Internal Audit’s response to the new risk multiverse

About the PwC Global Risk Survey

PwC’s 2022 Global Risk Survey focused on embracing risk in the face of disruption. It highlighted the need for executives to adapt their strategies and operating models and transform their risk capabilities to avoid disruption and capture new opportunities. The survey recommends five key actions that organisations should consider to drive their risk management capabilities forward.

The 2022 Global Risk Survey is a survey of 3,584 business and risk, audit and compliance executives conducted from February 4 to March 31, 2022. Business executives make up 49% of the sample, with the remaining 51% split among executives in audit (16%), risk management (24%) and compliance (11%).

This survey was conducted by PwC Research, PwC’s global Centre of Excellence for market research and insight.

Below, we discuss what this means for Internal Audit (IA).

Understanding the new risk multiverse

The world is interconnected. The impacts of geopolitical and pandemic events, financial market volatility, supply shortages and more, ripple across geographies, industries and organisations of all sizes. Just as the world is interconnected, so are risks. In this fast-changing risk multiverse, a single risk event, such as a cyber attack, can wreak havoc across operations, technology, financials, customers, suppliers, regulatory compliance, and business reputation.

While risks are often viewed as threats to be managed, embracing them can be critical in decision-making. Strategic moves such as new product launches, entry into adjacent markets, acquisitions, digital transformation, or third-party relationships are examples of conscious risk-taking to drive success for the organisation.

What this means for Internal Audit

IA’s purpose, objectivity, and reach across an organisation makes it ideally placed to help connect the dots in this new multiverse and help companies navigate risk. This means IA can deliver on its mandate to both protect value and create value, achieving its potential as a trusted advisor that is able to provide confidence to different stakeholders across the whole risk panorama.

Risk Survey message	What this means for Internal Audit
Engage early and get risk insights at the point of decision	Redefine IA’s role in a unified governance model and the importance of having ‘a seat at the table’ for early involvement in transformation initiatives
Take a panoramic view of risk	Leverage technology and data across the whole IA life-cycle, not just for testing, to provide different insights or highlight new risk areas
Set and employ risk appetite to take advantage of the upside of risk	Work with first and second line functions to help align priorities and agree on a common risk language
Use technology to support risk-based decision-making	IA should understand how management uses technology to incorporate risk into its decision-making—and be willing to share the data, tools and techniques to help do this

PwC's survey asked respondents who, in their view, had accountability for risk management. The responses showed a wide variation in who was perceived as having this accountability. This suggests that there is still a lot of work to do in creating a unified and effective approach to risk; however, it also provides an opportunity for IA to be agile, proactive and a ‘pioneer’ in helping achieve this.

Perception on the accountability for risk management

Risks	Financial	Strategic	Operational	Digital	Reporting	Compliance	Reputational
Chief Risk Officer (CRO)	9%	16%	14%	12%	21%	17%	18%
Chief Financial Officer (CFO)	58%	8%	8%	7%	20%	9%	8%
Chief Executive Officer (CEO)	10%	29%	15%	10%	13%	13%	25%
Chief Operations Officer (COO)	5%	12%	39%	6%	7%	8%	9%
Chief Information Security Officer (CISO)	3%	7%	4%	18%	7%	6%	5%
Chief Information Officer (CIO)	3%	5%	4%	16%	9%	5%	6%
Chief Technology Officer (CTO)	2%	5%	4%	22%	4%	4%	4%
Chief Audit Executive (CAE)	3%	3%	2%	2%	6%	4%	4%
Chief Compliance Officer (CCO)	1%	2%	1%	2%	3%	24%	5%
General Counsel (GC)	1%	2%	1%	1%	3%	4%	4%
The Board	2%	8%	3%	2%	3%	3%	7%
No single responsible executive	1%	2%	3%	2%	3%	2%	5%
Do not know	0%	0%	0%	0%	1%	0%	1%

^{*Source: PwC’s 2022 Global Risk Survey}

Engage early and get risk insights at the point of decision

IA needs to cement its ‘seat at the table’ and be involved early in transformation initiatives—not just retrospectively

Our Global Risk Survey found that:

79% report that keeping up with the speed of digital and other transformations is a significant risk management challenge
39% of business executive respondents say that they are making better decisions and achieving sustained outcomes by consulting with risk professionals early
70% are prioritising diversity in risk teams

This provides IA with a significant opportunity for proactive involvement to increase its value and offer more timely input on new or emerging risks. We see some high performing IA functions being requested to perform pre-go live health check assessments before transformation initiatives or technology is implemented. This ensures that risks are highlighted before they crystallise into post-implementation issues, which are often more disruptive and expensive to resolve.

IA’s involvement in projects, for example, can provide steering committees with a more diverse and independent lens on risk, and helps them take an early view on whether the project is on track to realising the intended benefits.

Actions that IA leaders can take:

Build an awareness of planned digital or other capex transformation initiatives, to allow IA input to be built into the budget and governance forums (such as steering committees).
Explore how real-time feedback can be delivered by IA when involved in transformation initiatives; for example, using a discussion document, risk position paper, or Key Risk Indicator (KRI) monitoring instead of a traditional IA report.
Share past case studies with stakeholders that demonstrate the benefit of having IA involved early, such as cost savings or cost avoidance from better project decisions.

Take a panoramic view of risk

IA should continue to leverage technology and data across the whole IA life-cycle, not just for testing, to provide different insights or highlight new risk areas

Our Global Risk Survey found that:

65% of companies are increasing overall spending on risk management technology
75% are planning on increasing spend across data analytics, process automation (74%) and technology to support the detection and monitoring of risks (72%)
38% report that their risk function is not actively seeking external insights to assess and monitor risks

These findings mean that there is an appetite in companies for more data-driven insights. IA can be a pioneer in providing this by using its experience extracting and analysing data, and turning it into actionable insights. This includes helping the business to identify and quantify risk exposures and direct attention towards matters of higher opportunity or magnitude.

