Auditors navigate a state of 'permacrisis'

Richard Chambers is seeing a never-ending series of crises confronting internal auditors and posing risks to their organizations.

A former chairman of the Institute of Internal Auditors, Chambers currently chairs the UNICEF Audit Advisory Committee and is senior advisor of risk and audit at the audit technology company AuditBoard. His fourth book, "Connected Risk: Conquering the Perilous Risk Exposure Gap," was published last month.

"The premise behind the book, and it's something I've been talking about now for the better part of the last three years, is that it's almost like when the 2020s dawned," he told Accounting Today. "The switch was flipped in terms of risk, volatility and risk velocity."


With a consequential election approaching, potential risks are top of mind for many voters. "Risks became much more volatile and unpredictable, and the speed with which they emerged became almost unfathomable," said Chambers. "We've lurched from the pandemic to supply chain disruption to macroeconomic turbulence, to wars in Europe, wars in the Middle East. All of this has the combined effect of really challenging even the best risk managers out there, and the idea that risk managers can do their thing off in their silo."

The election will bring its own set of risks. "Each party has clearly staked out its position on fiscal policies, tax policies and so forth," said Chambers. "There's a lot of uncertainty there as to which way it's going to go, so you've kind of got to manage the risks in both directions. You've just got to be prepared for the uncertainty that lies ahead."

Internal auditors, risk managers and compliance professionals can no longer operate separately. "We are dealing with almost an existential threat to a lot of companies and a lot of industries," said Chambers. "We've seen a lot of companies and industries be decimated in the last five years. What I've tried to do with the book is to offer a path forward. It's in some ways a call to action that says, you know you can't manage risks like you've traditionally managed them in the era of 'permacrisis.'"

He sees it as a permanent state of crisis where everyone needs to get involved. "It's all hands on deck," said Chambers. "You've got to have the risk managers, the internal auditors, the compliance team, the information security professionals, everybody's got to be on the same page. And there's got to be a lot more collaboration, cooperation and communication to help companies manage the risks."

Chambers experienced his own crisis in 2022 when his home in Florida was badly damaged by Hurricane Ian. He was only able to move back in this past June. 

Cybersecurity and artificial intelligence open up a new set of challenges. "If I were to talk about the top-of-mind risks in 2025, there's a whole range of IT risks: cybersecurity, data security risks, increasingly AI," said Chambers. "AI presents extraordinary opportunities, but it also is laced with some really significant risks. That's going to become even more acute as we see more and more regulations put in place, legislation and regulations coming from governments to try and tie down how AI is used, to make sure it's not misused."

In addition, there is economic uncertainty around inflation, while recruiting is still a problem for many companies. "We're still not out of the woods on talent management, the ability to recruit and retain the talent a company needs or an organization needs, has been in the top five for almost the whole decade so far," said Chambers. 

Internal auditors will be hard pressed to deal with all of these uncertainties. Chambers sees a "risk exposure gap" in the number of risks that are being presented to a limited number of auditors. "We've seen the risk continue to mount, but we have not seen a real increase in the resources to tackle those risks," he said. "Internal audit resources have been stagnant at best. I personally think they've been in a modest decline for the last two or three years because they haven't been keeping pace with inflation. You are seeing a lot of infusion of resources into risk management or into compliance."

One way to offset some of the risk exposure gap is through better collaboration among various risk management professionals, along with more investment in up-to-date technology. "If everybody's still trying to track risks and manage risks using spreadsheets, that's really not going to be very effective in the volatile environment we're living in," said Chambers.

He wants to see more collaboration among internal auditors, risk managers, compliance professionals and information security personnel. "I often encourage the internal auditors to be the leaders in this collaboration movement," said Chambers. "Start working more closely with the risk managers in your organization and with the compliance teams, in making sure that when you all get in front of the board or in front of the executive management, that you have a pretty good understanding of what the others are doing, that you have hopefully been able to align on what the true risk profile is of your company. There's nothing that frustrates a board more than having two or three different folks come in and tell them that there are different risks that the company's facing. I've had audit committee chairmen say we just throw them out and tell them to come back when they can find some common ground. There's too much ambiguity out there anyway, and if a board has ambiguity in terms of their different key players coming in and telling them that the company's facing different risks, it really leads to frustration. The key here is there's no one player that has to be the one to take the lead. But if somebody's going to take the lead and get everyone on the same page with risk management, I think internal audit's a prime candidate."

He sees the various risks multiplying now. "I've been in the profession for 50 years," said Chambers. "Next year will be my 50th year since I joined internal audit right out of college, and I've never seen a period as volatile as these last five years. We have been averaging as many risk disruptive events per year as we used to see in a decade. The time has come for action and the key risk management players — the risk managers, internal auditors, compliance, infosec — the ball is in their court. If companies are going to navigate the second half of this decade with any degree of success, these players have to come together and be a part of it." 
