OnRisk-2020-Report.pdf
TABLE OF CONTENTS

Introduction . 3
Top risks for 2020 and beyond . 4
Key findings . 5
Methodology . 6
How to use this report . 7
Leveraging the methodology . 8
Understanding risk . 9
The stages of risk . 11
Key findings explained . 12
Board overconfidence . 13
Views misaligned on risk maturity . 14
Misalignment danger . 15
Risk strategy concerns . 16
Insufficient understanding of significant risks . 17
Three risks to watch . 18
Focus on talent . 19
Conclusion . 20
Cybersecurity . 24
Data protection . 25
Regulatory change . 26
Business continuity and crisis response . 28
Data and new technology . 29
Third party . 30
Talent management . 32
Culture . 33
Board information . 35
Data ethics . 36
Sustainability (ESG) . 37
Figures . 38

Dear Readers,

I have the great pleasure of introducing the inaugural edition of an exciting new report from The Institute of Internal Auditors. OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk is an innovative and insightful research report that promises to change the way organizations view and understand risk. That's a bold statement that requires some justification, so here it is.

A number of risk reports published annually provide perspectives from individual players in the risk management process. However, no single report has provided a holistic view of risk from all perspectives until now.

OnRisk 2020 brings together the perspectives of the board, executive management, and chief audit executives (CAEs) on the risks that are top of mind for 2020 and beyond. Based on quantitative and qualitative surveys, the report lays out how each respondent group views key risks. Respondents shared their perspectives on their personal knowledge of the risks and their views of their organization's capability to address the risks.
But the most innovative and powerful benefit OnRisk 2020 offers is a studied analysis of how those views differ and what that means to an organization's risk management.

For example, the qualitative survey found that board members are consistently more optimistic about their organization's capability to address key risks than members of executive management are. For some risks, board member views on capability were dramatically higher than those of executive management or CAEs. Taken together, these findings raise questions about how boards build their views on capability, and how this affects decisions that drive risk strategy.

Another example relates to managing cyber risk. Addressing this ubiquitous risk remains a daunting task, and its management is a top priority. Yet because of the ever-evolving nature of cybersecurity threats, executive management, boards, and CAEs are aligned in feeling that their knowledge of cybersecurity is low.

These insights should do more than just raise awareness of the misalignments, or gaps, that may exist. Through careful analysis of the survey data as well as additional research on each risk, The IIA has identified actions each respondent group may take to improve alignment with one another and ultimately enhance the organization's ability to address the risks. This is where OnRisk 2020 offers the most innovative and powerful benefit to organizations.

Organizations should review the analysis and recommendations related to each of the 11 key risks that follow and are encouraged to conduct a similar review of the knowledge and capability perspectives among their own organization's board, executive management, and internal audit activity. OnRisk 2020 offers a robust look at key risks that organizations will face in the coming year, provides important benchmarking on capability to support risk and audit planning, and offers direction to help align and enhance risk management strategy and execution.
I am confident you will find OnRisk 2020 insightful, illuminating, and of immense value.

Sincerely,

Richard F. Chambers
President and CEO
The Institute of Internal Auditors

INTRODUCTION

Risk is a thorny word. In its simplest form, it means exposure to danger, but in an organizational or business context, it takes on a much more complex definition. For generations, investors, boards, and executive management viewed risk as something to be avoided or mitigated, but organizations that take such a defensive posture cannot thrive for long in today's dynamic marketplace driven by global competition, rapid technological change, and geopolitical uncertainty. The modern approach to risk management must view risk as opportunity, as well. This requires strategic, coordinated, and seamless collaboration among key risk management players, and success in this arena demands a clear-eyed view of each player's understanding of and ability to leverage or manage risk.

The Institute of Internal Auditors (IIA) is proud to offer OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, a robust and comprehensive view of the top risks for the coming year based on the perspectives of key players in the risk management process: the board, which sets the risk appetite and provides strategic oversight for long-term value creation; executive management, which sets and executes risk management strategy; and the CAE, a resource for the board and management who provides assurance and insights independent from management.

In partnership with a global market research firm, The IIA has produced a unique report that captures the viewpoints from the boardroom, C-suite, and internal audit activity. It also introduces a Risk Stages Model with stages ranging from Recognized to Maintained that provide additional insight into developing risk management plans and strategies.
In today's dynamic risk universe, risk management must effectively combine risk mitigation of potential negative outcomes with identification and prioritization of opportunities to enhance organizational value.

Through quantitative and qualitative surveys, OnRisk 2020 not only identifies perspectives from each key player in the risk management process, it also maps how those views align. This additional insight into risk alignment provides vital data to measure how risks are understood and managed.

The mapping of how risk perspectives are aligned or misaligned provides deeper insight to support risk management planning in the coming year. It also sheds light on areas where misalignment can create weaknesses that can disrupt even the best risk strategies.

