Boards are significantly overconfident when it comes to addressing the most difficult issues their companies face, partly because they are underinformed on top risks, finds a new survey.
According to the report, there is a gap between how board members view key risks and how executive management does, due to insufficient information on those risks reaching the board level. Because of this disparity, boards have greater confidence in their organizations’ ability to manage such crucial risks than members of management do, according to the survey of board members, executive management, and chief audit executives released by The Institute of Internal Auditors (IIA).
The reason for the skewed sense of security on risks ranging from data protection and emerging technology to culture and sustainability: Boards may receive information from management that’s incomplete or misleading, then compound the problem by failing to ask critical questions.
The survey, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, offers a comprehensive view of organizational risk from those who manage it. Through quantitative and qualitative surveys, the report explores how each group perceives and communicates key risks and provides important benchmarking to help organizations align and enhance their risk management strategies and execution.
Among the report’s findings:
- There is a critical misalignment between how executive management views an organization’s capability to manage risks and what is communicated to boards, leading to board members believing risks are better managed than they are.
- A perception of “acceptable misalignment” on risk—some respondents believe some misalignment is to be expected—is prevalent.
- Some industries are lagging in adopting a systematic approach to risk management. These include health care and retail/wholesale, as well as the public/municipal sector.
- Among 11 key risks reviewed in the report, cybersecurity and data management and new technology are especially susceptible to critical knowledge deficits.
- Data management/collection and new technology, data ethics, and sustainability risks are expected to grow in relevance in the next five years.
“The burden is on management to provide the board with an accurate picture of risks that may negatively impact the organization as well as those that present opportunities,” said IIA president and CEO Richard F. Chambers. “But board members also must seek out informed and objective assurance on the information they receive, and internal audit is uniquely positioned to provide that truly independent and enterprise-wide perspective.”
According to the IIA, the inaugural OnRisk report is a significant step in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success. The combination of quantitative and qualitative research provides a robust look at 11 top risks facing organizations and allows for both objective data analysis and subjective insights based on responses from risk management leaders. The qualitative survey is based on 90 in-depth interviews with professionals in North American boardrooms, C-suites, and internal audit functions. The quantitative survey also gathered responses from more than 600 internal audit leaders, primarily chief audit executives.
“It is vital for organizations to not only develop strategies to address risks, but to have an added layer of assurance that examines the effectiveness of the risk strategy and its components,” Chambers said. “No single report provided a holistic view of risk based on the perspectives of the three key players in risk management—until now.”