Looking Ahead: Reviewing OnRisk 2021

Late last year, The Institute of Internal Auditors (IIA) released its second annual OnRisk report — OnRisk 2021 — looking ahead to risks all organizations are likely to face in 2021.

The IIA released the first OnRisk report — OnRisk 2020 — in late 2019 with an eye toward risks in 2020. This was a groundbreaking report compiled after quantitative surveys from Chief Audit Executives (CAEs) and in-depth qualitative interviews with Board members, senior executives, and CAEs. The surveys and interviews were conducted across organizations that vary in industry, size, and location, amongst other factors.

In fairness, the words “pandemic” or “Covid” are nowhere to be found in OnRisk 2020. Then again — how many among us anticipated this global pandemic and its effects, even in December 2019? I certainly didn’t appreciate the severity of what was then known as the “Wuhan virus” at that time. So, as we progress through our review of OnRisk 2021, let us remember this is a valuable guide in helping us look ahead to risk in 2021, but is not intended (as the report itself says) as an all-inclusive list of any organization’s key risks.

Top Risks 2021

• Cybersecurity
• Third Party
• Board Information
• Sustainability
• Disruptive Innovation
• Economic & Political Volatility
• Organizational Governance
• Data Governance
• Talent Management
• Culture
• Business Continuity & Crisis Management

None of these risks is particularly surprising when looking back at 2020 and anticipating the year ahead. The ongoing Covid-19 pandemic has tested the business continuity and crisis management plans of nearly every organization across the globe. This has invariably led to heightened concern for other risk factors on this list including cybersecurity, third party risk, disruptive innovation, economic volatility, data governance, talent management, and culture. Additional important events from 2020 guaranteed to guide organization’s decision making in 2021 include social unrest across the political spectrum, growing demands to address racial inequities, a sharp focus by a growing number of investors on climate change, and a new political party controlling the White House and both houses of Congress. Therefore, it is no surprise to see board information, sustainability, and political volatility on our list, in addition to the others already addressed.

It should be noted that perception of organizational capability to manage risks were more aligned this year among Boards, Management, and CAEs. However, there is still room for improvement in alignment on the perceived relevance of certain risks. The report particularly highlights two key findings:

• Management respondents generally assessed risks to be less relevant to their organizations overall compared to Board and CAE respondents. The report notes this was particularly evident in regard to Organizational Governance (discussed further below) and Economic & Political Volatility. The report also noted Management respondents tended to view certain operational risks, such as Talent Management, Culture, and Business Continuity & Crisis Management, as more relevant than Board and CAE respondents.
• Specific to Organizational Governance, as noted above, the report observed the number of Management respondents who assessed this risk as highly or extremely relevant were fewer than their Board and CAE counterparts. Additionally, Management respondents more frequently assessed personal knowledge and organizational capability for Organizational Governance as highly or extremely knowledgeable and highly or extremely capable, respectively.

Focus Areas

The report highlights four specific risks that may be of particular importance for the year ahead:

• Business Continuity & Crisis Management — With 87% of Board and 93% of CAE respondents surveyed considering this risk as highly or extremely relevant, it is one of the two top-rated risks for 2021. Both Board and CAE respondents are generally aligned on an organization’s capability to address this risk, with the number of CAE respondents assessing their knowledge of the subject as highly or extremely knowledgeable slightly higher than that of their Board counterparts. Interestingly, the number of Management respondents who rated organizational capability and individual knowledge as highly or extremely capable and highly or extremely knowledgeable, respectively, was lower than their Board and CAE counterparts. For 2021, CAEs should ensure this business continuity and crisis management remains on their radar and work to better align knowledge and capability assessments amongst Management, Board, and themselves. This is an opportune time to examine successes of the past year as a result of the Covid-19 pandemic and identify areas for improvement.
• Cybersecurity — The other top-rated risk for 2021, CAEs were generally heavily skewed in rating this risk as highly or extremely relevant compared to their Board and Management counterparts. While upwards of 90% of CAEs rated this risk as highly or extremely relevant, only 73% of Management and less than 80% of Board members surveyed assessed it as a highly or extremely relevant risk. With this disparity in assessment of relevance, it is not surprising that CAEs also rated their individual knowledge significantly higher than that of their Board and Management counterparts, with 43% of CAE respondents rating their knowledge as highly or extremely knowledgeable compared to 23% of Board and Management respondents. There is hope, however, in the alignment of assessment of organizational capability, with CAE respondents assessing their organizations as highly or extremely capable weighing in at 50%, Management respondents closely followed at 47%, and Board respondents trailed slightly behind at 40%. CAEs should continue to educate Management and the Board on emerging cybersecurity risks and continue providing independent assurance to the Board that these risks are being adequately address by their organizations.
• Disruptive Innovation — One of two risks rated by all respondents among the most relevant, yet the number of Management respondents who assessed their individual knowledge and organizational capability as highly or extremely knowledgeable and highly or extremely capable, respectively, were among the lowest. Board respondents who assessed this risk as highly or extremely relevant was just shy of 70%, and CAE respondents just over 70%, with Management respondents at approximately 60%. Board and CAE respondents were also closely aligned when assessing organizational capability as highly or extremely capable, at 33% of Board respondents and 37% of CAE respondents, with Management respondents trailing at 20%. Conversely, the number Management and CAE respondents who assessed their individual knowledge as highly or extremely knowledgeable was 33%, with the number of Board respondents assessing their knowledge as highly or extremely knowledgeable at 43%.
• Talent Management — With the number of Board and CAE respondents assessing this risk as highly or extremely relevant at approximately 78% and 82%, respectively, Board and CAE respondents are typically aligned on perceived relevant of talent management risk. Only approximately 68% of Management respondents deemed this risk as highly or extremely relevant. Less than 40% of respondents across all three groups assessed organizational capability as highly or extremely capable. Additionally, while 53% of Board respondents assessed their individual knowledge as highly or extremely knowledgeable, this was less so among Management and CAE respondents, at 40% and 30% respectively. With such low assessment of organizational capability and generally low assessment of individual knowledge, CAEs should work to ensure they and their teams understand the depth of talent risk and stand ready to help educate Management and the Board with the full risk picture and possible solutions.

This is a very brief overview of the depth of content presented in OnRisk 2021. We’ve reviewed four key areas for CAEs to watch in 2021. It is important to note, however, that these “areas of focus” do not in any way indicate any of the other risks identified, or indeed other risks NOT identified, are not important to an organization.

We must also keep in mind the interrelated nature of risk. For example, board information is critical to proper oversight of any other risk. If the risk of board information is not properly controlled, and not given independent assurance from Internal Audit, Board members may consider organizational capability to be extremely capable, when in fact it may be extremely incapable. As a further example, the concept of sustainability has become increasingly popular amongst and important to younger workers, specifically the millennial generation and younger. An organization seen not to be properly addressing sustainability risk may find itself facing a new talent management risk if its sustainability practices do not make it an employer of choice.

Risk abounds in 2021. Boards and Management will be relying on Internal Audit to fulfil its role in the Three Lines Model and serve as a trusted advisor to their organization. I encourage you to review OnRisk 2021 for yourself and share with your Board and Management counterparts. Together, we can ensure our organizations weather the storms ahead that 2021, and beyond, surely have in store.

Note: The views expressed in this article are solely those of the author, and do not necessarily represent the view of any organization with which the author is affiliated.