Risks Confronting Boards 2016 - Managing Risks
While we're focused heavily on directors, management and internal audit, we realize there are far more roles within operations that play a part in risk management. Directors were asked to define several varying entities' [not all within] management of key risks ranging from very well to not at all:
IT security, internal auditors, external consultants, and risk management groups see double digit percentage responses in the poorly and not at all categories when asked how effectively they are managing key risks.
Further, internal auditors receive the lowest percentage in well enough out of all 8 entities coupled with having the highest percentage in not at all rating. At face value, this contradicts the internal audit question responses we received saying boards use internal audit and are mostly happy with their work.
Across all 3 board types, the external auditors see identical results with the lowest negative feedback. Only 2, 5, and 4% of public, private, and not-for-profit boards (respectively) find external auditors managing key risks either poorly or not at all; albeit the external auditors are precluded from managing their clients risk, though they often identify areas of risk and educate on best practices.
We asked directors what the most common challenges are for internal functions to manage risk effectively. Although we asked in an open response format, the results were very conclusive and it is evident that certain challenges are top of mind for the directors.
Overall, the main challenges include inadequate staff size, limited resources and lack of focus/ prioritization.
Even major public organizations are not immune to staffing issues:
Public boards remain concerned with cybersecurity:
Focus and prioritization:
Private boards were mostly concerned with focus/prioritization and the lack of resources:
Not-for-profits are most concerned with having enough staff to fill the positions, let alone knowledgeable talent:
Again, there seems to be a constant struggle of keeping the budgets low while trying to adequately staff these internal positions. This works against them since compensating for one risk requires spending money which potentially takes resources away from other vulnerabilities.
Concerns About Risks Confronting Boards - 2016 Survey Results