Directors of corporate boards are overly confident about their organizations’ ability to cope with major risks, according to a new
The report found a significant misalignment between how executive management views an organization’s capability to manage risks and what is communicated to boards. Many board members believe risks are better managed than they really are, and some misalignment is to be expected, according to a survey by the IIA of board members, management and internal auditors.
Several industries in particular are lagging in adopting a systematic approach to risk management, including health care, retail and wholesale, along with the public and municipal sector. Among the 11 key risks discussed in the report, cybersecurity, data management and new technology are especially susceptible to critical knowledge deficits.
“We took those 11 risks and we asked boards, management and internal auditors about how capable the organization is in addressing those risks,” said IIA president and CEO Richard Chambers. “The board had a more favorable view of how the company was going to be able to address every single one of those risks. The people who are there every day — management with their sleeves rolled up tackling these risks — had a less optimistic view of how prepared the company was to deal with them than the board. The boards have an absolute and consistent level of overconfidence in the way risks can be managed.”
The biggest disparity is in the perception of how much information the board believes it is getting from management. “The one that’s rated the highest of all of them is board information,” said Chambers. “They absolutely think they don’t have much risk around board information relative to other risks, and yet boards aren’t getting good information. They’re not getting the kind of information that guides management in addressing the risks to the organization. That inevitably leads to surprises. The board is surprised when some big debacle occurs, and they’re all looking around asking, ‘What happened? We thought we had a better handle on this.’”
Climate change is an area that many board members and management executives are overlooking as they focus on short-term financial results. “I would say that a lot of those risks — like sustainability risk and environmental, social and governance risk — are still not front and center on the radar because a lot of companies are taking a very short-term view of performance,” said Chambers. “If you think about how management’s performance is often assessed, and how they are rewarded, it’s often for short-term performance. There are exceptions, but it isn’t typically about whether the company is going to be positioned for success in 10 years, when management and the board are often gone onto their next big adventure. That’s one of the big challenges that I think Corporate America faces, that there isn’t a very long-term view of success in performance. But I would also hasten to add that isn’t entirely the fault of management and the boards because they’re responding to shareholder expectations, and we live in times of instant gratification. I think in many instances shareholders become impatient if they don’t see strong growth right now, so the boards and management are trying to be responsive to that. It does present risk, and the risks aren’t being fully recognized. Those ESG risks — the sustainability ones — are low on the spectrum.”
Internal auditors need to call attention to these neglected risks. “I think that the internal auditors are in a unique position to bridge some of the gap that this report indicates,” said Chambers. “It is internal audit’s responsibility to speak up, to make sure that if there are gaps based on either intentional or unintentional information flow within the organization, the head of internal audit has a responsibility to make sure that the board is aware of their perspectives. The internal auditor too often will not speak up and contradict management, and that’s got to change. The internal auditors have got to be willing to say to the board that management’s assessment is here and ours is here, and let the board make its own judgment. But if all the board hears is the same story, that this is a risk and we’ve got it under control, then I would tell you that they’re going to be surprised.”
The report also highlights some of the emerging risks that internal auditors anticipate will become more relevant in the next decade. Data management and collection, new technology, data ethics and sustainability risks are expected to grow in relevance in the next five years. “Those are likely to be front and center for the profession and Corporate America in the next decade,” said Chambers. “We’re starting to talk and think a lot about what the 2020s may mean for internal audit.”