Local Authority Internal Audit Virtual Forum

21 September 2022


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute's welcome

Good afternoon, everybody. I am John Wood, CEO at the Chartered IIA UK and Ireland, at the Institute.

The topic for today is ‘Risk in Focus 2023’. In 2022, organisations were hit by a perfect storm of high impact, interlocking risks that have thrown businesses into a permanent state of crisis. Following hard on the heels of the pandemic, the war in Ukraine has intensified supply chain failures, caused a spike in energy prices and fuelled inflation. 

Now a state of crisis is the new normality. Many organisations have not just had to rewrite their risk registers, but to tear up outdated risk taxonomies that favour old-style siloed thinking. Sudden, systemic organisation-wide risks with contagious, unpredictable ramifications throughout the enterprise are no longer seen as Black Swan events - but as interlocking elements of a continuous storm.

This year, the report explores five thematic risks – geopolitical uncertainty, climate change, organisational culture, cyber and data risk, and digitalisation and artificial intelligence. It outlines those challenges in detail, and offers practical advice and know-how about how to help organisations adjust to this new reality.

There are few obvious, easy answers to these problems. But internal auditors are uniquely placed to play their part in developing long-term solutions that have a real impact on organisations and the communities they serve. They need to secure from the board the resources and remit to tackle the most pressing risks with urgency.

If there was ever a time for the profession to step up and deliver on its full potential, it is now.

I am joined today by:  

  • Piyush Fatania, Chair for today and a member of the Institute’s Council
  • Liz Sandwith, Chief Professional Practices Adviser for the Chartered IIA UK and Ireland

Chair's opening comments

Thank you and good afternoon everyone.

Unsurprisingly, cybersecurity held on to the top place in the Risk in Focus 2023 survey as the number one business risk that is being faced by organisations. Second is human capital risk which has moved up from last year, followed unsurprisingly again by geopolitical risk which is in third position. The shortage of skills and labour which we all recognise is something that has become more acute as perhaps working habits that were picked up during the COVID lockdowns continue to persist and play out.

Pertinent risks which arose during the pandemic such as those around business continuity, liquidity and insolvency risk faded a little in 2022, but were only replaced by the issue of the war in Ukraine, which has helped to push geopolitical risk and the agenda around that much higher. Rapid changes to the sanctions regimes for Russian businesses, as well as developments in regulation over a wide range of issues, meant that changes in laws and regulations are still seen as a major threat.

Again, unsurprisingly, climate change is becoming a more persistent theme in the Risk in Focus surveys. It's risen this year to 6th place, which some of us may imagine needs to be higher. It was eighth last time round, but it is going to become a much more important area and a key area for internal audit activity, as the respondents to the survey expect that risk to rise further.

Organisational governance and corporate reporting, on the other hand, held its position as the second biggest area that received internal audit’s attention and how well internal audit departments continue to align their efforts to the needs of our organisations. That is going to become a more pressing issue as these large scale, global, interconnected risks continue to rise with great speed in the years to come.

Let’s hear from our speaker today Gavin Hayes who is Head of Policy and External Affairs at the Chartered IIA UK and Ireland.


Key takeaways

The Risk in Focus 2023 report, Board Briefing and Slides from the session are attached. Notes below are supplementary.

