An insight into the new contradictions that risk management approaches need to accommodate.
Hurricanes, terrorism, technology change, hacking, supply chain disruption… being resilient is a lot tougher than it used to be. We need a new mindset – in the business and in internal audit – to keep things safe, argues Rohitesh Dhawan.
VUCA – volatility, uncertainty, complexity, ambiguity – might be a decade or two old as an idea, but the acronym is more apt than ever in describing today’s world. “What has changed is the approach businesses now need to handle VUCA”, says Rohitesh Dhawan, Global Lead for Brexit & Geopolitics at KPMG.
“The old mindset sees things as calculable, ‘analysable’. But that analysis seems to come up with the wrong answers so often now – on Trump or Brexit, for example.”
Can an orthodox, legal or procedural approach to business resilience offer real protection against risk? Will a tick box exercise put in place the rapid response required if areas like reputation or supply chain – more vital than ever – are threatened?
It sits with internal audit (IA) in particular to ask the right questions – using new mental models of what threatens resilience.
For Dhawan, it’s vital that we acknowledge the emergence of four fundamental contradictions to help change the way business manages risk:
“Debating these new contradictions is a good way to start developing internal conversations about aspects of VUCA that ought to be on risk registers, but aren’t right now.”
The upshot is this: if you manage risk or report on business resilience, you now need to consider even outlier scenarios.
“We’re seeing major corporations put in place outline plans to leave South Korea within days, given the risk of a war on the peninsula,” says Dhawan.
This isn’t paranoia or scaremongering. It’s about developing a mindset in IA that recognises harsh realities – no matter how unpalatable or unthinkable they are.
“That’s also why IA needs to be hyper-alert about confirmation bias,” Dhawan adds. “Even in a world of big data and analytics, it’s too easy to select evidence that confirms existing world-views – personal or corporate. Smart boards and audit committees are seeking different outlooks to guard against group-think. It can make decisions harder work – but it’s vital.”
Empathy – using all mental faculties to see the full nature or context of a problem – is essential. Managers, strategists, auditors and leaders must go beyond just checking policies, and immerse themselves in other people’s thinking to become more alive to the full variety of threats to resilience.
That extends to getting into the minds of leaders in other businesses and other sectors – not just because industries are converging, but also to discover alternative risk sensitivities.
“This is a moment of truth for IA,” Dhawan says. “If IA helps the business shift mind-set, it can become indispensable as leaders wake up to the sheer variety of challenges. But if it’s just static risk registers being ticked off to satisfy obvious threats – then you’re on the road to irrelevance.”
For 2018, then, here are three resilience projects for IA:
Ultimately, business resilience today depends on people with open minds asking the right questions and accepting a range of possible outcomes in a highly unpredictable world. And any organisation that wakes up to this fact will treat internal audit as a brilliant tool to shape and contextualise those questions to protect the business effectively.
“IA has to be a little cunning to get those messages out to NEDs and even management,” Dhawan concludes. “This isn’t a call for IA to do a whole raft of extra things. But it does have to be creative. How about getting guest speakers for the next audit committee event who can help redefine thinking about risk? Bring in audit professionals with new skills and experiences from other businesses. Even just the anecdotes that come with someone from an entirely different background can have a big impact with decision-makers.”