As we kick off 2016, CEB has identified the top ten risks that organisations around the world need to have on their radars. These risks can have a serious impact on business performance, and chief audit executives (CAEs) should prioritise these in their annual plans.
This year’s Audit Hot Spots report highlights findings from research among CAEs at FTSE 100 and Fortune 500 companies among many other global corporations. As most CAEs are now focusing on detailed planning and budgeting for 2016, it’s essential that they consider and evaluate how they will provide assurance against the following risks:
Data privacy: The recent string of high-profile data breaches, from TalkTalk to Ashley Madison, has put the risks surrounding data privacy squarely top of mind in 2016. Companies are rapidly digitalising their operations but are not updating associated governance measures at the same pace, and employee training on privacy regulations fails to drive more risk-aware behaviour. The costs of poor data privacy are mounting—in addition to regulatory noncompliance, companies face large costs in terms of management time and lost business.
Cyber security: The number of cyber security incidents increased by 48 per cent over the last year. Cyber security is a board-level issue and remains a critical risk, as the increased attention has not yet been translated into adequate detection and response measures across organisations. Even as companies shore up their external defences, they remain vulnerable to attacks from malicious and unwitting insiders (employees and third-party contractors). These are much harder to prevent and potentially more damaging.
Third-party relationships: Organisations continue to form an increasing number of third-party relationships to provide services. With the median company now working with 3,000 third parties, these organisations are also taking on increasingly critical business functions. However, despite this, organisational oversight remains limited. Attaining proper oversight is complicated by the ongoing decentralisation of procurement activities, driven by the increasing speed of business. This lack of oversight leaves firms exposed to significant risk in terms of business disruptions, data leaks, and regulatory noncompliance.
Strategic change management: To meet aggressive growth targets, organisations are implementing more strategic change initiatives. However, the combined speed, frequency, and volume of these initiatives can often lead to failure in execution. These change initiatives also risk degrading the control environment by causing change fatigue in employees: risk management effectiveness declines on average by 6 per cent in areas affected by material change.
Business continuity and disaster recovery: The relentless geographic expansion of companies’ operations and supply chains, coupled with a focus on lean operations and single sourcing, has increased companies’ exposure to unforeseeable risk events that could cause business disruptions. As the number and type of risks continue to grow, companies’ ability to properly respond to adverse events has been further complicated by an increasing difficulty in insuring against new or immeasurable risks.
Competitive environment: Fuelled by easy access to capital and a proliferation of new technologies, start-up companies are entering previously stable industries with new, disruptive business models, and mature companies are entering sectors adjacent to their own in search of growth. At the same time, customers have increased access to information and are making more discerning purchasing decisions, which has led to a decrease in customer loyalty. These two factors combine to make the competitive environment harder than ever to navigate this year.
Talent management: Effective talent management strategies are critical to supporting the achievement of corporate objectives. However, organisations’ efforts to hire and retain the best employees are hindered by stronger economic growth in many countries, which increases labour mobility. In addition, an increasing number of company strategies depend on critical and scarce skill sets, especially in technical areas.
Macroeconomic volatility: The recent volatility in currency and commodity markets is just the latest indicator of global macroeconomic uncertainty. From the devaluation of the Chinese currency to plummeting oil prices, these fluctuations make it harder for companies to properly budget, forecast, and make strategic planning decisions. Volatility risk impacts short-term cash flow and liquidity as well as long-term strategic planning and profitability targets.
International tax planning: As governments look to increase tax revenues and public scrutiny of companies’ tax strategies increases, tax is back on many companies’ risk radars. The OECD released its BEPS guidelines at the end of last year, and some countries have already passed related legislation. The increased transparency requirements will not only burden corporate tax reporting requirements and increase the risk of sensitive information being leaked but will also expose companies to reputational risk.
Governance: In the dynamic and decentralised environment that companies operate in today, the need for effective governance is growing. The string of recent corporate scandals—ranging from bribery to market rigging—as well as the increasing impact that activist shareholder demands have on companies’ decision making especially accentuate the need for stronger governance.
For many organisations’ audit teams, these risks, and how they have evolved, may be relatively unknown. Managing them requires greater levels of business acumen, not only to identify them effectively but also to assess where and how the business might be affected by macro-level risks. Internal auditors need to understand the operations of various corporate functions. They must also consider how this will alter the business’s risk and control environment, audit processes and assurance activities, and the meaning of audit’s value to the business. These are not standard areas for audit to review, and they demand new skills and revised approaches.
Businesses are now fully connected and therefore susceptible to risks throughout their supply chain, which often extends to emerging markets. Risks that were previously thought to be confined to distant parts of the globe, like disorderly states or crumbling currencies, very much apply to businesses of the West. Further to this, new risks that are unique to developed economies and their mature industries are becoming more pressing in 2016. Internal auditors must put companies through their paces to ensure they can deal with all dimensions of risk, even those that are clouded with great uncertainty.