What are the long-term risk trends business leaders should be thinking about?

By Richard Arthurs, FCPA, FCMA, MBA, CFE, CIA, CRM+A, QIAL Partner, National Leader - Internal Audit
Mariesa Fett, CPA, CA, ABCP, CRMA, ICD.D National Enterprise Risk Services Leader and Post-Secondary Education Lead
The next challenge for business leaders is never far away. Prepare yourself with this forward-looking article, which features insights from across MNP.
- Technology is set to disrupt unsuspecting industries. Meet with your management team to think about change that could be driven by emerging tech.
- The flipside to technology is cybersecurity and risk. Evaluate your current practices and explore your vulnerabilities to avoid being impacted.
- Environmental, Social, and Governance issues are on the horizon. Looming standards will create new responsibilities for businesses and it's important to stay informed.
After two full years of COVID-19 dominating the global risk cycle, Canadian organizations finally started to see a light at the end of the tunnel. But the celebratory atmosphere has been short-lived, with several new and ongoing challenges casting a shadow over those silver linings. We surveyed practice leaders across our firm about the risks and opportunities they’re most concerned about heading into a new era — and specifically what internal audit should focus on.
Among the top priorities were:
- Impacts of looming environmental, social, and governance (ESG) reporting standards
- Omnipresent cyber security threats, and the growing challenge of third-party risk
- Issues with realizing the value of digital transformation, and how to keep pace with the accelerating speed of innovation
Read on to see how these risks could impact your business and what you can do to navigate potential challenges.
Getting ahead of digital acceleration and disruption
Technology has become a double-edged sword for organizations looking to cut costs, streamline operations, and build a competitive advantage. While many are rightfully focused on what’s next, there’s also danger in overcommitting to innovation — especially without the right foundations in place to support it.
Leveraging technology to achieve organizational and commercial strategy
Artificial intelligence, machine learning, and predictive analytics capabilities continue to become more practical and affordable for businesses of all industries. This is creating new opportunities for smaller and mid-sized enterprises, but also introducing new risks.
What the experts are saying
Emerging tools come with the promise of reduced costs and increased efficiency. They can also be a force multiplier for further innovation. Organizations that are slow to pick up on the potential of emerging technologies will therefore have a difficult time keeping pace with digitally driven competitors.
The benefits of being an early adopter span everything from talent attraction and retention to improving line of sight into emerging trends and business opportunities. Businesses need to understand the relationship between their digital, organizational, and commercial strategies, and the interdependencies between them.
What internal audit should ask
- What digital technologies will have the greatest impact on your industry and how can the organization harness them to build a competitive advantage?
- What are the barriers to new technology adoption in the organization and how can we overcome these?
- Does the organization have the available human capital and expertise to adopt and effectively deploy emerging technologies?
- What strategic initiatives would benefit most from emerging technologies and how can the organization leverage these to build market share?
- How do you understand the value of adopting these technologies and ensure the anticipated benefits are measured and will be realized?
Facing attacks from all directions: future cyber and privacy risk
Cyber and privacy risks are perennial concerns for organizations of all sizes and industries — and that ubiquity is what makes them so dangerous. Just as the fish doesn’t know it’s surrounded by a sea of water, how do leaders avoid becoming habituated to the threats all around?
Shifting attention to insider risk
Cyber risk is commonly thought of as something that comes from outside of the organization, which can lead organizations to ignore the very real threats that exist within their perimeter defences. However, insider threats can often do far more damage with a fraction of the effort.
What the experts are saying
Insider risks include intentional and unintentional behaviours: an individual responding to a phishing attack, poor cyber defences within an external cloud service or a network-connected software product or device, or malicious actions by an employee or external contractor.
Organizations should pay close attention to any employees, contractors, devices, or systems that have access to key IT infrastructure and information. Almost every organization has increased their reliance on third parties over the past five years. This has significantly increased the number of insiders, and therefore the number of opportunities for a breach to occur.
What internal audit should ask
- What assurances have third-party vendors provided on the efficacy of their cyber security policies and practices?
- What steps has the organization taken to minimize third-party risk (e.g., risk assessments, background checks, vendor agreements with risk mitigation terms, segmented networks)?
- Who has access to critical systems and data and how often does the organization review privileges?
