Gavin Hayes (IIA UK & Ireland), Peter Hartog (IIA Netherlands) and Charlotte Gabet (IFACI France), have agreed to comment for us on the new edition of the study RiF, which this year called for more than 93 experts, internal audit directors and administrators, in addition to the 570 professionals interviewed. The results have been clearly marked by the COVID crisis.
Since few years now, we learn from the Risk In Focus publication by the IIA Institutes in Europe… Could you please tell us more about this initiative, and what is the purpose of this project?
Gavin Hayes : Risk in Focus is the annual flag-ship thought-leadership project of the IIA European Institutes Research Group (EIRG) and this year is a collaboration of ten European Institutes of internal auditors representing 11 countries including Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden and the UK and Ireland. The Risk in Focus research study examines the top ten business risks as identified by Chief Audit Executives. The report provides useful insights on key risk areas as internal audit functions are preparing their audit plans for the year ahead. The research is based on a quantitative survey, which this year received 579 responses from Chief Audit Executives from all the European countries involved, as well as qualitative one to one interviews. For the first time this year, as well as interviewing Chief Audit Executives, we also interviewed Audit Committee Chairs, to understand where key risks lie from a board point of view. We then supplemented the research with interviews with 51 subject matter experts using the Delphi method. This rigorous three-tiered research approach means that this year’s Risk in Focus is more fascinating and insightful than ever.
Peter Hartog : The rationale of the EIRG: Internal auditors in the different European countries are doing similar work and are being challenged by the same developments. The same counts for the different IIA institutes which represent them. In addition to that many sectors of the economy operate internationally and are regulated at the European Union, as well as national, level. So, it is very useful and efficient for the IIA charters to work together.
Like I said Risk in Focus (RiF) is the most important research the EIRG is conducting. Now in its 5th edition and with more participating institutes than ever: 10 institutes, representing 11 countries.
The main purpose of RiF is offering guidance for the risk evaluation that the IAF carries out annually in the context of drawing up the annual audit plan. For the added value of the IAF it is essential that this risk analysis is good and that the most important risks and topics for the organization are identified. RiF provides an overview of risks, their developments and the possible significance of them for the role of the IAF. The CAE can use this as a basis, to ensure that all possibly relevant topics are included in the analysis and annual plan.
Do you believe an European approach is a strong benefit when considering global risks?
Charlotte Gabet : Of course! The risks that now face businesses are more and more “macro-risks” or “meta-risks”. They are not attached to national boundaries, and both their roots and consequences are global. The RIF results are showing that. So, if we want to have an in-dept understanding of phenomena and if we want to bring strong and trusted analysis to our members (wherever they operate), we need to have a collective and a broader approach. European scale is a good level to me, as we benefit from some regulatory, economical and social coherence. This is the reason why we (the European institutes) have joined our efforts and mutualized our resources for these projects, in order to better serve our professions.
Some detractors would say there are other qualitative and well documented risk mapping produced annually and global reputation… Why is the RIF so special? What are its specifics?
PH: Indeed there are (many) more studies on risks. RiF is unique because of its approach. Primarily it shows the perceptions of colleagues, CAEs or Heads of Internal Audit, who are in the same situation, dealing with the same questions. An additional advantage is that this not only makes it possible to look at the developments in the risks, but also very specifically at the consequences for the IAF and whether the current time spent by IAFs is in line with the priorities in the risks. I think there is no other study addressing these like this, offering such handles for the annual audit planning.
To prevent us from setting blinkers by only looking at it from our own profession, we did some verification of the results with members of Audit Committees and this year for the first time we also approached an extensive group of experts through Delphi studies on the various topics.
CG: I agree with Peter, the RIF is quite unique. Especially this year, as we are developing some practical guidance in addition to the qualitative report. The survey and the interviews bring some quantitative and qualitative analysis of the key trends, but for this edition with are one step further, by supporting our readers with three practical and synthetic guidance where they will be able to find good practices, tips, innovating angles to tackle the risks and harness opportunities. They will also have a better access to key reference document, from many institutes (not only their respective institute!). This year the focus is on the three most critical risk: cyber risk (and the human factor), macroeconomic risk (in the context of COVID-19) and the climate risk (and its impact on business resilience).
