Before addressing potential risks that could matter to an organization in the coming 6 to 12 months, we should first emphasize that, in the end, it is always the professional judgment of board committees, executive management and the assurance functions (i.e. the 2nd and 3rd lines of defense) that defines what should be considered key and what should not.
This article observes common trends regarding the perception of key risks. However, each organization has its own specific priorities, organizational culture, governance maturity, etc.
Secondly, the term “emerging risks” should be understood as circumstances:
- that are developing (or already existing),
- which could have a significant impact on the business and the organization,
- that could result in material losses (i.e. damages, fatalities, shortfalls, etc.),
- that are difficult to identify, assess or track,
- that, due to the high level of uncertainty, are ambiguous and vague regarding the underlying information and therefore lack transparency.
Thus, while emerging risks are difficult to identify, they are even more demanding to assess, which makes it all the more challenging for an Internal Audit (IA) function to effectively address them as part of its assurance mandate.
While we have come up with some examples of emerging risks which we observe in practice, this outline should be treated as food for thought and not considered as a complete or exhaustive list. Naturally, the individual circumstances of an organization may provide a completely different picture regarding the risk situation.
Also, our outline focuses on emerging risks that could arise from the lockdown/extended home-office regime, with a relatively short-term focus. For long-term risks, i.e. those that will affect organizations over the coming 12-24 months, and for a general assessment of relevant topics and risks for the year 2021, a good reference is the current KPMG publication "Internal Audit: Key Risk Areas 2021", which addresses topics such as business resilience, talent management, third party management, CSR, digitalization or data management.
The list below shows the potential risks and the possible tasks that may arise for IA. We structured the list according to the following categories:
- Finance & Reporting
- Governance
- Performance and Process Excellence
- Information Technology