<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NOT-FOR-PROFIT | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/not-for-profit/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Mon, 13 Apr 2026 02:05:02 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>NOT-FOR-PROFIT | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The 4 Chief Risk Officer Archetypes For Success</title>
		<link>https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 06:11:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12682</guid>

					<description><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are. The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are.</p>
<p>The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their character, their style, and their approach to people are as critical as any technical skill. This is where the power of chief risk officer archetypes comes into play.</p>
<p>By exploring these universal models of leadership, you can unlock another level of self-awareness allowing you to not only understand your natural strengths but also strategically adapt your approach to master the ever-evolving landscape of risk.</p>
<h3><strong>What is an Archetype?</strong></h3>
<p>An archetype is a universal model or pattern. Think of an archetype as a basic blueprint for a character, idea, or behaviour that appears again and again across different cultures and stories.</p>
<p>In business, archetypes are often applied to <a href="https://marchbranding.com/design-insight/brand-archetypes" target="_blank" rel="noopener">brands</a> to help companies define their identity, guide strategy, and connect with customers on a deeper, more emotional level. They serve as psychological shortcuts that make complex ideas more relatable and memorable. For example, &#8220;The Hero&#8221; archetype is used for brands that empower customers to be their best. Think of Nike and its &#8220;Just Do It&#8221; slogan. Another example is &#8220;The Outlaw&#8221; archetype, used for brands that challenge the status quo and empower rebellion. Harley-Davidson and Virgin are well-known for this.</p>
<p>Archetypes can also be used to understand and categorise <a href="https://hbr.org/2013/12/the-eight-archetypes-of-leadership" target="_blank" rel="noopener">leadership styles</a> and professional roles. This helps in talent management, team building, personal development and recruiting the &#8220;right&#8221; person.</p>
<p>For example, when recruiting a new Chief Executive Officer (CEO), archetypes help identify which leader fits the company&#8217;s current stage of growth. The Fix-It Leader, or Change-Catalyst, is a specialised archetype used for company turnarounds. This leader is not a builder or innovator. They are a turnaround expert whose main goal is to diagnose problems, make difficult decisions and start the changes to restore a company&#8217;s health.</p>
<h3><strong>Using Chief Risk Officer Archetypes</strong></h3>
<p>Categorising risk leaders into archetypes can help the board and CEO understand what kind of expertise and risk leadership is required to manage complex challenges. It allows for a more intentional and strategic approach to talent management and organisational design within the C-suite.</p>
<p>A word of caution: archetypes are not static &#8220;personality types&#8221; of the kind produced by the <a href="https://www.themyersbriggs.com/en-US/Products-and-Services/Myers-Briggs" target="_blank" rel="noopener">Myers-Briggs Type Indicator</a> (MBTI). The MBTI&#8217;s goal is to sort people into one of 16 distinct, static &#8220;personality types&#8221; (like INTJ or ESFP) based on their preferences in four dichotomous categories. In contrast, archetypes are dynamic and symbolic. An individual may be influenced by several archetypes at different times and in different ways.</p>
<h3><strong>The 4 Chief Risk Officer Archetypes</strong></h3>
<p>From our literature review, a handful of chief risk officer archetypes have already been identified, mainly by large and credible consulting firms. Most of these models present three archetypes for risk leadership.</p>
<p>Deeper research into these models, combined with reflection on our real-world experience assessing risk management frameworks, risk leadership, risk culture, risk maturity and risk capability across public and private sector organisations, has revealed a fourth, distinct profile. In total, we have identified four chief risk officer archetypes that serve as strategic blueprints for how a risk leader operates within an organisation. And remember, a risk leader may be influenced by several archetypes at different times and in different ways.</p>
