November 15, 2019
Boards are under increasing pressure from investors, regulators, and the general public to adapt to and better manage the factors that influence how organizations are created, grow, and succeed—and to do so with transparency and accountability. This requires unparalleled collaboration and harmony of purpose among those charged with risk management.
But findings from a new Institute of Internal Auditors (IIA) report paint a troubling picture that is anything but harmonious. Worse yet, the report’s key findings suggest that boards generally have an overly optimistic—and potentially dangerously skewed—view of how risks are managed.
OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk uses quantitative and qualitative surveys to determine how boards, executive management, and chief audit executives view key risks based on their personal knowledge of the risks and their views of their organizations’ capabilities to address them. Importantly, the report offers an analysis of how those views differ and what that means to an organization’s risk management.
Data analysis for this year’s report reveals varying levels of misalignment among respondents on 11 primary risks. Some of the report’s most important findings include:
Boards have a consistently rosier outlook than others who walk the halls. Executive management’s views on risk management capabilities are consistently more conservative than the board’s, which suggests an even more disconcerting condition: Boards don’t grasp the complexity of the risks their organizations face, aren’t getting the right information to fully understand the organization’s risk posture, or simply take what information is presented to them about risk management at face value. Furthermore, directors are more likely than executive management and chief audit executives to think their organization’s risks are well managed. This suggests better communication pipelines are needed between management and the board to ensure that directors see the full risk picture.
Most survey respondents believe a certain level of misalignment on risk perceptions is acceptable. The qualitative survey found that approximately 7 in 10 respondents expressed the view that some level of misalignment is “healthy”. While some misalignment around individual knowledge is to be expected, a cavalier attitude that such misalignment is somehow healthy is troubling, in particular with respect to misaligned perceptions of an organization’s ability to manage risk.
Certain industries are falling behind when it comes to integrating enterprise risk management processes. Overall, 67% of respondents reported using a systematic approach to identifying, managing, and monitoring risk. However, some industries that struggle to develop a coordinated risk management strategy include health care (51%), retail/wholesale (47%), and public/municipal (38%).
Cybersecurity and data are increasingly important for proper board oversight, but respondents seem to have little understanding of these areas. Boards and C-suite executives reported minimal knowledge in cybersecurity and data, which were rated among the most relevant to companies today. For example, less than a third of board members and executives interviewed rated their knowledge of cybersecurity at either a six or seven on a seven-point scale (top two). Organizations should make improving their understanding in these areas a top priority. Moreover, predictions by chief audit executives about the growing influence of three risk areas—data and new technology, data ethics, and sustainability—offer organizations an opportunity to proactively address them.
Talent management is on the radar of all OnRisk 2020 respondents. They understand that finding and keeping talent, particularly workers with data and information technology skills, will drive future success.
Internal audit is often unfairly criticized as identifying problems without offering solutions. Indeed, a long-standing macabre joke among risk managers is that internal audit’s job is to come in to bayonet the wounded.
One of OnRisk 2020’s significant benefits is that it offers solutions. Through careful analysis of survey data, as well as additional research, the IIA has identified actions each respondent group could take to improve their alignment on risk management and, ultimately, enhance their organization’s ability to address each of the 11 risks examined in the report. One theme for recommendations across a number of key risk areas was for boards to press executive management for more information or more frequent updates on risk management efforts. Another was a push for greater transparency and timeliness from executive management when reporting on key risks. OnRisk 2020’s overarching message is that all organizations can benefit from conducting reviews of risk knowledge and capability perspectives among their boards, C-suites, and internal audit functions.
One definition of risk management is to identify and evaluate risks based on impact and likelihood, then implement necessary controls and processes to leverage or minimize them. Any weakness in an organization’s risk management strategy or its execution is, in itself, a risk. Misalignment among the board, executive management, and internal audit on risk is one such weakness that can and must be corrected.
Richard F. Chambers (CIA, QIAL, CGAP, CCSA, CRMA) is CEO and president of The Institute of Internal Auditors. He has worked as a risk management and internal audit leader for more than four decades.