Boards face the ‘perfect storm’ of high-impact interlocking risks, finds new Chartered Institute of Internal Auditors’ report, Risk in Focus 2023
The war in Ukraine, coupled with an accelerating cost-of-living catastrophe and a looming recession, has significantly intensified a wide range of business-critical risks for many organisations. As businesses continue to grapple with the aftermath of the pandemic, Russia’s invasion of Ukraine is intensifying supply chain failures, has caused a spike in energy prices and has fuelled inflation, further heightening geopolitical and macroeconomic risks. Meanwhile, an increasingly weaponised cyber-attack landscape as well as major recruitment and retention challenges are throwing many businesses into a permanent state of crisis.
Boards now face a ‘perfect storm’ of risks, as revealed in the annual Risk in Focus 2023 report, published by the Chartered Institute of Internal Auditors (Chartered IIA).
The backbone of the research that the report is based on is a survey of Chief Audit Executives (CAEs) working in all sectors of the economy across Europe, which received a record-breaking 834 responses during the year. The report focusses on five key areas to help boards navigate these headwinds: geopolitical uncertainty, climate change, human capital and talent management, cyber and data risk, and digitalisation and artificial intelligence. Boards must rapidly adapt and get a grip on these ever-changing risks. Those that have an internal audit function should do so by seeking its support to help them navigate the more uncertain, risky, and volatile times ahead.
One of the main takeaways from the report is that geopolitical and macroeconomic uncertainty is the most dynamic risk, rising up the agenda by four positions from seventh to third most severe risk this year. Yet despite its growing prominence and severity, only around one in ten businesses are spending any major time or effort auditing the impacts of this risk on their business. The Chartered IIA is alarmed by the gap between awareness and action taken on this rising risk and is urging boards to act now to mitigate the threat of further unforeseen major geopolitical disruption in the future.
Cybersecurity continues as the top business risk for the fifth year running, but the nature of cyberattacks is changing. Relatively novice hackers exploit today’s sophisticated ransomware-as-a-service market. ‘Killware assaults’, which threaten lives by targeting vital infrastructure, have dramatically increased. There is a concern that boards lack sufficient interest in or knowledge of these pressing threats. But cyber and data breaches impact the core of an organisation and can have a significant negative impact on a business’s reputation and long-term sustainability. Strong cyber policies must therefore be properly implemented.
Meanwhile, as the climate emergency threatens to snowball into the next big crisis, an increasing percentage of CAEs are also listing climate change as a top five risk. This is the fifth year in a row that this risk has risen in the rankings. Unless organisations prepare now for the impacts of climate change, extreme weather events such as the record-breaking temperatures experienced over the summer are likely to be the new norm in the future. This also includes major floods like the one seen in Pakistan recently and could result in even more devastating hurricanes, like Hurricane Ian, which has wreaked havoc across much of Florida.
With many organisations left with hard-to-fill gaps for key projects, human capital, diversity, and talent management is crucial, now more than ever. Businesses are facing significant challenges in attracting and retaining employees. Businesses must therefore prioritise ensuring fair pay settlements, address skill gaps by offering professional development and ensure better psychological support to staff, underpinned by a healthy corporate culture emanating from the right tone at the top.
The COVID-19 pandemic has accelerated the need for digital innovation for many organisations. However, an increase in salary demands and skyrocketing costs may prevent many organisations from implementing their digitalisation plans in 2023. Digital disruption, new technology, and AI are therefore expected to rank higher as an important area of internal audit effort by 2026.
So, what should boards be doing about these risks?
The Chartered IIA is advising boards to be proactive, to focus on systemic risks that create vulnerabilities in many parts of the organisation simultaneously, and to ensure that risk assessment and risk management efforts provide boards with clear oversight of such risks, not least because, if left unchecked, these risks can potentially have a big impact on a business’s bottom line.
Boards also need to check if their risk appetite is up to date in order to provide clarity during rapid strategic decision-making and ensure that governance, risk management and control efforts are coupled with strategic risks. For those that have an internal audit function, it is vital that boards, through the Audit Committee, work with the Chief Audit Executive to ensure that enough time is being spent on emerging strategic and systemic risk areas whilst providing them with the profile, authority and resources to properly support the organisation in achieving its strategic goals.
The message is clear: boards should not wait for a major risk to manifest as a crisis or for the organisation to be shaken before acting. Instead, business leaders, including NEDs, must get on the front foot in order to shield themselves from the ever-emerging risks and the uncertain times ahead.
The Chartered IIA’s ‘Risk in Focus 2023’ report and board briefing is available to download here.
Written by Mo Warsame, Senior Policy and External Affairs Executive, Chartered Institute of Internal Auditors