Nearly every news report these days starts with a rundown of the current numbers of those infected with the coronavirus and the tragic number of deaths that have resulted from the outbreak. As of this writing, those figures stand at more than 72,000 cases of the virus, also known as covid-19, and nearly 2,000 deaths, although numbers are certain to rise in the coming weeks.
In addition to the many lives that have been affected or lost, the outbreak has had a big impact on the global economy, causing supply chain disruptions; shutting down factories; grounding flights; rerouting or halting cargo and cruise ships; and causing closures of offices, retail outlets, and casinos.
Data company Dun & Bradstreet says an estimated 5 million companies rely on suppliers in China where the virus originated—from Apple, whose supplier Foxconn postponed the reopening of its Shenzhen factory, to food companies Kraft Heinz and PepsiCo, which have closed some of their Chinese factories. This week, Apple issued a statement warning that it would miss revenue and earnings targets directly due to the epidemic.
The coronavirus is just the latest example of how quickly a risk can materialize and significantly impact businesses. And how costly that impact can be. The Centers for Disease Control and Prevention estimated the global cost of the similar SARS outbreak in 2003 at $40 billion, and already most economists expect the cost of the coronavirus to be much higher. Yet, at this time last month, most Americans had never heard of the illness.
The Speed of Risk
While the coronavirus is an extreme case of a quickly emerging risk that can have significant effects on companies around the globe—forcing quick reactions in everything from company policies, to sourcing and planned internal audits—it’s hardly the only one. Here are some other risk events that developed rapidly, catching unprepared organizations by surprise.
- In 2018, wildfires in California emerged quickly, with 58,000 wildfires burning 8.8 million acres and causing an estimated $400 billion in damage. The California utility Pacific Gas & Electric filed for bankruptcy after facing $30 billion in fire-related liability costs due to the fires. More recently, wildfires in Brazil and Australia erupted, causing massive disruption to people and organizations in those countries.
- Most organizations weren’t aware of ransomware computer attacks until the WannaCry attack hit in May 2017. The worldwide cryptoworm cyberattack targeted thousands of computers and devices, encrypting victims’ data and demanding bitcoin payments to untraceable accounts to unlock that data. Cyber-risk-modeling firm Cyence estimates the economic losses from the cyberattack at as much as $4 billion.
- In 2016, voters in the United Kingdom shocked the world when they elected to leave the European Union. Brexit, as it has come to be known, was just realized last month and will have a significant impact on organizations in the UK, the EU, and around the world. Although the economic impact Brexit will have on the United Kingdom and other countries is debatable, many organizations, such as the World Trade Organization, suggest the impact will be negative and many companies have had to rethink supply chains and markets in light of Brexit.
These may be “black swan” events, but often such emerging risk events stem from larger risk trends that have been developing for some time. Many climate scientists, for example, predicted an increase in wildfires would result from global warming. And certainly the rise of ransomware attacks is just the latest iteration of the long cybersecurity battles that hackers have been waging for decades. Even Brexit can be traced, at least in part, to trends toward increased nationalism and changing views about the European Union that have been percolating for years.
Internal Audit Agility
While it’s not easy for internal audit to stay on top of these trends and emerging risks—and there will always be events that catch business off guard—it must do a better job of looking for them on the horizon and remaining flexible so it can react to risk events more quickly. As Richard Chambers, president of the Institute of Internal Auditors, preaches in his book, The Speed of Risk: Lessons Learned on the Audit Trail, internal audit must take a more continuous approach to risk assessment. He says audit plans and coverage should constantly evolve as new, potential risks arise. “Internal auditors working from risk-based annual plans developed before March are increasingly finding themselves addressing yesterday's challenges,” he wrote in an article on the topic.
He’s right. The annual risk assessment and resulting audit plan simply must be replaced with more of a rolling and continuous process. Sure, there may be some audits that can be planned and scheduled on an annual basis, but there must be room in the audit plan for changing scenarios. A more agile internal audit function that can shift focus as risks evolve and organizational needs change isn’t just the internal audit function of the future; it’s what is needed now.
