control, and governance
control, and governance
A Look Ahead: Top Risks for 2010
Several key areas should be on all internal auditors’ watch lists for the coming year.
Todd Davies
Founder, Todd Davies & Associates
Technical & Policy Director, IIA-Australia
As the developed world pulls itself away from the abyss of the global financial crisis, many around the globe are breathing a sigh of relief. Having dodged a major bullet, organizations are now returning to business as usual. But if the crisis was a wake-up-call for the world, did business leaders and internal auditors pay attention or just hit the snooze alarm? What’s the next “black swan,” or significant unforeseen risk, and what should internal auditors be doing about it?
Surprisingly, there has been no wholesale view that the internal audit profession was culpable during the fallout of the economic crisis. But around the world regulators are turning their attention to auditing’s areas of interest and concluding that risk management processes missed the big picture. Foresight around strategic risk, structural breaks, and systemic risk, they say, was systematically absent. Accountabilities need to be put in place to make sure that risk management is exposing material risks rather than getting lost in the minutia. Moreover, organizations need independent assurance that risk management is functioning in this manner, and that assurance should be provided by internal auditors.
Since 2008, the CEOs of Australian listed companies have been required to report to the board of directors that their company’s material business risks have been fully understood and disclosed to the board in full. Moreover, they are required to attest that the status of those risks are reported accurately. Internal auditing is also expected to give an independent view on this reporting process and indicate whether the organization’s risk approach enables this, and the underlying risk framework, to be executed with appropriate rigor. Providing this view represents a new skill set for many internal auditors, and it sets a precedent that other countries are watching closely. The requirement also begs two key questions: Does internal auditing have any blind spots? And if so, what are they?
Top 10 Risks: A View From Opinion Leaders
After only two months into the year, it seems that every relevant industry group, pundit, or blogger has already released a study on the top 10 risks for 2010. These studies by various opinion leaders help identify some of the blind spots internal auditors may face. Depending on the study, the authors might be stock market analysts (the people who were telling investors to buy shares just before the market went off the cliff), CEOs (the people who drove the companies off the cliff), and other “experts” (people advising the CEOs at the time). Because each group has its own blind spots, these reports collectively provide a more comprehensive view. And if it helps internal auditors avoid driving off a cliff or two, then it’s an exercise well worth doing.
What’s particularly interesting is the different skews that arise in each of the reports and approaches. The Corporate Executive Board (CEB’s) 2010 study of CEOs and senior executives top 10 risks for 2010 has a strong inward and reactive flavor, focusing on the adaptive capacity of the organization, particularly in dealing with the ramifications of downsizing during the global economic crisis. The study also highlights vulnerabilities that came to light during the crisis, such as third-party dependencies and fraud.
Ernst & Young’s Annual Global Risk study draws on the analyst community and presents a more holistic view, identifying changes in consumer attitudes and business model redundancy, as well as some of the issues raised in the CEB’s top 10 risks. And like the CEB research, this study tends to be lagging rather than leading in some respects. For example, the research highlights the risks of global financial shocks and the credit crunch as they were already unfolding, rather than signaling them well in advance.
The most useful study comes from the World Economic Forum. Its 2010 Global Risks report highlights risks of a potential systemic asset price collapse, global dependencies from economic growth in China, impacts of ecological degradation, redundancy as a result of job transfers to the developing world, and the inability of global governance to keep up with an interconnected global financial and regulatory system. Based on the CEB and Ernst & Young reports, many of these issues don’t appear to be showing up in mainstream corporate thinking, representing a risk to all organizations.
