View from IIA Global: Disconnected – differing perceptions of risk
Given the myriad ways that the coronavirus pandemic has affected businesses, it is hardly surprising that senior executives say that business continuity, crisis management and cybersecurity are the top risks they expect their companies to face in 2021. However, COVID-19’s most influential and enduring impact may in fact turn out to be the way it has accelerated the positive and negative effects of technology.
This was a key finding in IIA Global’s recent research report, OnRisk 2021: A Guide to Understanding, Aligning and Optimizing Risk. Other risks that rank highly in this second annual report are talent management, culture, organisational governance, data governance and disruptive innovation. Sustainability, economic and political volatility, third-party relationships and board information receive lower rankings.
This year’s survey also asked respondents for their perceptions on the relevance of various risks and this highlights some interesting – and worrying – disconnects between different types of risk stakeholders. While the views of the C-suite, board and chief audit executives align closely over personal knowledge of, and organisational capabilities to deal with, 11 key risks, there is a significant split between the perceptions of C-suite respondents and those of board members and CAEs when it comes to the relevance of these risks.
Board members and CAEs have broadly similar views about the relevance of most risks to their organisations, but management tends to rate relevance much lower overall. This gap is particularly large when it comes to organisational governance and economic and political volatility, and the C-suite assigns higher relevance to operational risks, such as talent management, culture, and business continuity and crisis management.
This gap should not be dismissed lightly – there is a clear disconnect. Combined with management’s higher ranking on personal knowledge and organisational capabilities, it suggests that management is either overconfident about organisational governance risk, or unaware of concerns at board level.
The report shows not only that board tends to assign more relevance to each risk than management does, but also which risks are most relevant to each group. For example, although talent management and culture appear to be highly relevant to both the C-suite and the board, the board’s relevance scores for each exceed those of management by about 20 points. Moreover, while cybersecurity tops the relevance list for C-suite respondents, it is only the sixth most relevant risk for board members.
Overall, perceptions of organisations’ capability to manage risks are better aligned among the three groups than previously. Responses to Covid-19 – such as more frequent communication and collaboration among those involved in risk management – may have increased their mutual agreement about organisational strengths and weaknesses.
Recruiting and retaining top talent is a persistent and global challenge that became significantly more complex during the pandemic. Organisations scrambled to react to lockdowns, disrupted supply chains and cashflows and an exodus of employees from work sites. Pay cuts, furloughs and job cuts further complicated talent management and this disruption, as well as its impact on morale, productivity and workplace culture, will have many implications. Not least of the new challenges will be finding people with the technological skills to use the systems that organisations have adopted as a response to the pandemic.
Further reading
Richard F Chambers writes a blog at chambersontheprofession.org and tweets at www.twitter.com/rfchambers. His third book, The Speed of Risk: Lessons Learned on the Audit Trail, 2nd edition, is available at www.theiia.org/bookstore.
This article was first published in January 2021.