- Does the organization conduct background checks on individuals and third parties before granting access to critical systems?
- Does the organization independently audit new software and physical systems for physical and cyber security vulnerabilities?
- How are access rights assigned and removed for employees and contractors?
- What training is available on cyber risks and how to report suspicious behaviour?
The evolving shape of cybercrime and managing the risks of self-disruption
Cybercriminals are constantly evolving their tactics and exploiting new opportunities. This risk is amplified by the number of digital, structural, and operational changes most organizations have undertaken in recent years — and it might increase as even more organizations experience the great resignation and retirement trend.
Boards and leaders need to recognize they will always be on the back foot — especially as attackers continue to find new and innovative ways to be successful with ransomware and other tactics of choice. But there are steps they can take to avoid falling too far behind.
What the experts are saying
Complacency is the most dangerous mindset organizations can have when it comes to cyber security. Resilience is not a “set it and forget it” kind of thing. Even well-established types of attacks are constantly appearing in new and unexpected ways — often with surprising levels of success. Sometimes it might even be an insider leading it.
New IT infrastructure, remote versus in-office work, and excessive employee turnover can further erode preparedness and increase the likelihood that a cyber attack will both succeed and go undetected. And there may already be a large volume of information about the organization’s vulnerabilities and login credentials circulating on the dark web.
Training, threat assessments, and penetration testing need to be ongoing. These need to factor in the latest available thinking about how the organization and cyber threats are evolving — and how threats could infect the network and impact the organization at large.
Utilizing new advanced services such as Dark Web Scanning may reveal what the hackers are saying about a company and what vulnerabilities might exist.
What internal audit should ask
- Is cyber resilience monitored at the board level and is security a regular agenda topic in board discussions?
- Are there formal policies for ongoing employee cyber security training and regularly updating modules to include emerging breach tactics?
- Does the organization have a formal policy about how to report suspicious activity (e.g., phishing emails) or a cyber incident (e.g., clicking on a suspicious link)?
- Does the organization have an incident response plan? How often is this plan practiced? How often does this plan get updated?
- Has the organization established a cyber security program that adequately mitigates both current and evolving cybersecurity threats?
- How have new technologies, practices, and business models changed the organization’s overall cyber risk exposure?
- Have you ever utilized Dark Web Scanning to learn what the hackers are saying about your organization?
Getting the balance right on environmental, social, and governance (ESG) targets
Goodbye greenwashing (making it look better than reality) and greenwishing (hoping things improve) — 2023 will begin a new era of transparency, policy, and sustainability accounting. New standards and expectations will present opportunities for some, and significant challenges for many.
Building a strategic roadmap by knowing your current and optimal future state
Rapidly evolving stakeholder expectations around ESG are increasing the pressure on organizations to react. Many will find it difficult to attract financing and customers in the years to come if they cannot produce a clear understanding of their current state, a vision for where they need to go, or how they will get there.
What the experts are saying
The conversation around ESG progressed considerably over the past two years, and some organizations have made it more of a priority than others. However, the pace of change will continue to accelerate — advantaging those organizations that understand what steps they must take to quantify the ESG factors that have a material impact on their business, and how to improve on them.
At the very minimum, organizations should conduct an environmental scan and use this information to prioritize initiatives that will take them toward a future state desired by investors, customers, employees, and business leaders.
The largest emitters are realizing how complex, costly, and time-consuming reaching net zero will be, and there will be discoveries along the way that create both opportunity and risk. Reversing what took decades to invent and build may itself take decades of sustained effort.
What internal audit should ask
- How does ESG fit into the organization’s strategic priorities?
- What steps has the organization taken to understand and assess its current ESG priorities and associated metrics that are material to the business?
- Who are the organization’s key ESG stakeholders and what are their expectations around reporting and the organization’s roadmap to improving ESG adoption?
- What risks does the organization face by not prioritizing compliance with ESG and associated disclosure standards?
- What ESG-specific assurance services are going to be required to meet the needs of stakeholders?
Time to revisit your resilience?
Back to the office doesn’t necessarily mean back to normal. MNP’s Business Resilience team offers a wide range of services to help you assess your emergency planning and preparedness. Learn more about what we do, and how we can deliver the agility and confidence you need in an uncertain world.