Risks to Watch Closely
Given all of the disparate and complex information on current risks, distilling it down to a short list is very difficult. Nonetheless five key themes stand out, each representing an important area for internal auditors to watch:
| Theme | Potential Risk Impacts | What to Look for |
| 1. Significant changes in the supply and demand for energy, combined with a global price on carbon emissions. |
Potential price spikes of energy in all forms. Reliability of existing energy supply and infrastructure. Phasing out of carbon-intensive energy sources. |
How dependent is the organization on different energy sources? What contingencies are in place if different energy sources are disrupted? And are these reliable if everyone else is also disrupted? What is the impact of a sustained increase of 100%–200% in the cost of energy? Are operations and business practices still viable? |
| 2. Redistribution — the developed world atrophies while the developing world grows rapidly. |
Aging workforce, stalling economic growth, and increasing health-care costs in developed countries. Young workforce and rapid growth in emerging economies. |
What are the organization's dependencies on traditional sources of revenue growth? What new competition sources are emerging? What will be the impacts of supply chain redistribution internationally? Are existing locations viable? What risks specific to emerging markets need to be factored into normal business operations? |
| 3. Population pressure on limited resources causes resources to be used more quickly than they can be replenished on a global basis. | Structural shift in supply/demand balance leading to increased competition for water, soft commodities, and hard commodities. |
Will the organization withstand a significant change in the price of key inputs? Is the organization able to become less resource intensive? Are the organization’s corporate social responsibility obligations understood? How will resource constraints shape consumer behaviors? Do the organization’s demand projections take these pressures into account? |
| 4. Structural currency rebalancing. | East/West balance changes globally, leading to permanent changes in exchange rates and the role of key currencies. |
What is the "balance of trade" within the organization? What materials are sourced and sold domestically and internationally? How will the organization be affected if a new standard takes over from the U.S. dollar? |
| 5. Climate change. |
Increased frequency and severity of weather events. Previously viable locations require changes to be viable, or they become unviable. |
Are the potential impacts of climate change understood? Have these impacts been analyzed by business unit and by site? |
Each of these five areas is significant by itself, but the risks gain even greater complexity if all are emerging at once, particularly when governments, corporations, and individuals change their policy and personal settings in response.
A Trusted Voice
Organizations have a strong tendency to “repave the cow path” — that is, operating in an incremental manner rather than anticipating and responding to structural shifts. Although internal auditing is not meant to function as a crystal ball, it does play a key part in ensuring the organization has an appropriate basis for risk foresight and, if not, ensuring that one is put in place.
Any organization that was blindsided by the global economic crisis or that has not considered some of the issues highlighted by leading authorities most likely has an inadequate risk framework and faces high potential for value destruction. As regulators are well aware, foresight around strategic risk, structural breaks, and systemic risk was systematically absent during the crisis, and there’s every indication that the snooze alarm has been hit. When the next structural breaks occur, will internal auditors be culpable, or will they be seen as a trusted voice that helped the organization prepare for success in the face of change? This question should receive serious consideration from any audit practitioner interested in the viability of the profession and the clients it serves.
To comment on this article, e-mail the author at todd.davies@theiia.org.
Author comment
Thanks for all of the comments. This is a difficult area, and one that I've always struggled to tackle within word count limits. 12 months later I thought it prudent to reflect back and see how we went and acknowledge some of the feedback above. This article can be found here for those who are interested. http://www.todddavies.com.au/2011/01/26/a-look-back-top-10-risks-for-2010/
Posted By: Todd Davies
2011-01-26 5:26 PM
A brief note from the author
