Top Five Risks that Organizations will Face In 2023
The past few years, since the pandemic started in 2020, have been difficult and constantly changing for all of us. The way we conducted our everyday lives was transformed, probably forever. Organizations worldwide were no exception; they also took a blow in the form of new risks, sometimes combined with existing risks. It is as if we live in a constant state of panic, with the pandemic, war conflicts and inflation. The new landscape compels more creative approaches to detect and mitigate these risks.
The European Confederation of Institutes of Internal Auditors has published the Risk in Focus 2023 report (September 2022), which was compiled from the results of interviews, round table exercises and input from several Chief Audit Executives (CAEs) in 15 European countries. The report sheds light for internal auditors and organizations on the emerging and rising risks in 2023 that must be addressed to ensure security and integrity at all levels of the organization. The information provided can serve as a solid foundation for 2023 audit planning. We have compiled the top 5 identified risks of this report. The full report can be accessed here.
2023 Internal Audit Key Findings
The internal audit key findings for 2023 are based on Risk in Focus 2023: Hot Topics for Internal Auditors, published by the European Confederation of Institutes of Internal Auditing from data collected through 2022 from 14 internal auditing institutes in Europe.
1 Macroeconomic and Geopolitical Risks
Rapid Changes in Sanctions
The implications of the ongoing war between Russia and Ukraine are still being uncovered, while it seems that the key risks are being under-measured. Because of the conflict, organizations have ended their business relationships with the Russian government and Russian companies. The conflict has also impacted the financial liquidity of organizations, creating an insolvency risk. The extent and number of sanctions imposed on Russia by the European Union, the United Kingdom and the United States have been unprecedented. As a result, Russia halted its oil supply to Bulgaria, Finland, and Poland, driving up prices. The risk brought on by the imposed sanctions will probably continue to increase in 2023 and beyond.
Agility of Risk Assessments
Keeping risk assessments up to date can be challenging since they originate from different territories. It is imperative that organizations map the restrictions imposed by all countries across their global operations. Auditors must engage the legal, compliance and risk management areas to conduct effective risk assessments.
Emerging Risks Changing the Landscape
The risks brought on by the latest macroeconomic and geopolitical turn of events fall outside the scope of organizations' risk register controls. Their importance cannot be overlooked by stakeholders, management, and auditors. The audit planning process must be revisited to ensure that it covers the 2023 risk landscape.
Supply Chain Disruption and High Impact Events
Supply chains have been impacted by the pandemic and the war conflict, and probably will continue to be over the next few years. For more than three years now the world has been in a state of emergency. Unfortunately, it seems like these crises are becoming systemic. The nature of global organizations makes them more vulnerable to increasing exposure to high-impact events. In the past, events were generally contained in one or two areas of the organization; currently they extend across the organization. If staff are not properly trained through periodic crisis management exercises, it will be difficult to respond to issues quickly. The scale and complexity of the potential impact of these events have increased. Organizations have no control over the causes of these events and are also struggling to retain personnel. Management and auditors will have to focus on training and staff wellbeing to improve the organization's resilience.
Global Risk Reassessment
Global energy systems have been interconnected to attain stability of supplies. However, this interconnection can turn into a root cause of vulnerability and risk. Organizations have carried the kinds of scenarios that were not considered before out of their crisis management teams and into their risk management strategies. Business continuity planning should now be adjusted to include, along with local or regional events, the impact if those same or linked events affected all parts of the organization.
Risk Appetite Clarity
Clarity on the organization’s risk appetite should be the foundation to define the strategies to address the risks. Strategic objectives need to be translated into measurable goals, related risks, required controls, and mechanisms to identify if the implemented controls are working as expected. The result of this analysis can serve as the scope for audits.
2 Climate Change and Environmental Sustainability
Climate and environmental changes could become the next big crisis that organizations are unprepared for. The Conference of the Parties (better known as COP 26) defined new climate goals that may be difficult for organizations to achieve. One of the goals is to secure net global emissions by 2030, with a target goal of net-zero emissions by 2050. This global challenge will have to be worked on across different sectors to reach the net-zero emissions goal. To enable this transition, changes to the frameworks and controls need to be aligned to accommodate the business objectives and related risks.
Auditors need to be involved during the carbon transition journey to provide their input and assurance to the organization. Auditors need to communicate to the concerned parties how the framework and controls are being developed and how the risks are being managed. This recommendation is made so that organizations avoid discovering a couple of years down the line that they are not on the right path. Organizations are at different levels of maturity on their path to environmental sustainability, which makes delimiting the auditors' role confusing. A common denominator for auditors should be to help management delineate strategies and goals and to raise awareness of and support for environmental initiatives.
Another finding from the survey participants' responses is that there is excessive pressure around reporting. This raises the concern of whether the organization's governance model can effectively accommodate the sustainability goals. Auditors must ensure that their organizations' basic compliance objectives do not replicate the excesses of the culture created by the 2002 Sarbanes-Oxley Act over controls around financial reporting.
Emphasis on ESG
The Environmental, Social and Governance (ESG) efforts should place real emphasis on the governance aspect. Many auditors take this as an opportunity to prepare their organizations to face different issues, including climate change. Effective governance can prevent greenwashing practices (providing the public or investors with misleading or false information about the environmental impact of a company's products and operations) and provide assurance to stakeholders that the governance processes are moving in the right direction. Organizations must have a clear plan to assure investors and the public that they have linked the necessary controls into their environmental strategy.
Personnel Skills and Knowledge
Finding skilled personnel to engage in environmental auditing is becoming one of the biggest challenges, especially since all departments are struggling to retain high-quality staff auditors. A major component of the auditor's skill set should be understanding the complex global regulatory landscape and its potential significance for the business. This can be a major task, and many organizations opt to seek help from external audit and global consultancy firms.
3 Human Capital, Diversity, and Talent Management
Human Factor
Part of the aftermath of the pandemic is that organizational culture and talent management have become challenging areas for organizations. In 2023, the global talent shortage will likely increase, especially where technical expertise is required. Psychological well-being is given more priority in the workplace now, making it harder to entice employees to return to the traditional office environment. Inflation, rising operational costs and settlement payouts have taken center stage, resulting in more organizations struggling to retain their staff.
Hybrid Workspace
Before the pandemic, hybrid schedules were increasing worldwide. Today, offices are struggling to accommodate flexible working conditions. Organizations are feeling the burnout of human resources and a leakage of institutional knowledge. Key projects are lacking skilled personnel to deliver the expected results. Implementing the digitalization of manual processes can lessen the impact of staff shortage.
Defining What Is the New Normal
It is highly probable that businesses will never return to the so-called normal - the work conditions that prevailed before the pandemic. As foreseen, the working environment will continue to integrate this new reality, without bouncing back to what we knew before. Recognizing challenges and innovating business models are an adequate response for coping. Auditors should provide guidance during this cycling of conditions and distinguish the changes that will become permanent.
Working with a Social Purpose
The younger generation of professionals focuses more on working with a social purpose, aligned with their objectives and values. This is evident in the perception they have of people with higher seniority levels. Some consider human capital and organizational culture to be unrelated issues. Of the executives and upper management that participated in the survey, 85% agreed that the purpose of the organization can be achieved in their day-to-day lives, while only 15% of managers and employees agreed.
Changes in ESG Goals
The ESG (Environmental, Social and Governance) sustainability goals have changed in the last few years. The widespread use of smartphones and social media reinforces this point of view. Key stakeholders, management and employees are not only observers, but also commentators on the company's performance. The governance framework should be revisited and adjusted to sustain these new perspectives. Auditors should aid the organization in defining better controls and clear metrics that sustain diversity objectives. Historically, auditors have focused on evaluating procedures (hard controls), but the recent changes in the workspace have brought on the need to include the evaluation of culture and behavior (soft controls) as well. These controls should align with the organization's strategy and human resources objectives.
4 Cybersecurity and Data Security
Cybercrime Models Maturing
It was reported that during 2022 ransomware attacks increased by 80%. On average, costs related to recovering data stolen via cybercrime attacks increased from $170,000 to $812,360 per breach. One of the main factors that have incited the rise in cybercrime attacks is the maturation of its business models. This has become a major threat that poses more challenges to organizations. The presence of internal audit on IT security boards can definitely increase the level of defense, with corporate board support still being pivotal.
