A Messy Picture for Risks in 2022
Consulting firm Protiviti recently published its annual survey of enterprise risks worrying corporate leaders for the coming year. As always, the survey is worth a look so you can decipher what might be on the minds of your board and C-suite, and then anticipate the ways they’ll likely exasperate you over the next 12 months.
Protiviti polled more than 1,450 corporate board directors and senior executives around the world, asking them to rate their concern about 36 enterprise risks on a scale of 1 to 10, for both 2022 and 2031. Figure 1, below, shows the top 10 risks for the coming year and one decade hence.
So for the coming year, executives are mostly worried about how the pandemic will pressure both government regulation and macro-economic conditions — and this poll was done in September and October, before the omicron variant cranked up everyone’s uncertainty even more.
For the far side of the decade, executives are more concerned about the persistent disruptive ability of new technology (risks Nos. 1, 3, 6, 10), with a side order of worry about workforce demographics and structural change introduced by the pandemic.
It’s also interesting to see what’s not on these lists. For example, Protiviti’s list from one year ago included concerns about privacy management and large enterprises’ ability to compete against “born digital” competitors with fewer physical assets. Both of those issues are gone for 2022. Cybersecurity barely squeaked onto the list for this year, and is nowhere to be seen for 2031. Worries about regulatory change only placed No. 7 for 2031. Concerns about corporate culture and ethical business conduct, which were standard fare on the Protiviti report several years ago, are gone too.
Does that mean senior executives believe cybersecurity, privacy, and corporate culture will be “solved” in the next few years? I don’t think so. I suspect these lists instead are telling us that executives are awash in strategic uncertainty. They worry that technological change will only accelerate even more, demographic change is not on their side, and the organization won’t be nimble enough to respond to either.
What to Do With These Risks
Internal auditors and compliance officers alike can put this Protiviti report to good use, each in their own way.
Internal auditors can use this report to inform your enterprise risk assessment, or to sit down with your board and tease out long-term challenges here. For example, it’s still the case that many internal audit functions spend most of their time on compliance with the Sarbanes-Oxley Act or other nuts-and-bolts regulatory obligations — but those aren’t the risks on executives’ minds for 2022 and beyond.
The risks at the top of Protiviti’s lists are all about strategic challenges, and a company’s ability to use technology to stay ahead of those challenges. Well, how can senior leaders get perspective and assurance on such challenges? Who does that legwork, if your audit team is pinned down with SOX compliance tasks? Even if you somehow have SOX compliance under control, do you have IT audit expertise to tackle risks around cybersecurity, data analytics, or digital transformation of business processes?
And to which committee of the board would you report your findings, anyway? Because pretty much none of these issues should go to the audit committee, which already has its hands full with financial reporting. Therefore the logical candidates are the risk committee, which too many boards still don’t have; or the full board, which can be an unwieldy structure that doesn’t allow enough time and focus for wise decision-making.
For auditors, then, the Protiviti study (or other “here’s the big picture” analyses that come along) can be a good launching point for deeper conversations with your board about the long-term challenges of the organization. It can help you talk about how well the internal audit team is or isn’t positioned to assist the board as it grapples with all these risks — in 2022, 2031, or any other year.
Compliance Officers, Meanwhile…
Compliance officers have a different set of concerns. Notice that increased regulatory enforcement isn’t among 2022’s top risks. Only one item related to corporate culture cracked the top 10 at all (shifts in expectations around diversity, equity, and inclusion), and that was more a compliance-adjacent issue than something clearly under your purview. There’s just not that much in the Protiviti report that directly speaks to compliance officers.
Well, that’s what gives me pause. If board directors and senior executives are so occupied with operational issues — and who can blame them? The pandemic, supply chains, cybersecurity, the labor force, and economic conditions are a mess — that doesn’t leave much time to consider ethics and compliance issues. Compliance officers may be left to handle corporate ethics, compliance, and conduct issues on their own. That could be even more challenging in 2022 than it usually is.
Let’s remember, the Justice Department recently announced that it will enforce corporate misconduct laws more vigorously. That crackdown will include (a) taking an expansive look at a company’s past behavior when deciding how to resolve a specific matter; and (b) taking a tougher stance against corporate recidivists, especially when the company commits some act of misconduct while under a deferred-prosecution deal for some prior act of misconduct.
There’s nothing wrong with such actions unto themselves, but they mean that the Justice Department is serious about wanting to see companies embrace a culture of compliance. It wants to see evidence of real, lasting, enterprise-wide change.
So if the company needs to redouble its efforts at a strong culture of compliance, complete with commitment and engagement from senior executives — how difficult will that be in 2022 and beyond, if the board’s attention is swamped by other issues?
That’s where I worry for compliance officers. Briefing the board and holding directors’ attention is hard enough in the best of times. I don’t believe 2022 is going to be an awful year, but “best” might not be the right adjective either. Boards and C-suites are going to have a lot on their minds. Compliance officers should plan accordingly.