
Risk in focus for 2023

by Mark Rowe

In 2022, organisations were hit by a perfect storm of high-impact, interlocking risks that have thrown businesses into a permanent state of crisis, says the latest Risk in Focus 2023 report, by the IIA (Institute of Internal Auditors).

After the Covid pandemic, the war in Ukraine has intensified supply chain failures, meaning ‘a state of crisis is the new normality’, according to the report. Besides climate-related natural disasters, looming recession, the cost of living, food shortages, employee welfare and skills deficits, and ‘a rapidly industrialising cyberattack landscape’, businesses face ‘intensifying geopolitical tensions and the very real threat of financial liquidity and solvency risks’. This, the report adds, has forced many organisations not just to rewrite their risk registers, ‘but to tear up outdated risk taxonomies that favour old-style siloed thinking’.

Internal auditors need to get a rapid grip on this, and to think big about what-ifs, such as a sudden break in the supply chain or a rise in temperatures, the report advises. It admits there are ‘few obvious, easy answers’. As in the previous year’s report, cybersecurity and data security are rated by most as among the top risks, as the risk auditors spend most time and effort on, and as the top risk that auditors expect to face three years from now.

The war in Ukraine took many organisations by surprise, including those with deep commercial interests in the region, the report said.

As for cyber, the report notes that hackers are taking advantage of the burgeoning ransomware-as-a-service ‘industry’, and moving into the more ominous area of so-called “killware” to put pressure on those attacked to pay up: attacks targeting critical infrastructure, such as hospitals or energy supplies, which could result in actual deaths. Auditors who spoke at a round-table, held as part of the gathering of material for the annual report, agreed that ransomware risk continues to be difficult to mitigate and poses a potential existential threat to businesses: financially, in terms of reputation, and if businesses find themselves unable to keep running.

The ability of low-skilled hackers to buy sophisticated off-the-shelf attacks should be on every internal audit team’s radar, one auditor said. The report said that auditors must ‘help to connect the dots’ between what is going on in the business and the board; and board-level engagement is key, to explain how much money their organisations stand to lose when specific risks crystallise – without ‘cloaking the topic in technical jargon’.

The report pointed to the cyber risk of third-party suppliers whose cyber security is less mature. European Union-wide rules such as GDPR and, more recently, guidance by the European Banking Authority, place responsibility with the organisation that owns the data. This trend is likely to continue to grow under the EU’s revised cybersecurity directive, NIS2. As with many new and emerging risks, identification, control and mitigation lie partly outside the business’s remit, and if a business has gone digital, cyber concerns extend to the cloud service provider. As suppliers are further from the sight of internal audit, risks inside suppliers are harder to assess and mitigate; yet an outage in the cloud can bring your infrastructure to a halt.

Cyber response is also about lines of communication in a business, the report makes plain: in many organisations a ransomware attack may be treated by the IT department as a stand-alone attack. But that approach is no longer adequate, the report argues, if a business loses data from a ransomware attack and decides to pay criminals to get the data back. What if that decision leads to a breach of a sanctions regime?

While larger organisations may have cyber specialists, general internal auditors can make a big difference by refocusing on the basics, according to the report. That includes security culture, which a Chartered IIA UK and Ireland study found was often a blind spot, for auditors and businesses overall alike.

As for insurance against cyber-attacks, it’s becoming more difficult to secure, according to a Risk in Focus 2023 roundtable.

About the report

Risk in Focus 2023 involved 14 Institutes of Internal Auditors spanning 15 European countries: Austria, Belgium, Bulgaria, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Slovenia, Spain, Sweden, Switzerland, and the UK and Ireland. After responses from auditors across Europe, four roundtable discussions and one-to-one interviews were run. Visit https://www.iia.org.uk/policy-and-research/research-reports/risk-in-focus/.


© 2024 Professional Security Magazine. All rights reserved.
