risks that will be on radar screens extend from the unique conditions created by the Coronavirus Crisis and businesses’ reactions to it. For example, those COVID-related risks include mandated business disruptions, supply-chain disruptions, technology security issues created by a remote workforce, and more.
It’s also true that there will likely be wide divergence in the risks some organizations will face in the coming months compared to others—probably the most divergence in some time. By this we mean that some companies, such as those in the hospitality, transportation, and restaurant industries, face existential risks related to COVID-19 disruptions, while companies in other industries, such as technology, healthcare, and financial companies, are dealing with a completely different set of risks, as well as opportunities.
Instability Reigns
While the risks different organizations are dealing with may be divergent, no company is safe from the uncertainty that threatens to cloud decision making at least for the next few months.
Uncertainty itself may not be a specific risk, but it certainly makes risk assessments more difficult. In fact, survey results released by software platform AuditBoard find that the risk landscape will remain greatly amorphous next year rather than returning to more stable pre-pandemic conditions, even if communities begin to bring the pandemic under control. The findings come from a series of surveys conducted at AuditBoard’s recent Audit & Beyond virtual conference, which was attended by more than 5,000 audit, risk, and compliance practitioners in October. The responses illustrate the long-term changes audit and risk professionals will experience in their roles as a result of the pandemic, and how crucial those individuals will be in helping organizations overcome risk challenges despite gaps in enterprise risk management (ERM) programs.
“Conditions this year have changed drastically due to the pandemic, and audit, risk, and compliance organizations have had to act quickly to adapt to the dynamic risk environment while maintaining operational continuity,” said John Reese, senior vice president of marketing at AuditBoard. “AuditBoard survey responses overwhelmingly showcase how quickly the workplace mindset is shifting, and how important modern audit, risk, and compliance technology has become to support a more remote and connected future.”
Seven Risks to Consider for the Remainder of 2021
The following are risks that need to be completely evaluated and will likely have a large influence on audit plans in the coming year:
1. Cybersecurity
Cybersecurity is typically at or near the top of any risk list regardless of the circumstances. The pandemic, however, has only served to heighten such risks. With employees at most organizations still working remotely, work networks reach far and wide with many more nodes and vulnerability points. IT organizations have a difficult job already securing the networks that are contained within their own facilities. Now they have to ensure the security of varied devices and networks used by remote workers.
Meanwhile the growing sophistication and variety of cyberattacks, like phishing scams and ransomware attacks, continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial and productivity loss. “This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm,” the IIA wrote in its OnRisk 2021 report.
2. Business Continuity and Crisis Management
According to the OnRisk 2021 report published by the Institute of Internal Auditors, business continuity is at the top of the list of risks along with cybersecurity. Certainly it is one of the risks that have been elevated by the pandemic. “Organizations face significant existential challenges, from cyber breaches and pandemics to reputational scandals and succession planning. This risk examines organizations’ abilities to prepare, react, respond, and recover,” the IIA wrote in its report.
Certainly the greater emergence of business continuity risk puts pressure on organizations to dust off those business continuity and disaster recovery plans and make sure they are up to date and tailored to the current circumstances. Hopefully, most companies have done this already during 2020. It also demonstrates the interconnectedness of risks. It is impossible, for example, to talk about business continuity without addressing cybersecurity, supply chain risk, third-party risk, and other considerations.
3. Regulatory Risk
A changing of the guard in the White House could put a spotlight back on regulatory risk. The Trump Administration worked to roll back regulations on environmental issues, securities law, financial institutions, labor rules, and other areas. The new Biden administration is likely to work to restore regulations in some areas and create new regulations in others. Regardless, compliance is sure to require some additional emphasis and oversight as regulations continue to change. It’s too early to tell if enforcement actions in such areas as the Foreign Corrupt Practices Act and securities law will intensify and bring new regulatory risks to companies.
Even without a change in U.S. leaders, regulatory risk continues to grow in significance, partly due to the increasingly global nature of business and the willingness of global regulators to enact new rules. Many companies, for example, are still digesting the landmark EU General Data Protection Regulation even though it went into effect in May of 2018. Look for increased regulation around the globe related to data governance, as well as climate change and sustainability initiatives, bribery, money laundering, and other areas.
