At a time when organizations around the globe are facing a range of uncertainties, from volatility in financial markets to heightened geopolitical tensions, it’s never been more important for senior business leadership and internal audit leadership to be aligned on which risks are most critical for the organization to manage.
However, Protiviti’s latest annual Top Risks Survey finds that chief audit executives (CAEs) and other senior executives aren’t fully in sync on what the top risks are for their organization not only this year but also looking out to 2031. We explored these differences and their potential implications for businesses in a recent webinar, Top Risks for 2022: An Internal Audit Perspective. Following are some of the key takeaways from our discussion.
2022: CAEs and Executives Cite Similar Risk Concerns, But Rank Them Quite Differently
First, the good news: CAEs and other executives are aligned on seven of the top 10 risks projected for 2022 — even though our global survey results show they don’t share the same level of concern for these various risks. For example, as shown below, the overall top risk in 2022 cited by executives responding to our global survey was “pandemic-related government policies/regulation.” But on the CAEs’ list of top risks for this year, that risk ranks only ninth.
CAEs seem to be looking more broadly at the risk landscape than other senior executives, taking stock of longer-term challenges that the business should address sooner rather than later if it wants to compete effectively in a post-pandemic economy. For example, CAEs cited “uncertainty surrounding the viability of key suppliers, scarcity of supply or stable supply prices” as a concern for this year and 2031. But that risk isn’t on the overall top 10 list for other executives for 2022 or 2031, even though companies around the globe have been struggling with supply chain issues for many months and are likely to continue to do so.
The pandemic fully exposed supply chain fragility, underscoring the need for organizations to stop looking at the supply chain as a cost center and work to increase supply chain resiliency, optimize supply chain operations and better manage key risk exposures. That latter item, in particular, is likely what has CAEs viewing supply chain challenges as a higher priority risk, as their teams will be on the front lines of helping the business to focus on identifying and managing those issues.
CAEs See Managing Cyber Threats as a Top Priority for This Year — and Beyond
Notably, CAEs also appear to be much more worried than other senior executives about cyber threats affecting their organization in the year ahead. Internal audit leaders in our survey ranked cyber threats second on the list of top 10 risks for 2022, while this risk sits at ninth place on the overall list of top risks.
Our take on these findings is that many CAEs likely see cyber threats as a high-priority issue because their teams are closely tracking how the organization is mitigating risks, especially in light of recent cyberattacks involving critical infrastructure and the software supply chain. Internal audit leaders also ranked cyber threats among the top three risk concerns for 2031.
Why would other senior executives in our survey give a lower ranking to the cyber-threat risk this year — and not even include it in the top 10 list for 2031? This could be due to the “Not if, but when?” mindset they’ve adopted about cyber threats after years of observing and/or experiencing firsthand malicious actors’ relentless efforts to disrupt businesses and profit from their attacks.
Greater alignment between CAEs and other executives on the severity of the cyber-threat risk is important, as it can lead to the business making more strategic decisions that will help it be less vulnerable to an attack — or, at least, more agile in its response when one occurs.
2031: Both CAEs and Executives Expect Trouble Ahead on the Skilled-Talent Front
Looking at the list of top 10 risks for 2031 below, we can see that CAEs are aligned with executives on only six risks — and, again, the priority ordering of risks is different. Indeed, it is markedly so in most cases.
However, where CAEs and other executives are almost exactly in sync is in their concern for people-related risks. Their risk rankings for 2031 show that they are worried that their organization will struggle to hire and keep top talent in the future and that they’ll need to make a significant effort in the coming years to upskill and reskill employees to keep pace with technological change.
In our recent webinar, we touched on several strategies that CAEs and other executives may want to apply as they work together to address people-related risks. Those strategies include:
- Benchmarking against peers (What are other companies doing to compete for talent?)
- Ensuring that the business is capturing and analyzing the right talent-related data
- Assessing whether the company’s current hiring process is taking too long
- Using rotational programs to broaden employees’ skill sets and offer staff new challenges
- Evaluating internal communication to ensure that the business is making clear how people can advance in the organization
- Taking stock of how the business handles talent management, generally, and what leaders do to show they trust employees and help inspire and empower them
- Balancing the need to invest in new technology with the need to manage rising labor costs and ensuring that upskilled or reskilled workers are compensated appropriately
Many internal audit teams haven’t been asked to include some significant risk areas for today’s businesses in their 2022 audit plan. About one-third of attendees polled during our recent webinar said their internal audit teams have not received requests to look at any of the following risks this year:
- Hybrid work policies and processes
- Pandemic-related policies and processes
- Talent management processes
- Environmental, social and governance (ESG) and sustainability
Proactive, Ongoing Discussions About Risk Can Help Create Better Alignment
The findings from Protiviti’s latest Top Risks Survey help underscore the importance of CAEs and business leadership engaging in regular conversations about risk to help ensure they understand each other’s perspectives and can educate each other about key risks.
Differences of opinion are to be expected, including when it comes to deciding how to prioritize risks and devote resources to managing them. However, by engaging in more proactive and specific discussions about which risks to include on leadership’s radar and in the audit plan, there is less chance of anything critical being overlooked or underestimated.
Creating better alignment on which risks the business should monitor and manage will also help the internal audit function create a more dynamic risk assessment and planning process that it can adjust as risk conditions inevitably change.