Risk Forecast: What the years ahead could bring for Canadian business

By Richard Arthurs

Partner, National Leader – Internal Audit

As COVID-19 recedes as a top business concern, it's time to focus on what lies ahead. The next challenge is always closer than we think. By embracing the reality of risks, you can prepare your organization and steel yourself against challenges.

[insights]

  • Digital technologies bring great opportunity, but organizations need to critically assess their cybersecurity readiness and internal capabilities.

  • Organizations are using third-party relationships because they can deliver efficiencies. Leaders need to evaluate contracts to ensure their vendors are doing what's needed to reduce risk.

  • Workforce challenges are here to stay. Organizations need to make plans for the long-term, determine what roles are vital, and investigate opportunities to upskill existing team members.

A global pandemic. Political polarization and unrest. Extreme weather. Global demands for greater transparency, accountability, and sustainability.

On a long enough timeline, the probability of any crisis is infinite. But four generationally significant events in the span of two years certainly is not.

No one could have predicted the events of recent years — and nobody knows for sure what curveballs the fates will throw in the years ahead. The following insights seek to explore some possibilities based on the explosion of risk wrought by the pandemic, advancements in technology, changing attitudes, and pervasive uncertainty about what happens next.

A common refrain of many leaders over the past year has been to never let a good crisis go to waste. There’s much to learn from extreme events: warnings to heed, mistakes to avoid, and opportunities to improve.

Whether it’s the following trends that come to fruition, or something else, one thing is certain: nothing can be judged in isolation, and the future will only grow more complex, dynamic, and unpredictable. However, through the lens of opportunity, you can add value to your organization by understanding how to manage through the associated risks.

The post-pandemic transition could be a haven for hackers, outside and inside your organization 

Hackers love extreme situations and change. People tend to become distracted and stop watching for unusual activity. Organizational leaders will often divert resources from core functions (e.g., security and monitoring) toward the crisis at hand. This can quickly create risk exposure in an otherwise well-controlled cyber security posture.

As the pandemic shifts into a new phase, it’s important to recognize we’ve merely crossed the threshold from one period of intensive change to another. The disruptive and dynamic nature of the situation remains high — and, in many respects, this next shift may prove to bring even greater change.

Organizations welcoming employees back to the office need to assume past disciplines around locking devices, protecting passwords, printing documents, and discussing sensitive matters may not be top of mind. There will also be resourcing challenges for those embracing a hybrid/permanent remote model moving forward. Along with a more complex security environment to manage, plans must also weigh the human factors involved with team members who are disengaged or who choose to become hackers. This may lead to insider cyber security and privacy risk being one of your greatest risk exposures.

Questions to ask – what's the opportunity? 

  • Has your organization re-assessed its inside and outside cyber risks as part of return-to-the-office planning?
  • What additional resources and capabilities will security teams need to manage the increased workload of a hybrid workforce?
  • Has your organization updated its policies and training modules to effectively prepare team members to better understand changing cyber risks? 

Managing the growing reliance on third-party relationships, and the related risks 

The rise of cloud capabilities and software as a service (SaaS) offerings has revolutionized the technology landscape. Organizations of all sizes can now get a perpetually updated version of their enterprise software, spread the cost of that software over an annual subscription, and access it from anywhere in the world. Economies of scale also mean many cloud service providers supply much more robust cyber security controls than most organizations could afford on their own. But that peace of mind comes at a cost.

With a growing number of SaaS and cloud services, organizations are now vulnerable to any number of their vendors getting breached. Any one of those attacks could trigger the same breach reporting requirements, result in the same loss of sensitive private or proprietary information, and cause the same legal and reputational consequences as if the organization itself were breached. It’s also possible the attacker could use a vendor breach to gain backdoor access to any of its clients. 

The pandemic precipitated a flood of digital transformations as organizations looked to adapt to new business models and a remote working reality. Given the urgency of these changes, it’s likely many of these newly relied-on vendors were engaged without a thorough third-party risk assessment or contracts that specify who is accountable for these risks, such as a breach. This must be a priority for leadership teams and chief information officers heading into 2022/2023.

Questions to ask – what's the opportunity? 

Are you effectively assessing the risk of reliance on third parties? You need to continuously evolve the way you audit third-party relationships. There are different approaches for vendors offering a one-time service versus those your organization places a material reliance on long-term to meet targets and strategy. Both can be audited using data analytics, and both offer an opportunity to mitigate risk by effectively designing contracts upfront. However, the greater the reliance on the vendor or the materiality of their work, the more in-depth the risk assessment should be.