Chambers provides some advice for keeping on top of the evolving risk landscape: “Set your antenna as high as possible to detect industry-wide changes, economic trends, and other external factors. Industry publications, seminars, and professional association meetings can be valuable sources for acquiring crucial intelligence that might impact your risk assessment,” he writes. Indeed, boards and senior executives are looking for more help on identifying and understanding emerging risks, according to a survey by the IIA.
The Risks Lists
Another good resource for keeping on top of developing and emerging risks is research from leading consulting firms and advisory groups. For example, Protiviti’s report, Executive Perspectives on Top Risks 2020, provides a great run-down of the top risks that executives, including CEOs, CFOs, and chief audit executives, are concerned about.
According to the survey, conducted along with North Carolina State University, business leaders contend that economic uncertainty and unknown future regulatory changes could impact their ability to effectively compete, grow their businesses, and achieve operational targets in 2020 and beyond.
Survey respondents were asked to rate 30 macroeconomic, strategic and operational risks. Of those, the top 10 risks identified are as follows:
- Regulatory changes and scrutiny may impact operational resilience and production and delivery of products and services
- Economic conditions may significantly restrict growth opportunities
- Succession challenges and ability to attract and retain top talent may be more difficult
- Limited operational resilience of legacy IT infrastructure and digital capabilities may restrict the organization’s ability to compete with “born digital” players
- Resistance to change may restrict organizational agility
- Preparedness to manage cyber threats may be insufficient
- Ensuring privacy and identity management and information security and system protection may be challenging
- Company culture may not empower timely identification and escalation of risk issues
- Sustaining customer loyalty and retention may be increasingly difficult
- Adoption of AI-enabled technologies may require new skills that are either in short supply or require significant upskilling and reskilling of existing employees
“Nearly half of the top risks this year are related to culture and attracting and retaining top talent. This is happening at a time when organizations need to execute increasingly complex strategies to navigate the rapidly changing digitally-based business environment,” said Jim DeLoach, a Protiviti managing director and co-author of the report. “As the future of work evolves, businesses need to upskill and reskill existing employees—particularly as digital innovations, such as artificial intelligence, natural language processing, and robotics become a mainstay in organizations—to ensure they remain competitive with ‘born digital’ companies and are future-proofed for the next decade.”
While several of the risks remain consistent with findings from previous years, including concerns around regulation, cyber threats, operational resilience, privacy management and information security, this year’s results show an escalation of anxiety related to overall economic issues across domestic and international markets, climbing from number 11 last year to the number two risk concern for 2020.
Another list that provides insights on emerging risks comes from management consulting firm Oliver Wyman and also flags economic issues and trade disputes among the top concerns. The Global Risks Report forecasts a year of increased domestic and international divisions with the added risk of economic slowdown. Indeed, 78 percent of survey respondents said they expect “economic confrontations” and “domestic political polarization” to rise in 2020. Environmental disruption also figures prominently on the list of top risks. Global experts see the risk of extreme heat waves and destruction of natural ecosystems increasing, as well as a rise in cyber-attacks targeting operations and infrastructure and data theft.
The top ten risks expected to increase this year, according to the Global Risks Report, are:
- Economic confrontations and economic friction between major powers
- Domestic political polarization
- Extreme heat waves
- Destruction of natural ecosystems
- Cyber-attacks: Disruption of operations and infrastructure
- Protectionism regarding trade and investment
- Populist and nativist agendas
- Cyber-attacks: Theft of data or money
- Recession in a major economy
- Uncontrolled wildfires
While these lists hardly provide a comprehensive look at the emerging risks that are likely to impact organizations this year and beyond—and every organization faces its own set of circumstances and concerns—they do offer some thinking on what those involved in the risk management function should be looking for and thinking about.
Internal audit leaders simply can’t afford to not keep their eyes on the horizon for developing and emerging risks, such as the coronavirus and others, that can materialize so quickly.