Are Boards Negligent When Internal Audit Heads Are Hired and Fired?
January 19, 2021I Still Believe Internal Audit Shouldn’t Report to the CFO
January 31, 2021Given the global mission of The IIA, I frequently share global studies that should be of interest to internal auditors around the world. These reports come frequently from organizations such as The World Bank, Organization for Economic Co-operation and Development, International Monetary Fund, and World Economic Forum (WEF).
All of those organizations generate valuable knowledge via thought leadership and other reports. However, in recent years, I have found WEF’s annual Global Risks Report to be particularly valuable. Those who attend my presentations at IIA conferences and other events may recall that I have used more than a decade of risk report data to illustrate the volatility of global risks in the 21st century. WEF’s Global Risks Report 2021 has just been released, and it does not disappoint when delving into the myriad risks that the world faces in the short, medium, and long term.
Generated in the midst of the COVID-19 pandemic, the Global Risks Report 2021 presents a stark reminder that risks are not just a theoretical inventory of things we should worry about; they often present clear and present dangers to global economic order, the health and safety of the world’s citizens, and potentially even the existence of humankind itself.
By this time of the year, most internal audit functions have long since undertaken an annual risk assessment, and they are already executing the annual audit plan. However, as I have written on countless occasions before, risk assessment and audit planning must be a continuous process. In January 2020, few outside of possibly China were seriously worried about COVID-19. Yet, within two months, pandemic-related risks were consuming almost every waking hour. It is precisely because risks are so volatile that a continuous focus is in order.
If I were a practicing chief audit executive in 2021, I would be perusing every resource I could lay my hands on to validate and update my risk assessment. WEF’s Global Risks Report 2021 is such a resource.
For me, the most revealing information is WEF’s classification of risks based on a Global Risks Perception Survey. The report ranks 30 global risks based on when respondents expect they will become critical threats to the world: Clear and Present Dangers (0-2 years); Knock-on Effects (3-5 years); and Existential Threats (5-10 years). While the entire report should be of interest to all of us, I would draw internal auditors’ attention to the Clear and Present Dangers risks. The top 10:
- Infectious diseases.
- Livelihood crises.
- Extreme weather events.
- Cybersecurity failures.
- Digital inequality.
- Prolonged stagnation.
- Terrorist attacks.
- Youth disillusionment.
- Social cohesion erosion.
- Human environmental damage.
By now, you may be asking yourself, “What am I to do with a list like this as an internal auditor?” After all, you really can’t audit risks such as livelihood crises or prolonged stagnation. However, the organizations you serve (whether private sector or government/not-for-profit) will almost certainly be impacted by such risks. As internal auditors, you should be attuned to the risks that your organization may face as you assess its effectiveness in risk management itself. If you are an internal auditor in the retail industry, your company will almost certainly be impacted by infectious diseases (COVID-19), livelihood crises (unemployment), and prolonged stagnation (the economic side of the COVID crisis), to name a few. Your risk assessment should acknowledge these risks, and you should be in conversation with management and the board about how the company is addressing them. The Global Risks Report’spreface indirectly makes this point:
“In 2020, the risk of a global pandemic became reality. As governments, businesses, and societies survey the damage inflicted over the last year, strengthening strategic foresight is now more important than ever. With the world more attuned to risk, there is an opportunity to leverage attention and find more effective ways to identify and communicate risk to decision-makers.”
While the Clear and Present Dangers risks should be prominent in our attention and conversation, don’t overlook the longer-term risks also in the WEF report:
Knock-on Effects (those risks that respondents forecast will become critical in three to five years). The top five:
- Asset bubble burst.
- IT infrastructure breakdown.
- Price instability.
- Commodity shocks.
- Debt crises.
Existential Threats (those risks that respondents believe will become critical in five to 10 years). The top five:
- Weapons of mass destruction.
- State collapse.
- Biodiversity loss.
- Adverse tech advances.
- Natural resource crises.
In late 2019, I wrote a blog in which I forecast that, in the 2020s, “Theworld will be tested by a series of significant political/economic crises.“ While that may not have been a particularly bold prediction, it is certainly proving to be true. How we as internal auditors respond to the remainder of this decade, and how we serve our organizations, is largely up to us. Are we to simply react to every crisis that materializes, or are we to be risk beacons, shining a light on potential risks that lie ahead? This dilemma is indirectly addressed in the WEF report. Its executive summary provides an insightful observation about how we should apply what we’ve learned while battling the pandemic:
“However, if lessons from this crisis only inform decision-makers how to better prepare for the next pandemic — rather than enhancing risk processes, capabilities, and culture — the world will be again planning for the last crisis rather than anticipating the next.”
Internal audit leaders must assess if they are positioned to offer foresight at this critical time, when stakeholders appear most attuned to the value of understanding what risks may lie just beyond the horizon.
I welcome your comments via LinkedIn or Twitter (@rfchambers).