The top risks for organizations in 2021 and the impact of COVID-19

In November 2020, the Institute of Internal Auditors released its second annual OnRisk report, titled OnRisk: A Guide to Understanding, Aligning, and Optimizing Risk 2021 (Copyright © 2020 The Institute of Internal Auditors, Inc. All rights reserved.). The material for the report came from qualitative interviews with 30 board members, 30 C-suite executives, and 30 chief audit executives (CAEs) from 90 different organizations, as well a quantitative survey of CAEs, which drew 348 responses. 

The combination of qualitative and quantitative research provides robust data to examine the top risks facing organizations and allows for both objective data analysis and subjective insights from the three key risk management players.

The report identifies 11 risks that are most likely to affect organizations in 2021 and discusses alignment between boards, executive management and internal audit in connection with their views on the relevance of these risks, their personal knowledge of the risks and organizational capability to manage them. 

The top 11 risks for 2021 (not in any order of importance)

• Cybersecurity
• Third party
• Board Information
• Sustainability
• Disruptive Innovation
• Economic and Political Volatility
• Organizational Governance
• Data Governance
• Talent Management
• Culture
• Business Continuity and Crisis Management

These 11 risks should be relevant universally to all organizations. However, they do not cover all the significant risks that every organization faces. Depending on their specific circumstances, organizations may face other significant risks not included in the report.

Business Continuity/Crisis Management and Cybersecurity were the two most relevant risks among OnRisk 2021 respondents. Unprecedented challenges brought on by the COVID-19 pandemic as well as increased reliance on technology and data drove these two risks to the top of the list. They were often paired as cyber threats were heightened by the sudden relocation of employees to work-from-home environments as well as an intense shift to e-commerce, which was brought on by the pandemic response.

Alignment of the three key players’ views on risk relevance, capability and knowledge is a significant step toward achieving strong risk management in support of effective governance. On this aspect, alignment was lowest on risk relevance. While board members and CAEs were largely aligned on their perception of the relevance of risks included in OnRisk 2021, management relevance rankings were lower overall. The average relevance score for the 11 risks was 75% for boards, 74% for CAEs and only 57% for management. A top risk, Business Continuity and Crisis Management, was ranked as highly or extremely relevant by 87% of board members, 93% of CAEs and just 63% of C-suite members. There was also an especially large gap in the perception of Organizational Governance and Economic and Political Volatility. 

Alignment was stronger on the organizational capability to manage risk, with average ratings of 46%, 41% and 46% from boards, management and CAEs, respectively. This stronger alignment was likely driven by responses to COVID-19, which often included renewed risk assessments and more frequent communication and collaboration among risk management players.

Alignment on risk knowledge was also stronger, with average ratings of 52%, 47% and 44% from boards, management and CAEs, respectively. Board and C-suite respondents rate their level of personal knowledge lowest when it comes to cybersecurity—both at 23%. CAEs rate themselves significantly higher in knowledge about this risk at 43%. All three respondent groups were not particularly confident about organizational capability to manage cyber risks. On average, fewer than half of respondents (46%) rated their organizations as very or extremely capable.

The report provides alignment results for each of the 11 risks and suggests remedial actions for the three parties involved.

Covid-19’s Long-Term Impact

The report states that, “Beyond the obvious fallout from shuttering the global economy for extended periods, response to the pandemic contributed to generally improved alignment among risk management players on business continuity, risk management, and communications. The pandemic also exposed the strengths and weaknesses of how organizations manage disruption. However, COVID-19’s most influential long-term impact may be the marked acceleration of technology’s positive and negative effects on cybersecurity, talent management, economic and political volatility, and disruptive innovation.”

Suggested Use of the Report

Organizations should assess how the 11 risks affect them and use the results to ensure the adequacy of their risk response. In this endeavour, they should pay attention to the alignment of their board, management and internal audit on risk relevance, capability and knowledge. Organizations may also assess the roles of these players using the IIA’s recently published Three Lines Model to ensure their adequacy in achieving effective governance and strong risk management. 

About the author

Dung Tien Can, FCPA, FCA, is the auditor general at the STM. He has led the internal audit function at six well-known organizations and the risk management function at one of them. Besides participating in several Quebec CPA Order working groups, he was on the Board of The IIA’s Montréal Chapter, and on the Advisory Board of the Conference Board of Canada’s Strategic Risk Council. Dung Tien Can has a BBA from HEC Montréal and an MBA from McGill University. He is also a Quebec CPA Order Fellow.

Bibliography

• OnRisk: A Guide to Understanding, Aligning, and Optimizing Risk 2021, The Institute of Internal Auditors
• Three Lines Model, An update of the Three Lines of Defence, The Institute of Internal Auditors