My apologies for not checking in sooner, I didn't realise that this article was open for comment or that comments had been made. I received a reader inquiry today asking 'So can u please tell me what should be the answers to the questions in "What to look for" section.' My response was that some answers would be immediately apparent and some may require engaging specialist expertise. The intent of my article wasn't to be a futurist, but to point out some significant risks as I see them, mainly in the strategic risk class which are often overlooked due to a short term focus on the here and now. There are three standard responses I normally get when talking or writing on this topic: 1. These risks are not here and now, and I've got bigger things to deal with in the near term, so please don't waste my time 2. I don't believe these risks are going to manifest during my tenure, so they're not my problem 3. You're right, there are some blind spots, and thanks for pointing it out so I can find out more. Now invariably on these risks our timing is always going to be a bit off as are many in my reference group on emerging strategic risks. These risks by their very nature tend to move from impossible to possible and probable on your risk matrix over time and with increasing consequence. It is worth looking back to see how the top 5 themes list fared 12 months later with the benefit of hindsight. Here's a few thoughts. 1. Energy prices. Forecasters are saying we're still 12 months away from $100/barrel, but today world leaders are leaning on OPEC to increase supply to try and postpone the rise. Coal prices are increasing. Governments are strategically positioning around energy security as they understand the consequences to be catastrophic. 2. Industrialised world atrophies while the emerging economies grow. There are clear signs of this. Have a look at the Europe vs China story. 3. Population pressures and constraints on commodities. Notice that the resource companies are the ones driving economic growth in the developed world over the past 12 months? Seen what's happening with food prices lately? 4. Structural currency rebalancing? I'm pretty glad I advised my clients to get out of certain currencies, the consequences would have been more than material and in some cases catastrophic leading to a crisis of confidence in management and the board. 5. Climate change. Sure, I'll agree, not a risk in itself, but on three of the 6 boards and audit and risk committees I sit on, it's a key driver which those organisations will struggle to deal with. I guess all of this raises a philosophical question about who should be responsible for keeping an eye on strategic risk. In my experience the board and independent risk committee tends to do okay at it, but management is very much immersed in delivering this year's plan. The results can be devastating. We've seen those. Either way, if internal audit is to provide assurance over the risk frameworks and risk reporting of organisations as the IIA is calling for then, we need to have an eye on the horizon, including matters like this. I hope this has stimulated debate, including people who don't agree with me, and if it has, then this has been very worthwhile. __ Note: I am no longer on staff with the IIA and these represent my personal views.
Posted By: Todd Davies
2011-01-26 2:37 AM
Risks to Watch Closely
The risks highlighted aren't necessarily those that pose the greatest risk to the business environment in the short and medium term. That said, I will not rule out the opinion that they indeed require close, continuous monitoring, with clear concise reporting on their actual and likely potential impact on the achievement of business goals and objectives. I am also of the opinion that the identified themes constitute risk classifications that are too broad and as a result require much more detailed risk analysis than has been presented.
Posted By: Mark Otonglo
2010-05-17 5:07 AM
Climate change
I believe climate change is 2015 risk and in 2010 it is not change.See fact of world economy in 2008 and 2009 to believe this case
Posted By: Gholamhossein davani
2010-05-01 12:50 PM
top risks 2010
This is a listing of few ''common issues don’t appear to be showing up in mainstream corporate thinking''. Uniqueness of each organisation in terms of its mission and vision generates specific risks. A ''generalisation'' and identification of key risks will be purely hypothetical.
Posted By: suresh kumar manicketh
2010-04-17 9:23 PM
Top Risks for 2010
I believe that the 5 areas highlighted above are very relevant no matter where we are located around the world... Dont you feel that organisations are still exposed to risk arising from the recent financial crisis?
Posted By: Youveraj Nathoo
2010-03-31 3:21 AM
risks for 2010
I am more than a little skeptical that the biggest risks facing companies in 2010 are things like 'climate change', 'population pressure on resources', and 'energy price change', at least as a result of the phasing out of carbon. This article sounds more like a political agenda than a serious auditing paper. Lets focus on some of the real risks facing companies-- actual cases and the threat of cyber espionage, financial regulation and oversight burden and the rapidly changing rules landscape; and the risk of altered international relations with key trading partners.
Posted By: Robert Mullan
2010-03-15 11:31 AM
Top 10 Risks
Fantastic
Posted By: Jaime Humberto Leal Guajardo
2010-03-11 10:59 AM
Top Risks of 2010
Climate Change, top risk for 2010... Really ?
Posted By: K Andreatta
2010-03-11 10:36 AM
It is very helpful , since the the modern internal audit become risk-focussed
Posted By: Mutaz
2010-03-07 8:01 AM
Good staff.
Posted By: Mulenga Kambikambi
2010-02-24 6:29 AM
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.
To make something bold:
<strong>Text to bold</strong>
To make something italic:
<em>Text to italicize</em>
To make a hyperlink:
<a href="URL">Text to link</a>