<p><img fetchpriority="high" decoding="async" class=" wp-image-12687 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png" alt="Chief Risk Officer Archetypes" width="524" height="306" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-768x449.png 768w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult.png 1131w" sizes="(max-width: 524px) 100vw, 524px" /></p>
<p>These archetypes aren&#8217;t about a person&#8217;s personality type. They describe a leader&#8217;s primary focus, motivation, and style. Leaders can tailor these approaches to a company&#8217;s specific needs at different stages of its risk maturity.</p>
<h4>1. The Innovator</h4>
<p>The Innovator is a risk leader who sees risk as a strategic tool for growth and competitive advantage, not a barrier.</p>
<p>They are not just managing risk but actively using it to drive the business forward. They are forward-looking, visionary, and a strong partner to the business.</p>
<p>Innovators work hand-in-hand with the business to help drive growth and capture new opportunities. Instead of focusing solely on protection, they are visionaries who use advanced technology, risk models and a higher risk appetite to help the C-suite build new business models, launch ventures, and expand into new markets.</p>
<p>They have a higher tolerance for risk and focus on identifying opportunities within higher levels of uncertainty and complexity. Operating in higher levels of uncertainty is their comfort zone.</p>
<p>Their key questions are &#8220;How can we use risk to our advantage?&#8221; and &#8220;What&#8217;s the best way to take a calculated risk?&#8221;</p>
<p>As their core motivation is value creation, Innovators are ideal for high-growth companies, start-ups, new product launches, market expansion, M&amp;A projects or supporting innovation within a larger corporation.</p>
<h4>2. The Guardian</h4>
<p>The Guardians are risk leaders who prioritise building a resilient and sustainable organisation. They see themselves as the ultimate protectors of the organisation.</p>
<p>Their primary focus is on long-term protection, sustainability and resilience &#8211; not just short-term problem solving. They typically create strong and stable foundations to withstand future shocks.</p>
<p>Guardians methodically structure their work and focus heavily on risk governance. They build robust frameworks, embed a strong risk culture, and ensure compliance with regulations. Their main concern is with what could go wrong and how to prevent it.</p>
<p>In essence, the Guardians&#8217; mission is to safeguard the organisation from the ground up, thereby making sure it can weather any storm and any emerging risk.</p>
<p>They often ask, &#8220;Are we prepared for the future?&#8221; and &#8220;What safeguards do we need?&#8221;</p>
<p>Guardians thrive in established, risk-averse, and highly regulated organisations. In these environments, long-term stability and resilience matter more than aggressive growth. Consequently, the Guardian&#8217;s methodical and protective nature perfectly suits sectors where failure is costly and compliance is mandatory. This is why Guardians are prominent in financial services, healthcare, and public sector agencies.</p>
<h4>3. The Operator</h4>
<p>The Operators are the risk leaders who excel at the practical, day-to-day management of risk. They are pragmatic problem-solvers who deal with the day-to-day realities of risk. They are very hands-on and focus on efficiency, crisis management, and immediate results.</p>
<p>Operators thrive in situations demanding efficiency, decisive action, and stability.</p>
<p>They are action-oriented and decisive, with a strong focus on the present. For this reason, they are often brought in to help stabilise a business, resolve a crisis, or streamline operations. Furthermore, they prioritise getting the fundamentals right and aren&#8217;t afraid to make tough, unpopular decisions. Ultimately, Operators are all about managing immediate challenges, whether they&#8217;re navigating a crisis or ensuring smooth, efficient operations by de-risking them.</p>
<p>Their key questions are &#8220;How can we fix this right now?&#8221; and &#8220;What is the most efficient way to manage this?&#8221;</p>
<p>Their value lies in their ability to handle real-world challenges with speed and precision, ensuring the company remains stable and on course.</p>
<p>Operators are ideal for organisations facing a range of immediate risks and resilience challenges, undergoing restructuring, or prioritising efficiency and stability over radical growth. They excel in environments where direct problem-solving is a top priority: organisations with known risk management issues, companies in crisis, and highly regulated industries. Their pragmatic, action-oriented approach helps them solve problems directly.</p>
<h4>4. The Influencer</h4>
