Large-scale interconnected risk events are becoming systemic, according to a survey of chief audit executives. Organisations must regard crisis as the new normality and update their risk frameworks accordingly.

In fact, that traditional crisis management teams are ill-equipped to deal with non-stop emergencies. In particular, events such as the pandemic, climate change and the war in Ukraine show that the effects of such events can jump unpredictably through an enterprise.

Organisations need to implement better enterprise-wide risk management. That is because boards and executives must make rapid decision with often scant information. “An up-to-date risk appetite can provide greater clarity to rapid strategic decision-making in times of crisis,” the report by the European Confederation of Institutes of Internal Auditing said.

Out with the old

One consequence of these events has been to make siloed risk taxonomies obsolete. “Instead of thinking about what individual risks might arise over the next year or two,
chief audit executives need to be thinking over the coming decade,” the report said. “And be thinking big.”

In supply chains, for example, the report said that risk mitigation plans often fail to consider global demand for the same pieces of equipment at the same time. For example, protective medical equipment quickly ran out during the pandemic as hospitals struggled to keep staff safe. Organisations must focus on credible worst-case scenarios and plan for them.

Upcoming risks

The report ranks the top three risks this year as cybersecurity and data security, human capital and macroeconomic risk and geopolitical uncertainty. But in addition to macroeconomic and geopolitical risk, the threats businesses are struggling to get on top of include climate change and human capital and talent management.

With so many large-scale risks, it could prove difficult to keep longer-running projects such as digitalisation on track, the report warned.

Working across lines

A key finding for risk managers was that the first, second and third lines of defence must work more closely together. “Internal auditors must seek to work in co-ordination with first and second lines – especially legal, compliance and risk management,” the report said.

Just as organisations have thought of their risks as siloed, sometimes the response to those risks have been piecemeal. In addition, risk professionals across the business must learn to work together to avoid risks slipping between the cracks, or duplication of effort.

Read Risk in focus 2023, European Confederation of Institutes of Internal Auditing