We see, for example, the most appreciated IA functions are those that demonstrate digital competency not only by tapping into data, but presenting it in a way that highlights opportunities to create or protect value. This includes using data analytics at the risk assessment stage to focus effort, and deploying visualisation tools, such as PowerBI, Tableau, or Qlikview, to help see risk differently. The adage “a picture is worth a thousand words” is true for IA reporting.

Actions that IA leaders can take:

Invest in sourcing or upskilling digital capability and technology to complement existing risk, control and process expertise. IA can multiply its value when combining its existing human ‘superpowers’ with technology.
Provide quantifiable and visualised insights, metrics and analysis that showcase the power of using data to detect and monitor risks prior to them materialising into an issue or missed opportunity.
Experiment with different styles of reporting to find the best impact for the audience. Consider reports that include visualisation and data-led metrics and analysis to 'tell the story'.

Set and employ risk appetite to take advantage of the upside of risk

IA can increase its relevance to first and second line functions by helping align priorities and agree on a common risk language

Our Global Risk Survey found that:

33% are realising benefits from defining or resetting risk appetite and risk thresholds
56% are investing in risk culture and considering behavioural risk in 2022
47% are very confident in their risk function’s ability to build a more risk-aware culture

This gives IA an important role in helping to build stakeholders’ confidence in the way the organisation sees—and addresses—risk. We see boards and audit committees increasingly engage IA for data-informed perspectives on a widening panorama of risk, including in areas like Environmental, Social, and Governance (ESG), cyber security, regulatory change, M&A, third party management, and workstyle reform.

IA understands the impact and likelihood of risks across an organisation and can connect the dots between different functions, geographies, and processes to give a consolidated perspective on overall risk culture and emerging threats.

IA cannot, however, do this alone and it is important that an organisation has a unified approach across the different lines. This includes the language that is used to talk about risk, the approach and tools used to assess it, and the effort deployed to mitigate or embrace it. Without this alignment, the complexity and interconnected nature of the risk multiverse means companies can quickly get confused, lost or overwhelmed, which undermines overall risk culture. As a last line of defence, IA can help avoid this.

Actions that IA leaders can take:

Keep up to date on the company’s risk appetite and be aware of the potentially diverse views across the different stakeholder groups (such as the board, audit & risk committee, executives).
Deliver IA insights and recommendations with reference to the company’s risk appetite and thresholds to help prioritise what is important now and what might be important later as risks change.
Work with first and second line functions to highlight differences in the language, approach and priorities taken to risk across the organisation. This also includes highlighting and celebrating examples of good practice where functions or individuals have demonstrated innovation or significant progress in addressing risk.

Use technology to support risk-based decision-making

IA should understand how management uses technology to incorporate risk into its decision-making, and be willing to share the data, tools and techniques to help do this

Our Global Risk Survey found that:

74% of companies are increasing their spending toward adding technology and digital capabilities to the risk function
54% complement risk technology investments with people and process changes
75% claim that having technology systems that do not work together is a significant risk management challenge

It is important that IA is able to not only use technology effectively to deliver its own work, but understands how technology is built into decision-making at every level in the organisation. The pace of technological change, and the rate of its adoption in organisations, makes this a strategic imperative for IA.

IA’s experience in understanding and evaluating complex information flows, data integrity, system configuration and reporting, means that it is well placed to provide its advice. This can help the business identify critical decision points, understand the risk factors involved, and obtain comfort over the underlying systems and data relied upon. Incorporating this into an integrated assurance approach with second line functions can also reduce duplication of effort in assurance activity.

Furthermore, IA should be prepared to share their tools and techniques, and the data they collate, to support the first and second line in evolving their capabilities, where appropriate. In some cases, this could involve co-developing approaches so that risk-based decision-making and controls are ‘built in’ to processes downstream. This can include, for example, analytics scripts to highlight trends or outliers in a data set, Robotic Process Automation (RPA) to collate and test reports, or visualisation tools to help inspect and present information.

Actions that IA leaders can take:

Identify the tools, techniques and data that IA might have that could be helpful to the first and second line in developing their capabilities for risk-based decision making.
Update IA methodology and provide training to help internal auditors plan, look for, and assess key management decision points in a process, the related risks, and underlying systems and data involved.
Review the IT strategy and plan for the organisation and compare this to the IA technology strategy to see where there are opportunities to invest together, co-develop or share knowledge.

Final thoughts

The risks for companies—and the world—have never been more complicated or interconnected. Equally, the opportunities for IA to step up and help others navigate this new risk universe have never been greater, or more important.

IA already has many of the core capabilities needed to meet this challenge, but needs to combine these with other capabilities, assets and resources in the first and second line, or plan to develop them if they don’t exist. Achieving this ‘multiplier effect’ will be the only way the panorama of risks can be effectively tackled, particularly in areas like ESG, cyber, and regulation.

Ultimately, how successful IA is, and how relevant it remains, will depend on the extent to which it can think about risk differently, and help the business to do the same.

© 2023 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Download the article (PDF, 2.1MB)

PwC Global Risk Survey: Internal Audit's response to the new risk multiverse

Internal Audit can help organisations navigate the new risk multiverse

How can Internal Audit’s superpowers help organisations ‘see through walls’ to avoid hazards, remove complexity, and find new opportunities? Find out in PwC’s Global Internal Audit Study.

Read the report