<p>The Influencers are risk leaders who rely on collaboration and communication to achieve their goals. Instead of using a top-down, command-and-control approach, they use soft power to build consensus and unite disparate teams. In other words, they don&#8217;t lead through authority, but through collaboration and persuasion.</p>
<p>Influencers are catalysts for change, focusing on uniting people and building a shared understanding of risk across the entire organisation.</p>
<p>They are collaborative, communicative, and empathetic. They build strong networks, facilitate cross-functional dialogue, and empower others to take ownership of risk.</p>
<p>Their primary questions are &#8220;How can we get everyone on the same page?&#8221; and &#8220;How do we build trust?&#8221;</p>
<p>Therefore, they are natural facilitators who create open dialogue and a common language around risk, ensuring that risk management becomes a collective responsibility rather than a siloed function.</p>
<p>The Influencer archetype is ideal for organisations that need to foster a collaborative risk culture, break down silos, or manage complex transformations where buy-in from multiple stakeholders is critical. Their strength lies in their ability to unite disparate teams and build consensus. Influencers thrive in large, complex organisations, companies undergoing major transformations, and industries where collaboration, project-based work, and teamwork are critical to success.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>These four archetypes provide a powerful lens for understanding different styles, moving beyond a one-size-fits-all approach to risk leadership.</p>
<p>It is possible for a chief risk officer to possess elements of all four archetypes, but it&#8217;s highly unlikely they will master them all equally. Most individuals have a dominant, natural style they rely on, with secondary styles they can develop and use when a situation calls for it.</p>
<p>Ultimately, by recognising if you&#8217;re predominantly an Innovator, Guardian, Operator, or Influencer, you can leverage your natural strengths and identify your blind spots. In turn, this allows you to intentionally adapt your approach to fit your organisation&#8217;s specific needs.</p>
<p>These archetypes transform the abstract idea of a &#8220;risk personality&#8221; into a practical framework for self-awareness and professional growth. This lets you do more than just manage risk. It also helps you engage better with key stakeholders and master your role in shaping a resilient, successful future.</p>
<p>The goal isn&#8217;t to be all four at once, but to understand which style a given situation demands and to be flexible enough to apply it.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Your First 90 Days as a New Risk Officer</title>
		<link>https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 01 Sep 2025 11:38:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12652</guid>

					<description><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel spreadsheet won&#8217;t win any hearts and minds. But, with a structured 90-day plan, you can strategically navigate your initial months, build the foundations for a robust risk culture, and become an indispensable asset to your organisation.</p>
<p>It’s a marathon, not a sprint, and your first 90 days are less about implementing a grand new system and more about a strategic reconnaissance mission.</p>
<h3>Days 1-30: Listening &amp; Learning to Discover</h3>
<p>You’ve just landed a new role and will bring a fresh perspective and a head full of ideas. But resist the &#8220;rookie error&#8221; of jumping straight into solutions. Your primary goal in the first 30 days is not to fix things immediately but to deeply understand the organisation’s current state of risk management, both formally and informally. This is your strategic reconnaissance mission.</p>
<p>So, your first 30 days are about building relationships, listening, and understanding the company&#8217;s culture. You&#8217;re connecting with people, their priorities, and their pain points.</p>
<h4>1. Understand the business &amp; its objectives</h4>
<p>Before you can help your organisation better manage its risks, you have to understand what it&#8217;s trying to achieve. Think of yourself as an archaeologist, piecing together the organisation’s strategic history and future.</p>
