Top 10 key risks in Internal Audit for 2022
Each year the Institute of Internal Auditors (IIA) present the OnRisk report which includes a guide to understanding, aligning, and optimizing risks. This report is obviously very important for the Internal Audit functions and Chief Audit Executives (CAE). However, the mentioned risks are also relevant for the Board of Directors, Management and for the risk and compliance functions.
Below, FCG has summarized the 10 top key risks presented in the order of relevance, as rated by the OnRisk report 2022. All the risks in the OnRisk 2022 report should have universal applicability to organizations, regardless of size and industry. However, FCG recognizes these as very relevant with great impact, especially within the financial services sector.
- CYBERSECURITY: The growing sophistication and variety of cyberattacks continue to wreak disruption on organizations’ brands and reputations, often resulting in disastrous financial impacts. This risk relates to whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm.
- TALENT MANAGEMENT: The increased need for and acceptance of remote operations, including working from home, as well as continued dynamic labour conditions, are redefining how work gets done. This risk relates to the challenges organizations face in identifying, acquiring, upskilling, and retaining the right talent to achieve their objectives.
- ORGANIZATIONAL GOVERNANCE: Governance encompasses all aspects of how an organization is directed and managed — the system of rules, practices, processes, and controls by which it operates. This risk examines whether organizations’ governance assists or hinders achievement of objectives.
- DATA PRIVACY: The growing list of regulations from jurisdictions around the world is making data privacy increasingly complex and dynamic. This risk examines how organizations protect sensitive data in their care and ensure compliance to all applicable laws and regulations.
- CULTURE: With an increasing percentage of professional employees working remotely full or part time, organizations are challenged to maintain, enhance, or control their organizational culture. This risk examines whether organizations understand, monitor, and manage the tone, incentives, and actions that drive the desired behaviour.
- CHANGE IN REGULATORY ENVIRONMENT: Fundamental changes in government appetite for regulation can have a significant impact on organizations, including those not considered heavily regulated. This risk examines the challenges organizations face in a dynamic and ambiguous regulatory environment.
- SUPPLIER AND VENDOR MANAGEMENT: For an organization to be successful, it has to maintain healthy and fruitful relationships with its external business partners and vendors. This risk examines organizations’ abilities to select and monitor third-party relationships.
- DISRUPTIVE INNOVATION: We are in an era of innovative business models, fuelled by disruptive technologies. This risk examines whether organizations are prepared to adapt to and/or capitalize on disruption. Disruptive Innovation presents one of the greatest risk management challenges for organizations, which is reflected in the considerable misalignment between boards and the C-suite as it relates to risk relevance and organizational capability.
- SOCIAL SUSTAINABILITY: Increasingly, there is a recognition that organizations have significant influence on individuals who they employ, who work in their value chain, who consume their products and services, and who live in their communities. This risk examines the ability of organizations to understand and manage the direct and indirect impacts their actions have on individuals and communities.
- ENVIRONMENTAL SUSTAINABILITY: Organizations are facing increased pressure from stakeholders, including shareholders, regulators, customers, and employees, to evaluate and disclose how they are impacting the environment in which they operate. This risk examines the ability of organizations to reliably measure, evaluate, and accurately report on their environmental impacts.
Conclusion
According to the report, the three risks that needs extra attention which should be expected to increase in relevance in the next three to five years are the following: Cybersecurity, Talent Management and Culture.
Given the ever-increasing risks of cyber-attacks, after EBA and EIOPA’s guidelines on Information and communication technology (ICT) and security risk management and ESMAS’s guidelines on outsourcing to cloud service providers, the EU has further strengthened the cybersecurity and operational resiliency of almost all financial entities. Therefore, the Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. DORA is expected to be in force by 2024.
Talent Management is also expected to remain a top risk for financial entities with challenges to find candidates who have the required skills, are the right fit for the role and have the potential to grow into future roles. However, to retain talents is at least as important as hiring talents which should be managed by e.g., promoting flexibility, building good company culture and provide a secure environment for the employees. Some competency areas in the financial sector that need to be further strengthen are for example ICT incl. cyber and information security, sustainability and anti-money-laundering (AML), where there are also fit-and-proper requirements to meet.
The culture and the distributed workforce created by the pandemic is feeding significant concerns about workplace culture with challenges that the organizations now face. Moving forward, the organizations must focus on finding arrangements on how to strengthen the communication, interaction and collaboration and how to keep fostering relationships with colleagues and clients. Further, given the importance of corporate culture, organizations and boards should assess the current state of their culture incl. tone at the top and deliberately evolve it to achieve desired business and stakeholder objectives. Boards should also be clear on how management defines a corporate culture that is linked to organizational purpose and aligned to strategy.
In addition to these three areas, FCG want also to emphasize the expected risks, challenges and demands of environmental, social and governance (ESG) credentials from regulators, shareholders, customers as well as other stakeholders, where also greenwashing has been a hot topic in the financial services sector. Some of the expected risks are noncompliance with regulatory requirements (SFDR, EU Taxonomy Regulation etc), lack of robust ESG data which is one of the largest barriers to ESG adoption and embedding ESG in existing risk practises incl. the organization’s ecosystem.
FCG has extensive experience of supporting clients with governance, risk and compliance (GRC) services in the financial sector incl. Internal Audit, both as an outsourced function and as supportive (co-sourcing) collaboration. We are happy to discuss how FCG can support your Internal Audit function in meeting external guidelines as well as internal expectations based on the organization’s specific conditions and needs.