Gavin Hayes, Head of Policy and External Affairs, Chartered IIA UK and Ireland

  • The big movers and shakers in this year’s Risk in Focus include human capital and talent management, geopolitical uncertainty, climate change and supply chains, all of which are clearly rising up the risk agenda.
  • However, the most dynamic emerging risk this year is geopolitical risk, and this is the one to watch. Geopolitical risk is likely to remain a top risk and could grow in prominence if there are further geopolitical upsets. In terms of geopolitical risks, we need to be mindful of other potential upsets on the horizon, such as growing tensions between the West and China – a reminder that geopolitical risk doesn’t sit in a silo but exacerbates and intensifies a number of other risks.
  • Cyber security once again dominates the top spot. 8 in 10 cited this as a top five risk and this reflects the rapidly weaponised cyber-attack landscape that we're now seeing. Recent research which was based on Freedom of Information requests suggests that UK local authorities experience 10,000 attempted cyber-attacks every day, really underlining the importance of this risk area.
  • Over half now regard human capital and talent management as a top five risk and this reflects the severe recruitment and retention challenges that are facing many organisations. Looking down the track, human capital is likely to remain in the number 2 spot, but climate change is likely to continue to ascend the risk agenda in the next three years with digital disruption likely to increase in severity. In terms of human capital, areas internal audit could consider include evaluating whether the organisation's human resources strategies are aligned with its vision and mission, as well as assessing how well the social purpose of the business and its culture is embedded.
  • Fewer people cited digital disruption this year as the aftermath of the pandemic and war in Ukraine pushed this down the agenda, although this is likely to be short-lived.
  • Climate change has risen up the risk rankings for five years in a row, which is no surprise after the record-breaking temperatures experienced this summer.
  • Are you spending too much time in your comfort zone on traditional audit areas at the expense of emerging strategic risks? Macroeconomic and geopolitical risk is a case in point in that this year it's been voted the third biggest risk, yet once again, it's the risk where internal audit is spending the least time and effort auditing.
  • Internal auditors can help by assessing how far management has considered the organisation's impact on the environment and the environment's impact on the business, assess the reliability of the organisation's climate related KPIs, and assess the robustness of the controls and risk management processes associated with climate goals and risks.
  • Respondents believed that digital disruption will be the second biggest risk in terms of time and effort spent on it. Soaring inflation, the spike in energy cost, pressure on employers to increase pay packets, and a looming recession could mean that digital transformation projects get put on hold. Businesses with digital innovation cultures tend to outpace their competitors and help deliver greater levels of growth.

Chair's closing comments

There was such a useful amount in the Q&As which resonated with me because on the surface, we could look at the report and say, this has a very private sector feel to it and we are a local authority forum. If I asked my section 151 officers what their top five risks were, I don't know if geopolitical risk would be on there. I would suggest it would be things like, funding for demand-led services, adult social care, children's services.

But I always find this report so useful, and the magic word Liz used is granularity. In terms of geopolitical risk, we're not Starbucks or McDonald's and I don't know of any Council that has a branch in Kyiv or in Moscow that would be affected. Geopolitical is not always about the direct effect it has, so I’d suggest looking at the indirect effects, with the most obvious being on utility prices, which obviously affects all of us. I would look at supply chain issues. Councils are often the biggest or one of the biggest purchasers in their locality and a lot of firms rely on us.

But as Liz said, are they subject to sanctions? What about their suppliers? It’s about looking a bit differently around sanctions. Would they directly affect us, maybe in terms of where our pension funds are being invested? I know my members, and probably yours too, take an interest in this and ask questions about ethical investments.

For me it is looking a little bit more deeply in between the lines.

Thank you very much Gavin for an interesting discussion there.


Institute's closing comments

Thank you all.

As usual, notes, chat comments and the slides shared today will be placed on our web pages in the next day or two.

Following today’s session there may be value in reading our report Risk in Focus 2023 which is available to all on our Policy and Research page on the website.

Our topic for the second September session on 28 September 2022 is Risk Appetite/Risk Tolerance – with risk appetite being the amount of risk an organisation is willing to accept to achieve its objectives, and risk tolerance being the acceptable deviation from the organisation's risk appetite – let’s explore.

Don’t forget our Annual Conference is 18-19 October 2022 so time to start booking, it will be in London at the QE2 centre, there is an in-person option and/or a hybrid option.

Our October session on 26 October 2022 is Wellbeing, looking at lessons learned from the Future Generations Wales Act, legislation introduced by the Welsh Government.

Thank you everyone, see you next week.

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith.

Q&A and chatbox comments

Q: Does the statement need to be a standalone one or could it be included in the annual governance statement?

A: It must be clear, visible and easy for people to see. Whether it needs to stand alone depends on how robust the other statements are. What you don’t want is for it to be lost. In good practice and if you look at the corporate companies that are doing it now, they’ve got it as standalone, but there’s nothing that says you must have it as standalone. It’s about the visibility and how accessible it is on your website and how quickly it can be accessed.

