Since 2016, the European Confederation of Institutes of Internal Auditing’s (ECIIA’s) annual Risk in Focus report has sought to help Chief Audit Executives (CAEs) understand how their peers view today’s risk landscape as they prepare their forthcoming audit plans for the year ahead. This year, the Internal Audit Foundation expanded the report worldwide to each of The IIA’s six regions: North America, Asia Pacific, Africa, Middle East, Europe, and Latin America.
The first-ever Risk in Focus 2024: North America report, sponsored by AuditBoard, provides practical, data-driven research to help internal auditors and their stakeholders understand today’s risk environment and prepare audit plans for the year ahead. The report is based on a worldwide survey to identify current and emerging risks for each region, followed up with roundtables and interviews to discover leading practices for internal auditors.
Two risks dominate the risk landscape for North America in 2024 – cybersecurity and human capital, which cut across almost every aspect of an organization’s operations. By 2027, CAEs expect the biggest risk to still be cybersecurity, but digital disruption will leap into second place – with climate change also seeing greatly increased risk levels.
The North America Risk in Focus report describes in detail the challenges and solutions for urgent risk areas and draws on the expertise, experience, and knowledge of multiple internal audit leaders throughout the region. The featured topics for the North America reports are cybersecurity, human capital, market changes, and business continuity.
Read on for top takeaways from the report and download the full Risk in Focus 2024: North America report here.
Cybersecurity: Team Building for Cyber-Resilience
Because most organizations expect to be hacked, they are focused on building resilience through enterprise-wide collaboration and continuous training.
Internal auditors are strengthening collaboration throughout the business to help boards stay ahead of an escalating cyber-risk landscape. With the growth of industrialized hacking techniques and a higher risk of state-backed cyberwarfare, CAEs at the roundtable agreed that organizations must expect to be hacked – and prepare to bounce back rapidly.
Most crucially, collaboration across the entire enterprise is key. Cybersecurity and data security issues are not located in just one part of a business; they are ubiquitous. That means risks, controls, and mitigations also impact multiple business functions.
In three years’ time, survey respondents expect that cybersecurity will still be at the top of the list for risk levels and audit effort. With developing technologies, such as artificial intelligence, coming on stream over that time, and the tensions between the U.S. and China over Taiwan, the risk landscape is only likely to become more complex – and potentially more dangerous.
Human Capital: Redesigning Corporate Culture
At a time of acute skills and talent shortages, CAEs are helping organizations to diversify work practices, recruitment, and retention strategies.
Human capital risk cuts across every strategic and operational area of a business. Without the right people, organizations cannot function effectively – either to achieve goals, or to identify, manage, and mitigate key risks. Because of trends such as digitalisation and complex emerging risks such as climate change, organizations require a broader and deeper spectrum of expertise across a wider range of areas.
Few companies have fully redefined their work processes in the post-pandemic era. Rather than new cultural expectations being set by the board, culture is more likely to be defined by middle management out of necessity, said Brian Tremblay, CAE at 1stDibs. “Corporate culture is defined by the ‘tone in the middle,’ where managers make decisions for the benefit of their people, which may or may not align to the organization’s values,” he said. CAEs can help by providing boards with awareness about differences in work practices across business units so that boards are more in tune with culture realities.
Market Changes: Adding Value With Strategic Involvement
Markets are changing unpredictably, causing organizations to invest in digital strategies that are more responsive to fast-moving trends. CAEs are bringing together expertise across their businesses and acting as advisors on new initiatives to help those transformations.
Rapidly investing in the technology to deliver products and services is often essential to keep up with the market, CAEs at the roundtable said. But doing so increases exposure to other threats, including cybersecurity for new and untried systems and supply chain risk where services move to the cloud or change their operating structure.
Organizations need to do more than just identify market risks; they should calculate accurate and specific information about financial impacts. Ayaka Mitsunari, Internal Audit Director – Risk Architect for Delivery at Uber, said her team reviews governance processes, strategy, and operating structures to assess whether the business is able to respond effectively to market challenges. For example, internal audit asks, “How is management measuring the stickiness of the product? Do they have the right processes to be able to adapt quickly and innovatively?” she said.
Business Continuity: Building Resilience in Complexity
If boards tended to under-prioritize business continuity plans before the pandemic, that is no longer the case. High-profile cyber breaches, extreme weather events, and rising geopolitical tensions – particularly between the U.S. and China – continue to keep the topic on the agenda.
The experience of the pandemic and the rapid macroeconomic changes that have driven up inflation and interest rates has not only made it a boardroom imperative to better prepare organizations for the future, but also altered the way businesses think about operational resilience.
Organizations must plan for both event-based and non-traditional, broad-scope crises. Shannon Urban, vice president and CAE at Hasbro, said that her business extended its enterprise risk program to include both types of risk and internal audit ensures that they are included, monitored, and that disaster recovery plans are in place. In addition, disaster recovery plans go through regular desktop exercises, where internal audit provides a critical voice so that any weaknesses are proactively identified and tackled.
Download the full Risk in Focus 2024: North America report for a deep dive into the detailed survey results, with additional insights and recommended internal audit actions for each of the four top risks above, and a forecast of future risks expected to rise.