Third Parties Can Create Vulnerabilities
Every day, partnerships with third-party providers become more necessary and frequent. These can range from cloud solutions to external data warehouses, to name a few. Organizations sometimes have limited leverage to implement or enforce controls on third parties. It is even harder for auditors to have visibility and gain traction to assess and mitigate the risks. Data security is a critical element of the protection of information assets and infrastructure performed by the organization. Auditors should advise on the controls that should be in place, especially for providers that support critical data, and they should also ensure these providers are financially stable.
Merge of Cyber and Economic Crimes
It is of vital importance that organizations identify the differences between cyber and economic crimes. However, this has triggered a division of their cyber and data security teams. In some instances, these function as separate departments. Poor communication between departments could result in treating cyberattacks as an isolated event, or as something that only impacts one department. In today's landscape, this approach might no longer be adequate. Auditors must ensure that the required controls are in place to promote effective communication among departments. The auditor overseeing these controls should possess strong cybersecurity knowledge and skills.
Effective Implementation of Controls
Due to the pandemic, many controls were weakened or not fulfilled as personnel were working from home. This new work environment brought on its own challenges and reshaped the organizational data security culture. The new work scenario needs to be considered by organizations and auditors to promote the effective implementation of controls. Sound risk frameworks, such as ISO 27001, NIST and COBIT, along with the implementation of policies and procedures, are mandatory. However, these fall short when they are not implemented correctly or are not executed. The biggest failure of a control is when people do not follow it.
5 Digital Disruption and New Technology
The pandemic pushed organizations' digitalization efforts to accommodate the new circumstances of working from home. Before an organization engages in digitalization, it must first determine what the innovation culture is within the organization in order to succeed. Such a culture is characterized by transparency, openness, fairness, collaboration and a strong customer focus. While these characteristics are very important, they must be supported by a clear strategic vision, the right skills, and an ability to maintain effective oversight of projects. A conscientious corporate culture enables people to make mistakes and attempt new things without fear of failure. This outlook motivates the growth and development of personnel and attracts skilled resources, which are increasingly scarce. Auditors need to be aware of fast-paced technology projects that can increase the potential threat of data risks.
Measuring Innovation Edge
While auditors need to support the organization's strategic plan and initiatives, balancing innovation and risk is the role of management. The executive staff should assess whether the different types of innovation efforts are more or less productive, and whether they are aligned with the organization's strategic objectives. Auditors should help the organization measure the added financial value that the innovation may bring.
Safeguarding Data
Many organizations have legacy systems that are poorly integrated with their current technology. A significant issue is that data can be spread over separate departments and systems. Auditors should bring awareness to their organizations about this problem and propose opportunities to protect their data assets and uncover the risks that the lack of data centralization can generate. For this, developing an enterprise-wide governance framework is a must.
Strategic Data Risk
Risk can manifest in different areas of the organization simultaneously when data is at the source of the issue. The risks can range from reputational, regulatory, operational and financial to other threats. One advantage for businesses is that they can control these risks with the right focus and prioritization. The audit function can include a data-driven assurance approach, while another team can perform data risk audits across the organization, covering privacy, ethics, data by design, data retention, metadata and other areas. This can help the organization understand the power of harnessing data and identify the impact of data breaches. Auditors can take advantage of this analysis by gaining a holistic view that spans the organization. It can also help address a fragmented data landscape that contains legacy systems.
Artificial Intelligence in Internal Audit
One of this year's emerging technology topics is artificial intelligence. Some organizations have begun to introduce AI programs in the audit process, particularly in AI models and areas that are considered high risk. Organizations are expected to conduct regular compliance checks of their systems. A transition from data analytics to AI is a positive strategy, provided that organizations consider breaking down this process into smaller steps. Potential benefits of such an approach include larger audit coverage, continuous monitoring, and standardization of audit methodologies as they are embedded in AI programs. It is worth mentioning that there can be a discrepancy between the time in which new AI algorithms are developed and tested and the audit cycle.
Retaining the Human Point of View
Throughout the implementation of AI, the judgement of the auditor needs to accompany the transition. If the focus is placed solely on automation, audits performed by intelligent systems can diminish the input that auditors can provide and fail to detect risks where AI loses visibility. Auditors can provide assurance by ensuring that a healthy balance exists between human and artificial intelligence in the auditing process.
__________
Reference:
The State of Ransomware 2022, Sophos, April 2022