OnRisk 2021 has been released
This week, The IIA Global released an insightful report that provides further perspective on the pandemic and its impacts on organizations. OnRisk 2021 is not intended to be a report on COVID-19’s effects on risk management and governance, but is designed to offer key insights into risk alignment among boards, executive management, and internal audit.
OnRisk 2021 leverages a methodology that uses qualitative and quantitative surveys to measure how boards, the C-suite, and internal audit view 11 key risks facing organizations in the coming year. It measures respondents’ views on their personal knowledge of each risk, the capability of their organizations to manage each risk, and how relevant each risk is to their organizations. The data shows improved alignment on risk knowledge and capability, but potentially troubling dissonance on risk relevance.
The report is being released just in time for many internal audit departments to leverage its insights as annual risk assessment and audit planning get underway for 2021. There are five key observations from the report that reflect a broad array of challenges and areas for improvement:
- Business continuity and crisis management and cybersecurity are the top-rated risks for 2021. Unprecedented challenges brought on by the COVID-19 pandemic, as well as expanding reliance on technology and data, drive these two risks to the top of the list. They often are paired as some cyberthreats are heightened by the sudden relocation of employees to less secure work-from-home environments, as well as an intense shift to e-commerce brought on by the pandemic response.
- Two risks offer priorities for organizational improvement. All respondents rate disruptive innovation and talent management among the most relevant risks. Yet, C-suite respondents rank their personal knowledge and the organization’s capabilities related to these risks among the lowest.
- Management perceptions on risk relevance are generally not aligned with boards and CAEs. Board members and chief audit executives (CAEs) are largely aligned on their perception of the relevance of risks included in OnRisk 2021. However, management relevance rankings are lower overall, with an especially large gap in the perception of governance and economic and political volatility. Indeed, the C-suite assigns higher relevance to operational risks, such as talent management, culture, and business continuity.
- Perceptions on capability to manage risks are more aligned. This year, responses are more tightly clustered in ranking organizational ability to manage risk. The board overconfidence noted in last year’s report appears to have eased. Responses to COVID-19, which focused in part on renewed risk assessments and more frequent communication and collaboration among risk management players, likely drove stronger alignment on organizational strengths and weaknesses.
- Management sees organizational governance as a less relevant risk than do boards and internal audit. The disparity in relevance rankings for organizational governance as a risk is significant and telling. Management’s lower relevance ranking on this risk, combined with its higher rankings on personal knowledge and organizational capability, signals management overconfidence in this area and a disconnect from boards and CAEs.