I begin this article by stating clearly that I likely do not have all of the answers you may be looking for, but what I can offer is the perspective that comes from 35 plus years’ experience helping my clients and the organisations I have worked with gain an understanding of risk.
On the subject of risk, a great deal has changed over the years including the willingness and interest of CAE’s, Audit Committees and Boards to talk about risk. These conversations started slowly with discussions relating to risks around the fair presentation of financial statements and have more recently expanded to the critical risks relating to achieving the strategic objectives of the business. The depth and breadth of the discussion has grown to include the impact of the global economy, the rapid if not exponential growth of technology, geopolitical uncertainty, changing dynamics of the workforce as well as topics relating to gender equity and social justice.
As part of the increase in dialogue relating to risk and risks on the horizon much has been written and many lists have been developed. I offer a list of the most common I have come across in my discussions with Boards, Audit Committees, CAE’s and CFO’s as well as my reading on the subject. As you review it I am confident there will be one or two that touch a nerve in your organisation:
- Cyber Risk and Cyber Security
- Agility / Adaptability
- Robotic Process Automation and AI
- Economic Trends
- Tariffs and Trade Wars
- Emerging Business Models
As you look at this list, the first question that comes to mind is what is the role of the corporate audit function in defining, assessing, monitoring and remediating these risks? The classic response is that corporate audit is not the expert on these risks. Evaluation of risk rests in the hands of th experts the organisation has brought in to manage these risks. Far too often, I have heard that CAE’s and their teams are not expected to be strategic in their thinking, but rather more tactical and focused on testing.
The good news is that this way of thinking is changing. While the primary responsibility of the audit function is to provide assurance as it relates to internal risk management processes, the level of assurance is taking on deeper meaning. The corporate audit function is providing evaluations of the effectiveness of risk management activities through the traditional methods of inquiry, observation and testing. However, more and more audit committees are looking for insight into the quality and maturity of risk management processes, and the ability of organisations’ people, systems, and process to effectively manage risk. Other important variables in this discussion are culture and organisational maturity of core business processes to effectively support the implementation of new strategies to address risk.
It is not my intention to discuss each of the items on the list above in detail as each risk has specific context based upon the industry you are in and the risk maturity of the organisation. What I do plan to do is expand briefly on the opportunities for internal audit specifically relating to Cyber Risk and Cyber Security, Agility and Adaptability, Robotic Process Automation and AI and Talent.
Cyber Risk and Cyber Security are clearly top of mind in all organisations and an area of critical focus. The majority of the effort of most organisations has been to focus on Cyber Security and the risk of security breaches and the loss of critical data and private information. While these types of events grab headlines and result in the loss of reputation, this is only one element of the broader topic of Cyber Risk. A Cyber Risk Assessment is a comprehensive evaluation of an organisation’s cyber security program and overall security posture. It identifies key risks that can impact the availability, integrity, and confidentiality of its information assets. It determines where the strengths are, and zeroes in on weaknesses that present the greatest threats to the organisation. A Cyber Risk Assessment looks at not only security over networks and data but also looks at the overall cyber infrastructure of the organisation and the ability of the infrastructure to support critical business processes now and in the future. For more on this topic I refer you to an earlier Internal Audit Insights article written by my colleague Stephen Head.
Agility and Adaptability are rapidly becoming the new norm across all organisations. Even if you are in a mature, stable industry, innovations developed in other industries can, once refined, be applied to your industry with game-changing effects. One clear example is the growth of Robotic Process Automation and AI. These two topics and the risks associated with them are interrelated, as the ability to respond quickly and adapt to a changing landscape is directly tied to the overall maturity and quality of underlying business processes from both a people and internal controls perspective. This is where the corporate audit function can add valuable insight, as companies seek to adapt and innovate through the use of automation and artificial intelligence. As more and more organisations look to automate routine tasks using available state of the art tools; they are beginning to understand the best processes for automation are those that are mature, stable and well controlled. Audit is in the best position to participate on RPA steering committees and share insights into the processes which are appropriate and ready candidates. Audit can also play a key role by identifying gaps in current processes that would need to be remediated prior to beginning transition to automation.
Agility and Adaptability are also risks to the future effectiveness of the corporate audit function. While it is not a new idea that an effective audit function needs to possess individuals with the skills and talents to effectively audit the risks of an organisation; what is different is the depth of skills required and the speed with which risks are changing. To be effective, audit functions need to be taking a risk based approach to their work, and continuously challenge their risk assessment methodology and audit approach to stay relevant and meet the expectations of key stakeholders. This will require the identification of appropriate subject matter experts from within the organisation or outside the organisation, to work with audit to challenge current processes in order to effectively audit controls relating to business risks.
To be successful, CAE’s and their teams need to be forward thinking in understanding emerging risks, changes in strategy and the potential impact to the organisation. As an example, let’s look at the decision to convert disbursements to an automated robotic process. At the end of the day, this will create an opportunity for audit to perform their work more efficiently when looking at a variety of processes that are impacted by cash disbursements. The opportunity is for audit to get in on the front end design phase of the new process, and think about the data that would be useful to have to facilitate the audit process. By thinking about how you will audit the process up front and define what you need in terms of data, this increases the likelihood you will be successful in implementing new audit procedures when processes go live. The result is a major benefit derived from the introduction of data analytics into the audit process. Many departments were challenged in implementing analytics effectively as an audit tool as they were not involved with the business in defining data requirements. As a result, audit often had to submit supplemental requests to get data in a useable format. Such a process was inefficient and more costly. Hence with RPA, identify your needs for data up front and have them considered in the design phase.
Talent as a risk has multiple dimensions for an organisation. We are in a period where baby boomers are retiring from leadership roles at a record pace. Added to this phenomenon is that an outcome of the great recession is that many organisations are now flatter. As a result the size of the talent pool to fill managerial and leadership roles has decreased in size. As if the first two trends were not enough, a larger and larger portion of the workforce are millennials. There are many generalizations that have come to define millennials, but one characteristic that stands out is that millennials are inclined to roles where they can make a strong contribution as an individual contributor. They enjoy making contributions to a team, but typically are not interested in a leadership role on the team. This is a risk at an organisational level and at the departmental level for the corporate audit function. But with risk there is also opportunity. Audit remains an area where talented people can grow their skills and learn the business. An innovative function that has established agility, adaptability and leveraging technology as core operating principles can be a magnet for attracting organisational talent and positioning them for important strategic roles in the future.
When we look at risks on the horizon we understand that given the speed of change and rate of innovation the horizon is getting closer and closer every day. The ability of an organisation to manage downside risks and optimize upside risks in large part rests in the culture, risk maturity and quality of the underlying business processes in the organisation. As organisations set strategic priorities and address rapidly changing risk profiles, audit can play a vital role in navigating the landscape. Armed with knowledge of the business in terms of culture, risk maturity and stability of business processes, audit can contribute to strategic discussions around risk and organisational readiness to manage the changing profile. Audit will also play the traditional role in providing assurance that the processes to detect and manage risks are operating effectively. In addition, audit needs to understand how changing risks impact their processes and approach so they can demonstrate agility when modifying its approach to executing their core responsibilities.