Business Continuity and Cybersecurity Lead Risks in a COVID-Disrupted Year

Unprecedented challenges brought by the COVID-19 pandemic as well as expanding reliance on technology and data collection are driving business continuity/crisis management and cybersecurity as top-rated risks, according to a new report from The Institute of Internal Auditors (IIA). OnRisk: A Guide to Understanding, Aligning, and Optimizing Risk 2021 offers a unique and insightful examination of the interactions and views from those who most directly involved in risk management – boards, executive management and internal audit.

The OnRisk 2021 report presents The IIA’s groundbreaking approach of collecting stakeholder perspectives on risk and risk management in support of good governance and achieving organizational success. The combination of quantitative and qualitative research provides a robust look at 11 top risks facing organizations and allows for both objective data analysis and subjective insights based on responses from risk management leaders. Business continuity/crisis management and cybersecurity were the two most relevant risks among OnRisk 2021 respondents, which reflects 2020’s unique context.

The pandemic’s existential threat to organizations combined with the extreme measures taken to cope with the deadly virus created new cyber vulnerabilities. For example, the newly ubiquitous work-from-home environment introduced the monumental task of enforcing cyber-safety protocols for entire offsite workforces. The perceived relevance and urgency of cyber-related risks was heightened further by changes to operations, mitigating the vulnerabilities of popular communications software, managing customer and vendor relationships strictly online, and internal audit’s inability to perform on-site visits.

Close to 9 in 10 (87%) board members ranked business continuity/crisis management as highly or extremely relevant, while 93% of CAEs rated it as highly or extremely relevant. However, far fewer members of the C-suite identified it as such, with just 6 in 10 (63%) describing it as highly or extremely relevant. Board and C-suites respondents rate their level of personal knowledge lowest when it comes to cybersecurity. This may reflect continued uncertainty about a risk that is constantly evolving via technological advancement and related disruptive innovation.

“The COVID-19 pandemic has accelerated the intensity of risk to unprecedented levels, not just around public health, but in the very survivability of organizations and institutions. Risk assessments done early in the year, and even after the first cases of COVID-19 started to appear, were obsolete within days and weeks. This report is intended to help organizations confront such challenges – not only during a crisis, but to avoid one – through effective alignment of their three essential risk-management players: the board, management, and internal audit,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA.

Among other key observations from the OnRisk 2021 report:

• Two risks offer priorities for organizational improvement. All respondents rated disruptive innovation and talent management as among the most relevant risks. Yet, C-suite respondents ranked their personal knowledge and the organization’s capabilities related to these risks as among the lowest.
• Management perceptions on risk relevance are generally not aligned with boards and CAEs. Board members and CAEs were largely aligned on their perception of the relevance of risks included in OnRisk 2021. However, management relevance rankings were lower overall with an especially large gap in the perception of governance and economic and political volatility. The C-suite assigned higher relevance to operational risks such as talent management, culture, and business continuity.
• Perceptions on capability to manage risks are more aligned. This year, responses were more tightly clustered in ranking organizational ability to manage risk. The board overconfidence noted in last year’s report appears to have eased. Responses to COVID-19, which focused in part on renewed risk assessments and more frequent communication and collaboration among risk management players, likely drove stronger alignment on organizational strengths and weaknesses.

“Although many unknowns remain as we navigate through another wave in this pandemic, we must not be shortsighted,” Chambers said. “The organizations that will persevere and even thrive are looking at the broader risk landscape to prepare for and effectively address the challenges – as well as the opportunities – that lie ahead. OnRisk 2021 reveals shortfalls and gains in capabilities and understanding of risks with actionable recommendations for closing any gaps.”

OnRisk 2021 is similar to the ECIIA Risk in Focus 2021 report. OnRisk also provides insight into the alignment of risks between boards of directors, management and internal audit.

Read the full OnRisk 2021 report.

Read Richard Chambers' blog about the OnRisk 2021 report

Read the Risk in Focus 2021 report