As the project lead Gavin, what are the key results of this year edition? Are you surprised? What is new in comparison to the previous result?
GH: This year’s edition of Risk in Focus has been the most interesting and fascinating to work on, not least because we undertook the research during the biggest risk event in decades – the global coronavirus pandemic. We’ve seen a whole range of business-critical risks exacerbated as a result of the crisis and this is very much reflected in this year’s survey results. Amid heightened awareness of the IT and security threats posed by remote working it is perhaps not surprising that cybersecurity has once again dominated the top spot with 79% of CAEs citing it as a top five risk. However, the report also highlights growing concerns around companies’ ability to remain solvent with the global economic recession now upon us. As a result, we have seen a notable spike in the number of survey respondents citing Financial capital and liquidity risk a top five risk – 42% of CAEs compared to 30% a year ago, which is a 40% year on year increase. Disasters and crisis response, a new risk in this year’s survey, was cited a top five risk by just over a third of Chief Audit Executives – reflecting the increased focus on business resilience and crisis management as a result of the pandemic. Health and safety meanwhile saw a 70% year on year increase, with 17% citing it a top five risk compared to just 10% a year ago. But for me the one to watch out for in the year ahead is Climate change and environmental sustainability. Two years ago only 8% cited climate change a top five risk, last year this almost doubled to 14% and this year it has gone up yet again to 22%, and when you ask CAEs what they think their top five risks will be in three years’ time it goes up even further to 28%. But despite this at present only 6% of CAEs say this is one of the top areas for internal audit to spend most time and effort. If we want to avoid climate change becoming the next big risk event after coronavirus then we really need to see more internal audit functions taking it more seriously and devoting more time to this business-critical risk area in the years ahead. But overall the survey results really do reflect the rapidly changed risk landscape as a consequence of the global coronavirus pandemic, which make for some interesting and relevant insights
As for the COVID impact and the “New Normal”… is the Risk in Focus particularly impacted by the recent crisis? Is this edition COVID length only? How will the RIF help the internal auditors to deal with the immediate future?
PH: Of course, the present report is strongly influenced by Covid-19. This affects almost all aspects of business operations, also in 2021. So it’s important to give some guidance on that. At the same time, that is not all that is being looked at. After all, other developments also continue. Important examples of this are the developments in the field of politics and macroeconomics (as the rising nationalism), HR (the concern to attract new talents) and of course Climate Change, which is becoming increasingly important.
CG: Again, this year the RIF also offers some practical guidance to support the day-to-day work in an internal audit team. The three risks we propose to dive-in are the most critical and where there is a real gap between the maturity level for a large part of professionals and the growing importance for the overall organization. The guidance must support the internal auditors, on an immediate term. In a medium term, this analysis (maturity Vs importance, dedicated time Vs existing materials…) will help the institutes to identify the topics they will be best relevant to work on – even if for some risks, our members are not yet very aware of the importance. I believe we do have a prospective role to play for the profession.
Finally, personal question! Could you pick your number one priority risk /topics you personally believe should be on the radar of all internal auditors and business leaders? Why?
PH : Personally, I think that climate change should get the attention of every IAF right now. Its size and impact will increase further in the coming years; now is the time to be able to act proactively. And not only look at the risks, but also at the opportunities that this offers. By raising this at an early stage, from a broad business perspective, I think that you can add a lot of value as an IAF.
GH : Without a doubt climate change. It is the most dynamic new and emerging risk moving most quickly up internal audit’s agenda, but there is currently a disconnect in terms of the amount of time and effort internal audit team’s are currently engaged in auditing this business-critical risk area. If we want to avoid climate change turning into the next big crisis then business needs to play its part and get ahead of the curve on this one. I believe internal audit has a vital role to play in supporting boards to do the right thing on climate change. This is an area where internal audit can and should be adding value to the organizations they serve.
CG : If not climate change, then I would say Talent management. I personally think this is a really interesting and strategic matter for any organization. It both a classical and “historical” risk, and and innovating and transforming phenomena. I believe HR planning is always a real challenge. Both in terms of quality and quantity. Then, you have to deal with attraction and retention of talents… it will always be a major challenge for businesses! Therefore, the expectations from staff are more and more complex.. stronger… and now fully assumed by the employees! I believe our profession can support to better apprehend the risks and bring new opportunities for people.