Should you – could you – devote more time to strategic risk?

When auditing operational risk is your bread and butter, and meets the demands of the board, and when time pressures are high and resources tight, auditing strategic risk might seem… risky.

But the need is clear.

Our fourth Governance and Risk Survey was published towards the end of January. As in previous years, the heads of internal audit who responded to our survey identified certain risks to their organisations, but told us that their teams are spending most of their time addressing other matters.

Economic uncertainty is a top-five risk for the employers of 46 per cent of our respondents. This increases as we look into the future, with 51 per cent putting it in their top five for five years’ time.

Regulatory change makes the top five for both the here and now, and the five-year forecast. Government economic policy and reputation also loom large in our future risks.

Yet the strategic space that this describes does not seem to be the space that internal audit is occupying. While we might expect significant convergence in the lists, the only top-five risk that reappears in the top five for internal audit teams’ time and effort is data security.

Of course, internal audit must attend to operational risks, but are we doing so to the exclusion of the strategic risks that we have identified? 

These "big picture" strategic risks pose a real danger for organisations – CEB put the chances of a risk failure leading to significant market decline at 86 per cent for strategic risks, against 9 per cent for operational risks (and yet they put the time spent by audit departments at 6 per cent and 42 per cent respectively).

So, as you are putting together your audit plans for this year, ask yourself: should you – could you – devote more time to strategic risk?

This article was first published in February 2017.