If you ask one question this week make it this one: How can I ensure that I and my team stay up to date with a rapidly changing risk environment?

Q: How can I ensure that Iand my team stay up to date with a rapidly changing risk environment?

A: There are many truisms about change – that it’s constant and that if you don’t also change constantly you fall behind – but there are periods when change seems to accelerate to the point where it’s harder than ever to keep up. This is partly because large-scale disruption of any kind starts so many small wildfires in every part of our lives and businesses that it’s easy to miss the one that will turn into a blazing inferno if it’s not managed.

The challenges caused by rapid change matter to us all, but for internal auditors they pose particular concerns. Individuals and teams are affected by the same pressures as everyone else – changing work patterns, technological developments, price rises, staff shortages – but they also need to consider how these changes are affecting other people in different situations and what this means for the control environment and emerging risks.

Change prompts shifts in human behaviour among staff, managers, suppliers and customers. Different groups will have different incentives and divergent views on the same issue. Actions in response to a change at one level may have unintended and unforeseen effects at another. Some decisions will be carefully considered and implemented, but some may not be recognised as significant until they have already had widespread repercussions – for example, on staff morale, supplier relations or reputation.

How then, can internal auditors ensure they stay up to date with ongoing changes in the wider macroeconomic and corporate environment, while also managing the changes that affect them directly as individuals and as a team? How do they identify which wildfires risk becoming a conflagration, while ensuring that the smaller ones are monitored and damped down?

The two sides of this are related. Teams and individual internal auditors who take time to find out what others in their profession are doing and ensure that their own function is well-equipped to track changes and respond rapidly when necessary are likely to find it easier to ensure that corporate-level changes are also identified and managed well. They are also likely to gain advance warning of developments in emerging risk, since they will benefit from the observations of contacts within and outside the profession.

The obvious problem is that those who are not already well-connected and plugged into wider professional networks and information sources are likely to be fully occupied dealing with the fires already springing up around them and, therefore, have less scope to think about the future and develop these contacts and information sources. They, like the Red Queen in Alice in Wonderland, will have to run even faster to make any progress.

However, while any internal auditor who feels wholly confident that they are up to date with all the changes that are occurring today should be wary of complacency, those that feel overwhelmed by the challenges should take heart. There are many ways to raise awareness both in the internal audit team and more widely in the organisation, and they do not all involve a hefty investment in technology or training.

A few hours spent thinking about – or brainstorming with others in the internal audit team – sources of information and the ways you identify, track and manage change could pay dividends.

Key questions could include: Have we improved or accelerated the way we track emerging risk in the past two years? Do we speak regularly to contacts elsewhere in our sector to learn about changes they are making and risks they see emerging? Do we speak to contacts beyond our sector about these things? Are we using the Chartered IIA’s networks and forums to develop our contacts and find out what others in the profession are doing and seeing?

How much do we use technology to track change, responses to change and emerging risks? Could we use our existing technology to do more? What sources of information do we currently use – and what do other
teams use? Are there new or different sources that we should utilise to improve our knowledge of changing risks (eg, in different regions or markets, for example)?

Are we confident that we are addressing behavioural, cultural and reputational risk adequately, given the way rapid change can affect these areas? Are we looking enough at new incentives and opportunities for fraud? Should we consider sending someone in the team on a training course to refresh our approach?

Are managers aware of the impact of current unfamiliar economic challenges (such as rising inflation) on staff, customers and suppliers? Is the internal audit team confident that management understands potential behavioural and reputational risk and that this is being factored into decision-making?

These are just a few of many issues – and details will vary from organisation to organisation. However, at a time when war, pandemic and climate change are having huge effects on geopolitical risk, while soaring inflation and, particularly, energy costs, are causing a financial squeeze not seen for more than a decade, on top of ongoing problems hiring staff and implementing new working patterns, what we did in the past is unlikely to be enough today.

When you’re running to keep up, it can be difficult to justify time to think and ask questions. But it’s never been more vital. 

This article was first published in July 2022.