Boards, executive management and internal audit departments are misaligned over a series of critical risks, according to a recent report – OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk – by the global industry body the Institute of Internal Auditors (IIA). In particular, boards are overconfident that their organisations’ risk management capabilities are able to deal with a wide range of critical threats.

“For some risks, board member views on capability were dramatically higher than those of executive management or chief audit executives (CAEs),” said IIA president and chief executive officer Richard Chambers. “Taken together, these findings raise questions about how boards build their views on capability, and how this affects decisions that drive risk strategy.”

Information challenge

The report said that board members may be failing to critically assess the information that management provides, either because the information is too narrow, or because executive managers are failing to be transparent with the board about risks. The report concluded that the main cause of boards’ overconfidence was a breakdown in effective communication.

In fact, some respondents to the survey played down the potential impact of such misalignment on risk. Many respondents also said that there was a ‘healthy’ level of disconnect between CAEs, board members, and executive management when it came to risk.

“The level at which a healthy disconnection becomes an unhealthy one was not addressed, leaving a dangerously nebulous gap that, in itself, is a risk,” the report said.

Main findings

  • Boards are overconfident. Boards consistently rate the organisation’s capability to manage risks higher than executive management does, evidence of a critical misalignment between what executive management believes and what is communicated to the board.
  • Boards generally perceive higher levels of maturity in risk management practices. Board members’ perceptions of risk knowledge and capability place them ahead of executive management and CAEs relative to risk maturity, therefore making them more likely to believe those risks are better managed.
  • “Acceptable misalignment” on risk is a prevalent and dangerous mindset. A majority of respondents believe some misalignment on risk perception should be expected, with some viewing it as “healthy.” While misalignment around individual knowledge of a risk may be acceptable based on varying roles, misalignment on the perception of the organisation’s capability to manage a risk is a serious concern.
  • Some industries are lagging in adopting systematic approaches to risk. Healthcare, retail/wholesale, and public/municipal industries are lagging — sometimes significantly — in developing coordinated and consistent risk management processes.
  • Cybersecurity and data and new technology represent critical knowledge deficits. Low reported knowledge and high relevance of these risks suggest risk management players should prioritize building knowledge in these two key risk areas.
  • Data and new technology, data ethics, and sustainability risks are expected to grow in relevance. CAEs predict brisk growth in relevance for these three key risk areas in the next five years, identifying an opportunity for organisations to take a more proactive approach.
  • Talent management (and retention) are at the centre of future concerns. Respondents recognise the importance of good talent and how people drive the success of a business — particularly when it comes to data and IT skills. An important shift is underway from an insufficient availability of resources to an inability to attract and retain talent with business-critical skills.