TOP RISKS FOR 2020 AND BEYOND

The 11 risks below were carefully selected from a vast assortment that are likely to affect organizations in 2020 and were vetted through in-depth interviews with board members, executive management, and CAEs.

CYBERSECURITY: The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations' brands and reputations, often resulting in disastrous financial impacts. This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm.

DATA PROTECTION: Beyond regulatory compliance, data privacy concerns are growing as investors and the general public demand greater control and increased security over personal data. This risk examines how organizations protect sensitive data in their care.

REGULATORY CHANGE: A variety of regulatory issues, from tariffs to new data privacy laws, drive interest in this risk.
This risk examines the challenges organizations face in a dynamic and sometimes volatile regulatory environment.

BUSINESS CONTINUITY/CRISIS RESPONSE: Organizations face significant existential challenges, from cyber breaches and natural disasters to reputational scandals and succession planning. This risk examines organizations' abilities to prepare, react, respond, and recover.

DATA AND NEW TECHNOLOGY: Organizations face significant disruption driven by the accelerating pace of technology and the growing ease of mass data collection. Consider traditional versus born-digital business models. This risk examines organizations' abilities to leverage data and new technology to thrive in the fourth industrial revolution.

THIRD PARTY: Increasing reliance on third parties for services, especially around IT, demands greater oversight and improved processes. This risk examines organizations' abilities to select and monitor third-party contracts.

TALENT MANAGEMENT: Historically low unemployment, a growing gig economy, and the continuing impact of digitalization are redefining how work gets done. This risk examines challenges organizations face in identifying, acquiring, and retaining the right talent to achieve their objectives.

CULTURE: “The way things get done around here” has been at the core of a number of corporate scandals. This risk examines whether organizations understand, monitor, and manage the tone, incentives, and actions that drive behavior.

BOARD INFORMATION: As regulators, investors, and the public demand stronger board oversight, boards place greater reliance on the information they are provided for decision-making. This risk examines whether boards are receiving complete, timely, transparent, accurate, and relevant information.

DATA ETHICS: Sophistication of the collection, analysis, and use of data is expanding exponentially, complicated by artificial intelligence.
This risk examines organizational conduct and the potential associated reputational and financial damages for failure to establish proper data governance.

SUSTAINABILITY: The growth of environmental, social, and governance (ESG) awareness increasingly influences organizational decision-making. This risk examines organizations' abilities to establish strategies to address long-term sustainability issues.

KEY FINDINGS

The qualitative and quantitative interviews for OnRisk 2020 elicited new insights about how the principal drivers of risk management interact, which risks pose the greatest challenges, and how alignment on risk management efforts impacts organizational success. Analysis of the results identified seven key findings that shed light not only on how risks are understood, but also on how the ability to manage risk is perceived. In-depth examinations of these findings are found later in this report.

Boards are overconfident. Boards consistently view the organization's capability to manage risks higher than executive management does, evidence of a critical misalignment between what executive management believes and what is communicated to the board.

Boards generally perceive higher levels of maturity in risk management practices. Board members' perceptions of risk knowledge and capability place them ahead of executive management and CAEs relative to risk maturity, therefore making them more likely to believe those risks are better managed.

“Acceptable misalignment” on risk is a prevalent and dangerous mindset. A majority of respondents believe some misalignment on risk perception should be expected, with some viewing it as “healthy.” While misalignment around individual knowledge of a risk may be acceptable based on varying roles, misalignment on the perception of the organization's capability to manage a risk is a serious concern.

Some industries are lagging in adopting systematic approaches to risk.
Healthcare, retail/wholesale, and public/municipal industries are lagging, sometimes significantly, in developing coordinated and consistent risk management processes.

Cybersecurity and Data and New Technology represent critical knowledge deficits. Low reported knowledge and high relevance of these risks suggest risk management players should prioritize building knowledge in these two key risk areas.

Data and New Technology, Data Ethics, and Sustainability risks are expected to grow in relevance. CAEs predict brisk growth in relevance for these three key risk areas in the next five years, identifying an opportunity for organizations to take a more proactive approach.

Talent Management (and retention) is at the center of future concerns. Respondents recognize the importance of good talent and how people drive the success of a business, particularly when it comes to data and IT skills. An important shift is underway from an insufficient availability of resources to an inability to attract and retain talent with business-critical skills.

METHODOLOGY

The inaugural OnRisk 2020 report is a significant step forward in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success. The combination of quantitative and qualitative research [1] provides a robust look at the top risks facing organizations in 2020 and allows for both objective data analysis and subjective insights based on responses from risk management leaders.

[1] The quantitative survey of internal audit managers and CAEs and the qualitative interviews of board members