Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
The Institute of Internal Auditors (IIA) just issued “On Risk: A guide to Understanding, Aligning, and Optimizing Risk 2020”. This is the first risk assessment survey conducted by IIA. It is also the first survey which includes responses from board members, the C-suit and the Chief Audit Executive (CAE). This article looks at the results of the survey and its implications.
IIA is an international professional association with a mission of promoting knowledge of risk management, internal auditing and internal control. It is a member of the Committee of Sponsoring Organizations (COSO) which has developed an Enterprise Risk Management (ERM) processes. While the commentary on the survey does not indicate that COSO ERM should be adopted, it does stress the need for a holistic approach to risk management. Thus, IIA is an ERM advocate.
That IIA has conducted a risk management survey is an indication that IIA believes Internal Auditors will be involved with risk management. An example of the type of involvement is laid out in the New South Wales (NSW) Australia risk framework. (The NSW Risk Management Framework, was discussed in an earlier Insight piece.) The NSW framework stipulates that annual audits are to be conducted on the ERM implementation process. (1)
Having set out the implications of the IIA survey, it is time to discuss the survey methodology and the findings.
Two approaches were used for the survey. One was qualitative. The other was quantitative. The qualitative portion consists of 90 in depth interviews of professionals in North America. The quantitative aspect consists of 600 interviews of audit leaders, primarily CAEs. The survey respondents are primarily from North America. The survey covers a broad range of industries are covered.
ERM Use by Industry
Responses indicate that ERM’s implementation is greatest in Finance/Banking (84%). This is followed by Utilities (73%), Education (67%) and Services (65%). ERM’s use is least in the Public/Municipal (38%) sector.
The diversity of ERM implementation reflects the lack of risk awareness in some industrial sectors. Further, larger organizations are more likely to have a comprehensive approach to ERM, than smaller ones.
There are several key findings. One is that board members tend to be overconfident in the organization’s ability to identify and manage risk. Board members also overestimate the organization’s risk maturity level.
There is a misalignment between board members, the C-suit and CEA’s on the nature of the risk an organization faces. This misalignment is caused by different individual perceptions based on their roles. It also reflects that risks are siloed within the organization. These findings are the main reason IIA recommends a comprehensive ERM process. Other findings have to do with the major risks identified by respondents.
The survey identified eleven key risks. The top five risks are shown below in Table 1. It shows the percentage responses for current and future risks.
|Data and New Technology||64%||82%|
The top two current and future risks are cyber security related. While all respondents agree that cyber security is a major risk, IIA is concerned that CAEs may be relaying too much on the optimism of the IT professionals.
A complicating factor can be seen in the two risks ranked lowest. These are Data Ethics and Sustainability. While currently rated the lowest two, the future expectation is that these risks will increase in importance. The change in expectation can be seen in Table 2.
Data Ethics refers to the organization’s values, morals, and principles related to the collection, storage and management of data. It will be the Internal Auditors responsibility to ensure management is adhering to the organization’s principles.
Sustainability relates to Environmental, Social and Governance (ESG) aspects. Organizations are under pressure to meet ESG from regulators, board members and stakeholders. Organizational leaders must continuously review how the organization is viewed by the public and shareholders. Leadership must also adapt to an ever changing social and environmental environment which can impact organizational governance.
The complexity is that Data Ethics is interrelated with the way data is handled and protected. Yet, the determination of how risks are to be handled is not the sole responsibility of IT professionals. It is also the responsibility of upper level management and the governing body. This makes the need for risk management to be handled on a holistic and enterprise wide basis.
A further complicating factor is Sustainability. This risk is multifaceted. It includes concerns about environmental risks, such as the impact of global warming, as well as, company generated pollution, energy use and the treatment of animals. Social risks are the relationships with suppliers and employee working condition. Governance includes the level of transparency of the organization’s accounting methods and whether it is involved in illegal practice.
To the extent that Internal Auditors will be involved in evaluating Data Ethics and Sustainability, their jobs will be difficult. This is because the benchmarks needed by auditors to verify compliance may not be consistent. National and state governments regularly add or modify environmental regulations. Similarly, boards of directors and management add to Data Ethics requirements as needed. These actions may lead to conflicts in objectives and standards.
That IIA has conducted a risk survey indicates the institute believes internal auditors are going to play an increasing important role in risk management. While the IIA report does not specify COSO ERM, it emphasizes the use of a holistic risk management process.
The results show there is consistency in the view of top two current and future risks. These are Cybersecurity and Data Protection. Going forward, they intersect with the second lowest current risk, Data Ethics. This intersection means that there are multiple actors within the organization who’s involvement is needed to effectively manage risks.
The interrelationship between these three risks is one reason IIA emphasizes a holistic approach to risk management. A holistic approach can cut across organizational silos and mitigate the misalignment of risk perspectives between the respondent groups. It might also provide auditors a better risk management perspective. This would also mitigate the overly optimistic viewpoint on cyber security and data protection of the IT professionals.
James J. Kline, Ph.D., CERM, is the author of numerous articles on quality in government and risk analysis. He is a senior member of the American Society for Quality and Six Sigma Green Belt with experience consulting for the private sector and local governments. His recent book, Enterprise Risk Management in Government: Implementing ISO 31000:2018, is available on Amazon. He can be reached at firstname.lastname@example.org.
- Institute of Internal Auditors, 2019, “On Risk: A Guide to Understanding, Aligning, and Optimizing Risk”, https://www.iia.ni/…/onrisk-a-guide-to-understanding-aligning-and-optimizing-risk.
- New South Wales Government, 2019, “A New Risk Management And Internal Audit Framework for local councils in NSW Discussion paper”, September, www.olg.nsw.au/content/new-risk-management-and-internal-audit-framework-local-councils-nsw