The 5 Cs That Should Be Keeping Boards (and Auditors) Awake at Night
Richard F. Chambers, CIA, CRMA, CFE, CGAP, May 26, 2019
I travelled to South Africa earlier this month to speak at an Institute of Directors (IOD) event in Johannesburg. In addition to interacting with seasoned corporate governance leaders from this important country, I was lucky enough to learn a bit more about the long history of diamond mining in South Africa.
The Eureka Diamond, the first diamond found in South Africa in 1867, created a massive disruption in the diamond trade. Its discovery along the Orange River — its pre-cut weight was an impressive 21.25 carats — revolutionized the industry. Within 10 years of the diamond's discovery, South Africa became the center of the industry and global diamond production increased tenfold.
South Africa's diamond mining history serves as a vivid example that disruption is, and always has been, part and parcel of business. Today, disruption is often linked with technology, but the reality is that disruption is anything that creates massive and rapid change. In my remarks at the IOD event, I noted that the speed of disruption onset, or what I call change velocity, is a significant risk for all organizations today.
Another disruption in the diamond industry was the campaign by the Gemological Institute of America to standardize quality ratings for diamonds in the early 1940s. Today's familiar 4 Cs of diamond rating — cut, clarity, color, and carat — were simple but revolutionary at the time they were introduced.
In addressing the corporate governance professionals in South Africa, I noted that the question I dread most in the wake of a high-profile corporate failure is: "Where were the internal auditors?" I also noted a companion question: "Where was the board?" It is the next source of such debacles on which we should all be keenly focused. In keeping with the 4 Cs of diamond ratings, I offered the 5 Cs that should be keeping boards and internal auditors awake at night as we round the curve in the middle of 2019.
Change Velocity. The velocity of change is a direct contributor to the speed of risk. It is influenced by many things, including technology, geopolitics, and natural disasters. All players in the risk-management process should be keenly aware of how rapidly a significant disruption can emerge and impact the organization. The risk here is as much about the organization's ability to cope with the unexpected as the disruption itself, which leads me to the second C on the list, crisis management.
Crisis Management. How an organization survives a crisis is directly tied to how it plans for one. It is therefore essential to have a vigilant internal audit function with a proactive vision of crisis management. This starts with providing assurance that disaster-preparedness plans are in place and are flexible enough to handle sudden upheaval, but robust and detailed enough to give sufficient guidance. When a crisis occurs, internal audit must actively provide assurance on how crisis-management plans are executed.
As with change velocity, organizations must identify and look for the early warning signs of developing crises. Equally important is for internal audit to help position the organization to look for the silver lining in the clouds, by helping to identify the fleeting moments when crisis can be turned to opportunity.
Cybersecurity. In little more than a decade, cybersecurity has grown from an obscure IT issue to one that dominates the risk landscape of nearly every organization. The potential for financial, reputational, and increasingly regulatory damage seems to grow exponentially each year. Indeed, in just the past five years, risk management involving cybersecurity has evolved from preventing cyberattacks to responding to the inevitable cyber breach, to protecting data, to complying with increasingly stringent data-privacy laws and regulations. Along the way, the potential for reputational harm has grown as a weary public once numbed by the sheer volume of data breaches has awakened to demand accountability.
Compliance. Regulatory compliance is listed among the top five risks of virtually every survey of C-suites and boards. Cybersecurity has spawned a new genre of compliance risk for organizations as regulations, such as Europe's General Data Protection Regulation and the California Consumer Privacy Act, demand protection of customer data. This added layer of compliance risk only promises to become more complex and demanding as other countries and territories adopt laws designed to protect customer data. I have written in the past that the arc of the regulatory pendulum tends to swing wider in times of crisis. This is one of those times.
Culture. Culture is one of the most overlooked yet substantial risks, because it plays a significant role in so many other risks. An organization's culture influences every aspect of risk management, from efforts to stop simple phishing attacks to the organization's overall ability to collect, manage, leverage, and protect data.
Internal audit must become more comfortable and skillful about auditing culture, but it also must educate stakeholders about its pervasive impact throughout the risk portfolio.
The 5 Cs of risk that should be keeping us all awake are inevitably interconnected. Just as change velocity impacts and dictates crisis management, so does culture influence cybersecurity and compliance. Boards must remain on high alert regarding these risks, and internal audit must educate stakeholders on this complex web of related risks and be prepared to provide assurance and insight to help the organization navigate them.