Q: If 7 out of 10 organisations did not have their statements transparent / you had to go deep to find it, does it mean most of the organisations are not interested in fighting modern slavery or do they not want to address the issue?

A: That’s a good question. It’s a mixed bag. It’s a lot for organisations to take this seriously and put in place to ensure that the risk is managed. I think that some of the companies that we’ve been talking to will do the bare minimum to get their statement out there, because they must comply. But enlightened good organisations which take this seriously go up a level and put in place some good stuff and have good processes behind the scenes to be able to support the statement in case of a spot-check.

Q: You mentioned in your slides that if they haven’t done anything they should be honest and say they haven’t done anything yet, so could they be equally honest and say ‘We’re on a journey and we’ve done xyz but still have things to do’ and provide a plan for what they will do, is that possible?

A: That is possible and the legislation says that if you do qualify, based on the threshold, you should provide the information from the slides on your transparency statement. If you can’t you must say you can’t and why not. It is a journey that people are on. It’s better to say you don’t have anything and you’re dealing with it, than put something up that has no substance. 

Q: Mapping the suppliers of suppliers to a council sounds like an onerous task. Is this realistic? I would be grateful if Jacky can provide any guidance on this.

A: Organisations struggle with this. It’s about mapping out what you can for your Tier Ones. They’re the easier ones. Although I was doing a presentation for an employer lawyer recently and I was saying it was easier to do Tier Ones and they were saying sometimes it isn’t because sometimes they are not in the UK, therefore how easy is it for you to get over to China for example. There are organisations out there where you could get them to visit and map out your tiers in different countries. Again, that’s a cost and in a constrained environment that’s not always possible. You could give it to your sustainability team, your procurement team or put in place a working group. There are different ways you could approach this, but fundamentally it’s about getting an understanding of the people closest to you that are providing you with services. That’s why we’re saying unpick now, rather than wait until the legislation comes as it can be so complex to be able to do that.      

Q: I know our council has provided training for Environmental Health officers and social care staff to help spot the signs of modern slavery, while they conduct their work visiting establishments or areas where there is recognised risk. I notice our transparency statement is not updated annually, should I be chasing this up, given we do at least have one?

A: The suggestion, because again it’s not mandated, is that you do update this annually, because things change, you put new things in place, your supply chain changes, your organisation updates its structure; nothing is stagnant. If you go on to corporates that are covered by it now, you will see that they go back three or four years, and you can see the progress the organisation has made. So yes absolutely, I would go back to them and say we need to review this and update it.

Q: I assume one of the key mechanisms would be to look at the statements of our suppliers, if they meet the reporting threshold - so we could draw some assurance from these? Is that a reasonable approach?

A: If you’ve got suppliers that meet the criteria and need to produce a transparency statement, that is a level of assurance, but it’s about whether there is substance behind that statement that you’d then need to unpick. It’s a starting point and about how deep you go, but you can start with that.

Q: When is it expected that the legislation will apply to Councils?

A: We thought it was coming in this year, but it hasn’t yet. The consultation was over a year ago, so probably next year, but that’s not yet been confirmed. Don’t wait until it comes before you do anything. 

Q: In the organisations you’ve worked with, has ownership for modern day slavery risks been an issue? It sounds like a lot of focus currently rests with the Procurement colleagues and talks mainly about supply chains. Are there any good practice processes for how the Head of Procurement would be expected to identify and report on the wider spectrum of modern slavery risks that might be spotted by officers out on the ground e.g. by Trading Standards, or Social Workers in Adults/Children’s services?

A: Yes you’re right in that the procurement function is a big part in capturing the risk because of the supply chain, but it doesn’t rest solely with them, because finance get involved, other functions get involved in choice of suppliers, so everyone who’s involved has a responsibility to unpick the risks that might come out of that. Good practice would be to consider the whole system impact, it’s not one function or individual which is responsible for doing this; it’s about making this a part of your wider organisation conversations, because if everyone is trained, everyone can spot and report issues. It’s about looking at your risks and controls against all the different components and populations that touch this. That’s another thing to look at – how does the organisation address that?