4. Economic Decline
Another risk that extends directly from the pandemic is the potential in 2021 for economic decline and a related potential decline in product demand. Many prognosticators have predicted a quick recovery from the hit to the economy due to COVID-19 disruptions, but it’s also possible that the economy does not bounce right back. The hit from the pandemic has crippled several industries, including airlines, hotels, restaurants, cruise ship companies and many others, and the effects could last well into the new year and beyond. Some companies have reacted with layoffs and reductions in capital expenditures that could further contribute to a difficult economic environment.
Undoubtedly, internal audit leaders will need to keep a finger on the pulse of the economy and consider how economic conditions—as well as related factors such as interest rates, currency exchange rates, and the labor market—could impact strategic plans and company objectives.
5. Fraud
Fraud is another risk that has been affected by the pandemic. The Coronavirus Crisis, by bringing about an increase in remote work and large employee furloughs, has opened up new avenues for fraud. The global economic contraction harms employee morale and has heightened employees’ vulnerability to overstepping ethical bounds.
The potential for an increase in fraud is such that the IIA has recently issued a report to address that heightened risk, titled A Blueprint to Managing Corporate Fraud. The guide uses the fraud triangle, where opportunity, pressure, and rationalization factor into the occurrence of fraud, and examines how COVID-19 increases the possibility for all three elements.
“Anyone with the slightest understanding of fraud is familiar with the concept of the fraud triangle, which identifies pressure, opportunity, and rationalization as the key ingredients,” Richard Chambers, president and CEO of the IIA said. “The pandemic is fueling the first—pressure—in myriad ways, as its impact on economies threatens the financial well-being of millions of organizations and billions of workers globally,” he said.
With more limited management oversight while working from home, employees have more opportunities to circumvent controls. With staff layoffs, segregation of duties might become more lax. Because of other challenges, organizations may not prioritize risk management and the budgets for risk control may decrease.
6. Supply Chain Disruption
A relative of business continuity risk is supply chain disruption. Closures or problems can quickly migrate up the chain and affect companies anywhere in the world. “Major companies have also had to assess the ongoing viability of key suppliers and, where appropriate, offer financial assistance by paying upfront to ensure their own operations do not go offline,” the Chartered IIA wrote in its recent report, “Risk in Focus 2021.” “Vendor insolvencies have the potential to cause massive disruption.”
As the pandemic has wreaked havoc on supply chains, companies have been busy diversifying and seeking new avenues for supplies and materials. They have also had to evaluate the risk profile of existing suppliers and consider the geo-political risks in the countries where those suppliers are located.
7. Climate Change and Sustainability
From the massive fires in California, Australia, and elsewhere to the most active hurricane season in years, the risks that stem from climate change don’t appear to be abating and will likely intensify in the coming years. Indeed some say risks related to climate change and sustainability are the next big issue on the horizon to have the disruptive force that the COVID-19 pandemic has had this year. Severe weather events will continue to wreak havoc more frequently and will impact businesses across the globe in many ways.
Climate-related risks are already impacting many organizations. Internal audit can add significant value by providing assurance over identification, mitigation, and management of such risks. Internal audit can also provide assurance over climate-related threats and opportunities in four ways: strategy, risk analysis, meeting green finance principles, and reviewing sustainability metrics.
The Only Constant is Change
This is by no means a comprehensive list, but instead an attempt to highlight some of the risks that will be at the forefront of risk assessments and the audit planning process in 2021. Some other risks to consider include talent management, data governance, lasting effects of a remote workforce, digital disruption, and several more.
It’s likely that 2021 will be a year of rapid change as we look to get the pandemic behind us and deal with its lasting effects. If there is a silver lining from the pandemic it will be that companies have—hopefully—become better at dealing with rapid change and more adept at dealing with quickly arising disruptions.
“Businesses are operating in extraordinary times and have had to adapt to new challenges this year like never before,” John Wood, chief executive of the Chartered IIA, said. “Coronavirus has exacerbated existing risks, forcing organizations to think from completely new angles or assign new levels of priority to them. Cybersecurity is a case in point. Though a perennial front-of-mind risk for boards, the rise in remote working means cybersecurity issues have taken on a new dimension and IT infrastructure has had to adapt in record time.”
Along with a more agile risk management function that can detect and react to emerging risks as they develop, sometimes seemingly out of nowhere, an agile internal audit function will also be necessary to assess those risks and conduct the audits that ensure companies have the controls and processes in place to deal with them.
Joseph McCafferty is editor & publisher of Internal Audit 360°.