Fascinating and thought-provoking speakers raised some important questions with five golden threads:
- Risks do not respect organisational boundaries.
- First line comes first.
- Resilience must replace risk management.
- Tell stories, not scores.
Our keynote speech was on the intersectionality of risks with an increasingly complex environment to navigate. Michael Lucas (Brave Within LLP) talked us through Objectives@Risk™. Risks are not neatly defined. They don’t respect organisation structures or boundaries. Determining how they work together and engaging the first line is all important. We need to move away from silos to meaningful discussion of what matters to the business and the directors’ strategic priorities and objectives.
Eilish Jamieson spoke to the priorities of the Audit Committee, the most critical stakeholder for internal audit. She emphasised that directors want internal audit to drive trust. Audit Committees have fiduciary responsibilities, but they are equally concerned about reputational damage. They are looking for “stories, not scores”. “Insight beats information every time.” She asked us to consider how internal auditors might have the courage to say more and be clear about what is important. Remaining constantly curious is perhaps the best way to achieve this.
Focussing in on specific heightened risks, our first panel considered the intersection of human and digital risks. There is concern that pervasive risks are not being seen in that way. Processes and governance need to be designed through a human-first lens. And we need to be careful not to play undue deference to technology. It’s too easy to talk about “human-in-the-loop” but not really recognise what that means. The panel also reflected on the request for stories and the fact that we see “data fatigue”. There is a need to create a meaningful narrative, whether that be in respect of AI, ESG, geopolitics or multiple other risk lens.
Artificial Intelligence is one of the areas driving rapid change. Most of us are still trying to get up to speed with what it means and how it combines with a range of other technologies so that we can leverage its full potential. It’s important to consider this both through the lens of auditing the rest of the organisation and through improving our own internal audit processes.
Interestingly, amongst those who answered our poll, only 12% have built an audit of AI into their current plan. Concern was raised about how smaller companies with less resource should utilise AI effectively.
While many of us have recognised geopolitics as a significant driver of risk historically, the landscape feels even more pronounced today. AI and social media mean risks materialise and spread systematically much more quickly. The Trump impact cannot be underestimated. Nick Alcock, Chair of G3, advised us to get ahead of the game and be prepared. Recognise the intersectionality of issues. Ensure the supply chain and third party relationships are resilient and agile.
The three lines model is critical to maintain integration and to avoid silos. However, individuals have differing views as to how to protect the independence (real or perceived) of the third line at the same time. Perhaps the language should be more around objectivity.
All agreed that a first-line self-assessment process is critical to embed accountability and ownership.
The intersection of risks and the fragmented nature of controls mean issues can easily fall between the gaps. Colin Grey of IHG described this as being somewhat like snow blindness. To help the directors its essential internal auditors use the language of the CEO and simplify the messaging (on no more than one page if you want them to read it). His advice is not to expect mental gymnastics and repeat the message in the same way so it becomes recognisable and unforgettable.
While its tempting to focus on the mechanics of the audit programme and organisation, Caroline Pankhurst (Be Braver) reminded us of the importance of how we operate and the dynamics of the relationship between the three lines. Making progress will always require a level of personal risk. We each have triggers that we should consciously be aware of and lean into. These might include alienation as we feel excluded from the wider organisation, a sense of chaos or unpredictability, and powerlessness when we feel we cannot effect the change we believe is necessary. The Be Braver approach requires us to consider the elements of: Courage, Confidence, Connection and Clarity.
This means developing ally ship, seeking to learn from the methods that have worked for groups who are marginalised because of their personal characteristics. Finding allies for internal audit from across the business who can provide support and mentorship is perhaps something we can all take away.
We finished with Arleen McGichen, the new President of the Chartered Institute of Internal Auditors, taking about the future of the profession. She asserted we are at a crossroads. We need to have pride in the value we bring and be prepared for risks to manifest in all their forms. There are no longer “black swans”.
Organisational resilience with the accelerated pace of innovation is critical.