Risk and Audit Transformation in the Era of Permacrisis: Imperatives for 2024 and Beyond
The world has always known chaos. But the 2020s are a different kind of chaos, with one risk-disruptive crisis after another, from COVID, supply chain woes, and war in Ukraine to inflation, waning confidence in banking and the capital markets, climate impacts, domestic political polarization, and more. As each new crisis unfolds, none of the previous crises have gone away — and before we can fully diagnose the crisis that has just emerged, we’re onto the next one.
We are in a state of persistent crisis, with no sense of how we’ll escape. Some have termed this the era of “permacrisis” — a newborn word for our “extended period of instability and insecurity.”
Risk managers and internal auditors are charged to assess risk, and to advise management and the board on the overall effectiveness of the organization’s ability to manage risk. In the past, we had confidence that the crises we faced were solvable, finite, intermittent, and sometimes predictable. In a landscape of permacrisis, we find no such confidence. Transformational change is critical for enabling our profession to operate effectively amid such volatility.
I’m honored to provide a keynote at AuditBoard’s Audit & Beyond Conference taking place in San Diego from October 17-20, 2023; my session will explore the 2024 transformation priorities that risk and audit professionals must embrace in the era of permacrisis. This article queues up some of the imperatives that must be top of mind for risk and audit professionals as they set their priorities for 2024. Register today to attend in person or virtually, and read on for my initial thoughts on how risk and audit can stay relevant, connected, and aligned in these extraordinary times.
Embrace Ambiguity and Complexity
The world will not revert to a more predictable, less chaotic time. This is our new normal, where ambiguity only deepens and complexity only grows. We should embrace it as an opportunity.
Historically, there was a sizable gap between the knowledge of our key stakeholders and our knowledge as internal audit and risk professionals. Twenty years ago, if I had walked into a room of board members and executives and announced, “Here are your key risks for the next three years,” they would have tossed me out. And they would have been right to do so, because they certainly would’ve had a stronger understanding of their business risks than I did. Today, ambiguity and complexity — permanent characteristics of permacrisis — have humbled us all and helped to level the playing field. Nobody knows better than anyone else what’s next, largely collapsing the knowledge gap. Our stakeholders are certainly smarter about the business than we are in many ways. But they increasingly appreciate how much they don’t know, and that is where we can help.
Our organizations need us more than ever. Internal audit and risk professionals have become the valuable third and fourth sets of eyes looking over the horizon. Peering through the fog of ambiguity and complexity, it’s profoundly challenging to see the risks and possibilities. It’s also an unprecedented opportunity for internal auditors and risk managers to provide insight and foresight.
Collaborate to Continuously Manage Risks
I have always championed collaboration. In recent years, I’ve raised the battle flag higher, viewing cross-functional collaboration as absolutely critical for surviving and thriving in a chaotic risk environment. Until I see it everywhere, I’ll keep talking about it. Risk resilience demands we combine forces and connect initiatives to monitor and manage the expanding risk spectrum.
The Institute of Internal Auditors (IIA) updated its “Three Lines Model” in 2022 to emphasize the need for “alignment, communication, coordination, and collaboration.” Indeed, breaking down silos and improving collaboration across assurance teams are key to getting ahead of risk. By leveraging perspectives, competencies, resources, and information from all of our colleagues, we’ll be better equipped to tackle both the risks on the horizon and the crises around the corner. For example, AI compliance risks and opportunities are emerging faster than expected (e.g., the EU’s AI Act, global momentum for AI regulation, the NTIA’s AI accountability efforts, which garnered 1,400+ public comments). As climate impacts continue proliferating, environmental, social, and governance (ESG) regulatory activity continues escalating. The top concerns for Chief Risk Officers worldwide are the external risks posed by macroeconomic indicators (e.g., growth, inflation, interest rates, liquidity). I could go on and on.
You’re wasting time if you’re not actively working to maximize the impact of your organization’s combined assurance resources. This is no time to waste time.
Emphasize Dynamic, High-Impact Communication
To ensure our communications create value, we should focus on ensuring genuinely impactful reporting — delivering our important messages at the right times and in the right ways. This is a central message in Protiviti’s 2023 Next-Generation Internal Audit Survey, which found that “using high-impact reporting to deliver and communicate value” was internal auditors’ top choice for most valuable driver of internal audit relevance. The report describes four characteristics shared by high-impact communications (summarized here):
- Relevant — Using customized messaging and modes of communication that consider the needs of multiple stakeholders and enable timely analysis and decision making.
- Risk-informed — Dialed into the risks that matter via dynamic risk assessments yielding insights linking business strategy, operations, compliance activities, and financial goals.
- Concise — Reliably asking, “How do I say more, with less?” and communicating critical information by making better use of data, visual appeal, and clear, efficient messaging.
- Insightful — Conveying fresh perspectives, analyses, insights, and suggestions throughout the audit life cycle, going beyond what stakeholders already know.
I regularly advocate “telling your story,” encouraging audit and risk professionals to shine the light on the value they deliver in formal and informal communications. Make that value shine yet brighter by prioritizing dynamic, timely, tailored, insightful communications designed for impact.
Deploy Next-Generation Talent Management Strategies
We won’t achieve any transformational priorities without talented teams capable of navigating the enduring chaos. Every organization should build out a comprehensive talent management strategy focused on attracting, sourcing, onboarding, engaging, supporting, continually training, motivating, recognizing, rewarding, and retaining the next-generation talent its future demands.
Talent management strategies must align and integrate with overall strategy. What are your needs, priorities, plans, and risks, and what kind of talent will you need to address them? What do ambiguity and complexity look like for your organization, and what skills, expertise, and diverse backgrounds will help you manage them? What expectations will talent have for your organization (e.g., technologies, innovation, collaboration, varied assignments)? Start by looking for strong business acumen, strategic thinking, relationship centricity, and an innovative mindset, the four shared attributes of great change agents I captured in my fourth book, Agents of Change. By cultivating a culture of trusted advisors and jacks-of-all-trades, your organization will be better equipped to adapt to the unknowns that lie ahead.
Future-Proof Through Tech Agility
If internal audit and risk are to be effective in the next decade and beyond, we not only have to become more tech-savvy, but tech-fearless. Instead of fearing the technological unknown, we should embrace it, learn from it, and build upon it to enable the transformation — and continued relevance — of our professions. Embracing tech agility is critical for future-proofing our profession and the value it provides.
With technological innovation moving at breakneck speed, the danger of human inertia is real. The surest way not to make progress is not to try. Make a plan to explore opportunities, enhance capabilities, and upskill your team, because tech agility has become foundational to transformation. In fact, advanced analytics, AI, automation, process mining, connected risk platforms, and other technologies enhance our ability to make sense of ambiguity and complexity, collaborate across teams, generate relevant, risk-informed insights and reports, and attract and retain next-generation talent.
Choose Your Own Priorities
These are my thoughts on our transformational imperatives. But don’t take my word for it, and don’t determine your priorities based exclusively on the crisis du jour. The path to health is not paved solely with bandaids. Consider the transformation needed in your role and organization, and construct a broad strategy aligned with your goals and objectives. After all, while long-term strategic planning has long been a leading practice, it will soon be mandated: The IIA’s Global Internal Audit Standards will (if adopted) require long-term strategic plans for internal audit functions.
The era of permacrisis demands we focus on strategically positioning ourselves and our organizations for future success. What are your transformational priorities? How will you achieve them?
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA).