Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un document de la firme Thomson Reuters (White Paper) très intéressant sur le rôle de l’audit interne dans l’identification des risques émergents.
Key elements of emerging risks
Reinsurance company Swiss Re defines emerging risks as “newly developing or changing risks which are difficult to quantify and which may have a major impact on the organisation.” This identifies their key elements.
Emerging risks may be entirely new, such as those posed by social media or technological innovation. Or they may come from existing risks that evolve or escalate – for example, the way counterparty credit risk or liquidity risk sky-rocketed during the 2008 financial crisis.
Newly developing risks lack precedent or history, and their precise form may not be immediately clear, which makes them difficult to measure or model. Changing risks are at least familiar in their shape and nature, although the rate of transformation and intensity can make them hard to quantify.
The final key element of emerging risks is their potential impact. New or changing risks can be as menacing as those the organisation deals with on a daily basis, and sometimes even more so. To give just one example, the way in which the music business failed to address the implications of digital downloads allowed a complete outsider, the computer company Apple, to step in and define and dominate the new market.
Emerging risks also threaten through their apparent remoteness or their obscurity. US Secretary of State Donald Rumsfeld distinguished between things we know we do not know (‘known unknowns’), and things we do not know we do not know (‘unknown unknowns’). In the first category are risks whose shape might be familiar, but where we do not necessarily understand all of their elements – causes, potential impact, probability or timing. Unknown unknowns are events that are so out of left field or seemingly farfetchedthat it takes great insight or a leap of the imagination to even articulate them. These include the ‘black swan’ events highlighted by the investor-philosopher Nassim Nicholas Taleb, where the human tendency is to dismiss them as improbable beforehand, then rationalise them after they occur. The 9/11 terrorist attack, or the financial crash of 2008, or the invention of the internet show that not only do black swan events happen, but they do so more frequently than is generally recognised, and they have an historically significant impact (and not always negative).
Many emerging risks are characterised by their global nature, their scale or their longer-term horizon – climate change is an example that displays all of these elements. In other cases, it is less the individual events themselves, some of which may be relatively moderate or manageable on their own, as the conflation of circumstances that creates a ‘perfect storm’.
Vous pouvez aussi consulter l’enquête de Thomson Reuters Accelus Survey on Internal Audit dont nous avons parlé dans notre billet du 7 juin.
As strategic opportunities emerge, internal auditors also are adjusting to new compliance duties, according to the survey. Globalization has resulted in increased revenue from emerging markets for many companies, so new regulatory, cultural, tax, and talent risks are emerging.
Internal audit will play a more prominent role in evaluating these risks, according to the survey report. Although slightly more than one-fourth (27%) of respondents are heavily involved in identifying, assessing, and monitoring emerging risks now, 54% expect to be heavily involved in the next two years.
The biggest primary risks that respondents said their organizations are tracking are:
- Economic stability (54%).
- Cybersecurity (52%).
- Major shifts in technology (48%).
- Strategic transactions in global locations (44%).
- Data privacy regulations (39%).
Survey respondents said the skills most often found to be lacking in internal audit functions are:
- Data analytics;
- Business strategy;
- Deep industry experience;
- Risk management; and
- Fraud prevention and detection.
“As corporate leaders demand a greater measure of strategy and insight from their internal audit functions, CAEs will need to move quickly to close competency gaps and ensure that they have the right people in the right place, at the right time.” Schwartz said. “If they fail to meet organizational expectations, they risk being left behind or consigned to more transactional compliance activities.”
* En reprise
Articles récents sur l’audit interne :
Keeping Internal Auditors Up to the Challenge (forbes.com)
Internal Audit Has To STOP Focusing On Internal Controls (business2community.com)
Changement important dans la relation auditeur externe/interne | Financial Reporting Council (FRC) (jacquesgrisegouvernance.com)
Useful Internal Auditing in 4 Easy Steps (isocertificationaustralia.com)
Thomson Reuters Develops Accelus Governance, Risk and Compliance Platform (risk-technology.typepad.com)