<p>Start by listening. In Stephen R. Covey&#8217;s <a href="https://www.amazon.com.au/Habits-Highly-Effective-People-Anniversary/dp/1760856827/ref=asc_df_1760856827?mcid=ec1ce501a0603a8f9cf957d6e813e4a5&amp;tag=googleshopdsk-22&amp;linkCode=df0&amp;hvadid=712378054319&amp;hvpos=&amp;hvnetw=g&amp;hvrand=9119838800735302010&amp;hvpone=&amp;hvptwo=&amp;hvqmt=&amp;hvdev=c&amp;hvdvcmdl=&amp;hvlocint=&amp;hvlocphy=9071874&amp;hvtargid=pla-912127216987&amp;psc=1&amp;gad_source=1" target="_blank" rel="noopener">The 7 Habits of Highly Effective People</a>, the fifth habit, &#8220;Seek First to Understand, Then to Be Understood,&#8221; is a cornerstone of effective management, emphasising that genuine listening is the key to building trust and solving problems.</p>
<p>Schedule one-on-one meetings with executive leaders, department heads, and key operational staff. But don&#8217;t lead with a pitch about risk. Instead, ask open-ended questions like, &#8220;What are your top three priorities for this quarter?&#8221; or &#8220;What&#8217;s the biggest challenge you&#8217;re facing right now?&#8221; Listen for the recurring themes and pain points. This approach will help you connect risk to their day-to-day reality, making you a key partner in their success, not just a compliance enforcer.</p>
<p>Understand the &#8220;why&#8221; behind the organisation&#8217;s existence and its key drivers. Review your organisation&#8217;s strategic plans, annual reports, and existing business unit performance reviews. Look for key performance indicators (KPIs) and business drivers. A financial services company, for example, might be driven by client acquisition and regulatory compliance, while a government agency might be focused on delivering services and managing public perception. Understanding this &#8220;why&#8221; will help you align your risk strategy with the organisation&#8217;s core mission.</p>
<p>Listen more than you talk. Absorb as much information as possible before forming conclusions.</p>
<h4>2. Understand the culture &amp; key stakeholders</h4>
<p>Every organisation has an unwritten rulebook that dictates how things really get done. Your job is to read it and decipher it.</p>
<p>Pay close attention to how decisions are made. Is it a top-down process, or do teams have autonomy? How does information flow&#8230;through formal memos or quick chats in the hallway? Observe who people defer to in meetings, as these are often the informal leaders and key influencers you need to win over.</p>
<p>Find your allies by identifying the &#8220;risk champions&#8221; i.e. the people who already do risk management well, even if it&#8217;s not in their job description. These individuals are your most valuable allies. They might be a project manager who meticulously tracks potential roadblocks or a finance officer who instinctively thinks about fraud. Find them, build rapport, and learn from them. They will be crucial in helping you drive change.</p>
<p>You may be the new kid on the block, so find the people who have the &#8220;institutional knowledge&#8221;. Build relationships with long-serving staff and administrative personnel. They often hold a wealth of knowledge and understand the informal power structures better than anyone. They can give you invaluable context on why certain processes exist or why previous change initiatives failed.</p>
<p>Be a partner, not a police officer. Position yourself as an enabler of objectives, not a blocker.</p>
<h4>3. Assess the current state of risk management</h4>
<p>This is where you get into the nitty-gritty, but remember to stay in &#8220;assessment mode&#8221; not &#8220;judgment mode&#8221;.</p>
<p>Dig into the paper trail by looking into the existing documentation and reports. Do risk registers and risk assessments exist? If so, are they living documents or dusty relics? How are risky decisions escalated to leadership? Do conversations about risk even occur in meetings, and if so, how? Look for formal processes, but also observe if they’re actually being followed.</p>
<p>Conduct informal interviews to look beyond the official documents. Ask staff at all levels about their experiences with risk management. Ask questions like, &#8220;What works well when it comes to managing risks in your area?&#8221; and &#8220;What do you believe are the biggest threats to our team&#8217;s success?&#8221; Pay close attention to the &#8220;grapevine&#8221;, as sometimes the most valuable insights come from informal conversations over coffee. It can reveal what people are truly worried about, regardless of what&#8217;s written in a report.</p>
<h3>Days 31-60: Confirming &amp; Benchmarking</h3>
<p>With a clearer picture of the organisation, culture, and existing frameworks, your focus now shifts. The second month is about solidifying key relationships, validating your initial observations, and beginning to outline potential areas for improvement. This phase is for bringing order to the chaos; it is where you transition from an observer to a trusted partner.</p>
<h4>4. Cultivate key relationships &amp; build trust</h4>