Risks and opportunities with maturing digital technologies 

Digital transformation has been underway for decades, from the introduction of the first desktop computers, Internet, and email, to today’s increasingly sophisticated analytics, cloud, and machine learning tools. Many organizations have accepted continuous technology change as a matter of course. But not everyone has been so quick to replace obsolescent controls and policies, or to update training programs to match new technology skill requirements and risk exposures.

Innovative technologies don’t merely make work easier or more efficient — they’re redefining the very nature of certain jobs. Roles that didn’t exist 5 or 10 years ago are now integral to many organizations’ current and future success. There have been many newly created job descriptions, but many new responsibilities have simply been tacked onto legacy job descriptions without regard to the unique challenges, complexities, or risk exposures that go hand in hand with them.

In a world of constant technological change, leadership should step back and completely re-evaluate the organizational design and related roles, policies, procedures, and systems of controls as if designing the company from scratch to optimize strategic success.

Questions to ask – what's the opportunity? 

  • Have you assessed the risk of internal resources not having sufficient capability or training to use new and changing digital technology to achieve planned benefits to the organization?
  • Has the level of change management been assessed in your organization, in relation to digital transformation?
  • Has your leadership team assessed all policies, procedures, control documentation, and training that may no longer be accurate or usable due to digital transformation and changes made? 

The war for talent – consider your future needs 

Organizations are constantly trying to recruit technically savvy resources and new graduates if possible. Unfortunately, many new graduates do not have all the skills required and those who do are often already employed.

Throughout the pandemic, businesses invested heavily in digital transformations to survive and thrive in a completely novel environment. There is no backtracking on these changes. More likely, the pace of technological change will only continue to accelerate as the potential future benefits become clearer and capabilities more accessible. Demand for skilled workers who are both capable of leveraging current technologies and have the vision to understand what’s ahead is far outpacing the talent currently available to fill these roles.  

This may not be a short-lived challenge, either. Even post-secondary institutions, which have long been bastions of innovation and progress, are struggling to keep pace with growing automation, digitization, artificial intelligence, and machine learning capabilities. Assuming things were to change right now, it would be several years before new graduates emerge with the most sought-after skills and technical knowledge.

The onus will be on organizations to upskill their workforce as new capabilities and opportunities become available. Some larger organizations are already experimenting with their own mini universities to provide the ongoing training, skills, and structure employees need to succeed in their role and re-invent themselves professionally. 

Beyond the sheer cost, however, there are also questions around how to balance work and academics while preserving productivity. Also, organizations need to consider the risk of investing in someone’s education only for them to leave for a competitor or to pursue a completely different career path if the need for lifelong learning becomes too overwhelming.

Questions to ask – what's the opportunity? 

  • Have you evaluated the average time it is taking you to fill critical roles in your organization?
  • Is it increasingly challenging to find anyone for some critical roles and, if yes, what risk does this pose to your organization?
  • What skills and capabilities will your team need to evaluate and advise on risk in the years ahead? Are those currently in high demand? Do the skills and capabilities even exist?
  • How will you recruit, develop, and retain that talent before your competitors do? 

The big resignation among millennials and retiring baby boomers 

As organizations across Canada welcome workers back to the office, many labour experts expect we may also be on the cusp of the largest mass resignation of all time. Pandemic-related fears, months of remote work, and significant changes to job descriptions over the past two years have been overwhelming and given employees a lot to think about. Many of those in their 20s and 30s are seeing this latest paradigm shift as an opportunity to reset, start fresh, and move on to a different employer, a different industry, or different profession altogether. 

The timing and potential magnitude of these exits couldn’t be worse. Canadian businesses are already experiencing an unprecedented volume of turnover as baby boomers increasingly age out of the workforce — and that too may be about to accelerate. The youngest baby boomers are roughly 55 years old — the age where older professionals who successfully navigated the pandemic are now questioning whether the nine-to-five lifestyle is worth sacrificing time with loved ones and pursuing long-neglected life goals. For many, the answer could be no.

With millennials and baby boomers the most likely to leave, organizations face a troublesome prospect: The younger end of that spectrum possesses the very skills and insights needed to navigate technological change. The elder workforce will include key executives, board members, and decades' worth of institutional memory. If it comes to fruition, this brain drain could deplete precious human capital; increase costs to recruit, onboard, and retain new talent; and destabilize hard-won cultures.

Questions to ask – what's the opportunity? 

  • Has your organization factored retirements, resignations, and turnover into its human capital and resource risk assessments?
  • How have employee engagement and satisfaction surveys throughout the pandemic influenced these analyses?
  • What steps is the organization taking to scenario plan and prepare?