Making Proactive Strategic Changes to Address Risk

Anand Bhakta


February 18, 2021

The COVID-19 pandemic has changed the way organizations operate, introducing a host of business risks. To better understand this dynamic risk environment, AuditBoard surveyed more than 2,000 attendees at our recent virtual conference about the risks they will face in 2021. Respondents felt that three major risks will require the bulk of their attention moving forward: economic threats impacting [business] growth, cybersecurity threats, and business continuity and crisis response. Organizations that take proactive measures now to address these risks will give themselves a better chance to succeed as we continue to navigate the pandemic.

Major Risks Have Ripple Effects on Businesses 

Unsurprisingly, economic threats impacting growth was the number one risk on most respondents' minds. Business leaders outside of the sample group echoed this concern, with CEOs of major companies expecting financial hardships to continue through the end of 2021 and beyond. Recessions squeeze everyone's margins, impact demand, and make it tough to hire and retain employees. The current economic landscape has led to bankruptcies, contractions, and layoffs.

In uncertain economic conditions, it is challenging to maintain business continuity and respond to disruptions, including the current global health crisis. The pandemic has disrupted everything from how workforces are organized to supply chains and demand for products and services. It is challenging to keep a business running smoothly when any semblance of traditional continuity feels nonexistent. Businesses must change the ways they interact with partners, employees, and with customers. But making operational changes to maintain business continuity gives way to a new, dynamic set of risks. 

For example, many businesses have implemented long-term work-from-home policies. To address this change, companies are embracing hybrid clouds and leaning on collaboration software. Reliance on third-party vendors and distributed workforces accessing corporate networks introduces additional cybersecurity risk

Mitigating economic stagnation and obstacles to business continuity, such as increased cybersecurity threats, requires more than check-the-box assessments. To truly fortify a business for 2021, leaders must make the following strategic changes:

Make ERM a Core Part of Business Operations

To best address an uncertain economic climate, leaders can make audit and enterprise risk management (ERM) a core part of business operations and decision making. For example, Gartner has stated that organizations with an ERM function are "more likely to see risks coming and then mitigate the impact of those emerging risks more swiftly and effectively." Deloitte recommended that internal audit teams have "early engagement" with other stakeholders to address incoming risks.

Now is the time for internal audit departments to rise to the occasion and earn a seat at the table by playing a more critical role in helping the business strengthen and mature its ERM practices. The goal for internal audit teams is to build a robust risk management program that not only helps the organization identify key risks to its strategies and objectives, but also does so with the purpose of integrating risk into business strategy. ERM practices should:

  • Increase organizational focus on strategic risks
  • Develop key risk indicators to proactively monitor key risks on a more frequent basis
  • Enhancing the quality, availability and timeliness of risk data
  • Identify and manage new and emerging risks through more frequent risk assessments

Improving upon these areas involves engaging the C-Suite and board in ERM discussions, unifying risk management across siloed audit, risk, and compliance groups, and investing in technology solutions and training.

Increase Communication to Thwart Cyberattacks

To address rising cybersecurity risk, organizations must fortify cybersecurity safeguards. In addition to performing risk assessments more frequently, internal audit can coordinate with IT and the CISO to develop or evolve a more robust plan to mitigate the risk of breaches. In addition, leaders should encourage frequent communication with employees and among teams regarding cyberrisk. Clear, frequent coordination between audit, information security leaders, and executive leadership is necessary for a united front stressing cybersecurity vigilance.  

Learn from the Past and Adjust

As business conditions continue to fluctuate, it is important to continually reassess key risks to the business, and adjust strategy accordingly. The top priority for audit, risk management, and compliance teams is to define and support business continuity efforts and to focus on the continuity of their own teams’ processes. Critical steps to reevaluating business continuity strategy may include: 

  • Reevaluating technology
  • Assessing and reassessing business priorities (through Sarbanes-Oxley Act materiality assessment, SOX and ERM risk assessments, for example)
  • Staying up to speed with the impacts of the crisis to a business' respective industry and best practices being employed by industry peers
  • Ensuring audit and compliance testing programs are as efficient as possible

Audit and risk professionals believe that the year to come will be more challenging than usual, and businesses that adjust their risk-management strategies appropriately stand a better chance of overcoming the obstacles in their path. Success will be predicated on how well organizations center audit functions as the catalyst for risk mitigation moving forward. Following this blueprint can help organizations better position themselves to withstand the blow of the pandemic and future disruptions.

Anand Bhakta is senior director of risk solutions at AuditBoard.