<p>A month in, trust is the single most important currency you will have. Everything you do now should be in service of building it.</p>
<p>Show you&#8217;ve been listening by following up on your initial meetings. Send a brief email or schedule a quick chat to share a summary of what you heard. For example, &#8220;Thanks again for the chat. I heard your team is really focused on onboarding a new strategic vendor this quarter, and that their cybersecurity posture is a key concern. I&#8217;d love to explore how we can support you in that&#8221;. This simple act shows you were listening and value their input.</p>
<p>Identify some &#8220;quick wins&#8221; by looking for low-hanging fruit where you can offer immediate, tangible value. Maybe a manager is struggling with a clunky risk register or a risk reporting process. You could offer a workshop to review the risks or to streamline the report. Or perhaps a team is launching a new project and needs help thinking through the key risks. Offering to facilitate a short, informal risk brainstorming session can be a huge win. These small successes build goodwill and demonstrate that you are a resource, not a roadblock.</p>
<p>Maintain transparency by scheduling regular check-ins with your direct manager or sponsor. Be proactive in updating them on your progress, sharing your observations, and seeking their guidance. This ensures they&#8217;re never surprised and keeps them invested in your success.</p>
<p>Build credibility through action. Small, consistent successes speak louder than grand pronouncements.</p>
<h4>5. Benchmark against better practice</h4>
<p>Now that you have a sense of the organisation’s current state, you can subtly introduce new ideas about what&#8217;s possible. The key here is to do this without criticising the past.</p>
<p>Instead of saying, &#8220;Your risk management process is broken&#8221;, try, &#8220;In other organisations I&#8217;ve worked with, we found that having a clear risk appetite statement helped us make faster decisions. Is that something we could explore here?&#8221; This frames the conversation around improvement and a shared benefit, not problems.</p>
<p>As you review documentation and speak with people, you will identify clear differences between the current state and a functional risk management framework. Start planting seeds for change. For example, ask questions like, &#8220;Is there clear accountability for key risks?&#8221; or &#8220;Are risks only discussed reactively, after an incident has occurred?&#8221; Use these gaps as focal points for future conversations and improvement plans.</p>
<h4>6. Develop a preliminary assessment &amp; vision</h4>
<p>It&#8217;s now time to translate your findings into a clear, high-level narrative.</p>
<p>Begin to consolidate your observations into a concise assessment of the current risk management maturity. What are the top 3-5 challenges? Is it a lack of clear ownership? A culture of blame? Or simply a lack of effective tools? You should be able to articulate these challenges in a clear and compelling way, grounded in the conversations and documents from your first 60 days.</p>
<p>Next, draft a preliminary vision for what improved risk management would look like. This isn&#8217;t a final plan, but a simple, compelling statement. For example, &#8220;Success would look like a culture where everyone feels empowered to identify risks, and we can make better, faster decisions as a result&#8221;. This serves as your guiding star, a simple vision you can keep coming back to as you navigate the next 90 days and beyond.</p>
<h3>Days 61-90: Catalysing Change &amp; Outlining the Path Forward</h3>
<p>You&#8217;ve now spent the last two months as an anthropologist and an analyst. You’ve listened, learned, and identified the pulse of the organisation. Now is the time to translate that knowledge into visible momentum and a clear strategic roadmap.</p>
<p>As a Risk Officer, you&#8217;re not just a manager; you&#8217;re a catalyst for change, driving early wins, and initiating the strategic plan that will accelerate the organisation&#8217;s risk maturity. This is where you demonstrate your value and secure buy-in for the future.</p>
<h4>7. Deliver an early tangible win or two</h4>
<p>Based on your observations and stakeholder feedback, you should have a solid idea of a quick win project. Now, execute it.</p>
<p>Choose a project that will have a real, visible impact on a key business unit or process. For example, if you discovered that a crucial department is struggling with fraud prevention, deliver a targeted workshop on common fraud indicators and best practices.</p>
<h4>8. Communicate success widely</h4>
<p>Once a quick win project is complete, ensure you publicise it. Write a brief memo or present a short update at a team meeting. Be sure to credit the individuals and teams who helped you. This shows you&#8217;re a team player and that your work translates into tangible benefits.</p>
