A new report from The Institute of Internal Auditors paints a mixed picture of risk management amid social upheaval, economic and political volatility, accelerating climate change, and uncertainty about COVID-19's lingering toxic spell. While risk managers appear to be better aligned than in prior years and attuned to the challenges they face in the coming year, they also are less than confident in their organization's ability to manage some key risks.

OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk offers six key observations based on in-depth interviews with the key players in organizations' risk management — board members, C-suite executives, and chief audit executives (CAEs). Chief among these observations is that gaps exist between the ratings that respondents assigned for the relevance of certain risks to their organizations and the sometimes significantly lower ratings assigned for their organization's capability to manage them. The Relevance-Capability gaps were widest for risks associated with Cybersecurity, Talent Management, Disruptive Innovation, Data Privacy, and Culture.

Respondents also identified five risks they expect to increase in relevance in the next three to five years: Cybersecurity, Talent Management, Disruptive Innovation, Culture, and Economic and Political Volatility. Each of these fall into risk areas identified as having large Relevance-Capability gaps. "This concurrence could be viewed as troubling — organizations have fallen far behind on their capabilities to manage future risks — or encouraging — risk players intuitively recognize capability weaknesses and understand they must act to correct them," according to the report.

"Each year, The IIA's OnRisk report uses its unique methodology to uncover important insights into how key players are aligned on managing risk, and this year is no different," said IIA President and CEO Anthony J. Pugliese. "All organizations must take seriously the troubling gaps between risk relevance and organizational capabilities identified in this year's report. The challenges created by the current risk landscape demand that boards, executive management, and internal audit work together to narrow those gaps."

Another observation from OnRisk concerns risk related to Environmental, Social, and Governance (ESG) reporting, also referred to as sustainability reporting. Accelerating climate change, robust social justice movements, growing interest from regulators, and increased investor activism for more sustainability reporting have positioned this risk category top of mind for risk management leaders.

This year's survey looked at each area as a separate risk (environmental, social, and governance), which led to a surprising observation. According to OnRisk, "Perceptions of risk relevance vary greatly across ESG components. While alignment among the three groups is relatively strong on these risks, Organizational Governance holds far greater relevance for respondents than do Social Sustainability and Environmental Sustainability."

Other observations from OnRisk 2022 include:

• The pandemic revealed opportunities to improve organizational risk management. COVID-19 may not have improved the ability to predict risks, but it increased confidence for many in reacting to risks. For others, it provided a wake-up call on how they manage risk and the added challenges associated with managing risk in decentralized or siloed conditions.
• Senior executives and boards desire broader scope for internal audit services. Respondents feel that their current assurance services are adequate but suggest some improvements in assurance reporting. This offers an opportunity to demonstrate the value of independent assurance across a wider spectrum of risks.

Now in its third year, the OnRisk report examines alignment among the three key players in risk management — boards, C-suite executives, and CAEs. The OnRisk approach is grounded in an innovative methodology that uniquely brings together their views based on personal knowledge, organizational capability, and risk relevance for the top risks examined in the report. The methodology employs qualitative interviews of 30 board members, 30 C-suite executives, and 30 CAEs from 90 different organizations. The research provides a robust look at risks facing organizations and allows for both objective data analysis and subjective insights based on responses from risk management leaders.

"Risk today has become very volatile and random. You see these things occurring globally in the news and there seems to be less correlation between the cause and effect." 
Board, Retail   
Source: OnRisk 2022