<p>Communication enhances stakeholder trust in your capabilities, makes you visible to key stakeholders, and builds momentum to demonstrate your value to the organisation.</p>
<p>Focus on value. Always articulate how risk management contributes to the organisation&#8217;s success. A better risk process isn&#8217;t just about compliance; it&#8217;s about making better decisions, enhancing organisational resilience, and ultimately, achieving strategic objectives.</p>
<h4>9. Present your findings &amp; proposed roadmap</h4>
<p>You’ve built trust and delivered a quick win. Now is the time to formalise your observations and present your vision for the future of risk management.</p>
<p>Prepare a concise presentation for the leadership team and key stakeholders. Don&#8217;t start with a list of problems. Instead, begin with what you’ve &#8220;learned&#8221; from them. Talk about the strategic priorities you&#8217;ve heard and how you&#8217;ve observed risk impacting those goals. This positions you as an ally and team player.</p>
<p>Based on your findings, propose a high-level strategic roadmap for the next 12-18 months. Focus on 3-5 key priorities. This isn&#8217;t about creating a rigid plan, but a living document that can be refined with feedback. For example, your priorities might be to clarify ownership of top risks, integrate risk discussions into business planning sessions, or enhance fraud detection capabilities. For each priority, briefly outline the benefits and the first steps.</p>
<h4>10. Establish governance &amp; communication channels</h4>
<p>Your final goal for the 90-day mark is to set up the structures that will sustain momentum into the future.</p>
<p>Begin establishing or revitalising formal risk governance structures. This could involve creating a new risk committee or simply clarifying the responsibilities of key risk owners. Formalising the changes you&#8217;re introducing in this way gives them authority.</p>
<p>Develop a communication plan for ongoing engagement. Outline how you will regularly communicate with stakeholders about risk. This might be a monthly email update, a standing agenda item in leadership meetings, or a quarterly risk report that is easy to understand. Consistent, clear communication is crucial for keeping risk top of mind and ensuring your efforts don&#8217;t fade into the background.</p>
<p>Be patient, but persistent. Cultural change takes time, but consistent effort will yield results.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>Your first 90 days as a new Risk Officer are about building trust and momentum. It&#8217;s a three-phase journey. You&#8217;ll spend the first month as an anthropologist, listening and learning to understand the business, its people, and its culture. The second month is for building bridges, validating your findings, and subtly introducing better risk management practices to prove your value as a partner. Finally, in the third month, you&#8217;ll deliver on your promises by executing a small, visible project, then presenting a strategic roadmap that is tied directly to the organisation&#8217;s business goals. Remember, your credibility comes from empathy and action, not from a checklist.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
<table style="height: 103px;" width="680">
<tbody>
<tr>
<td width="246">
<h3>Download your free first 90 day checklist</h3>
<p>This first 90 day checklist gives you a clear roadmap for your critical first three months. It highlights the key priorities, actions, and conversations you need to focus on, helping you build momentum, establish credibility, and set yourself up for long-term risk management success.</p>
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img decoding="async" class="wp-image-12672 alignleft" src="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg" alt="" width="167" height="39" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist.jpg 568w" sizes="(max-width: 167px) 100vw, 167px" /></a></p></td>
<td width="64"><p>&nbsp;</p>
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img decoding="async" class="aligncenter wp-image-12679 size-thumbnail" src="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg" alt="" width="150" height="150" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg 150w, https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-640x640.jpg 640w" sizes="(max-width: 150px) 100vw, 150px" /></a></p></td>
</tr>
</tbody>
</table>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How The Smart CEO Gets More Value From Internal Audit</title>
		<link>https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 19 Jul 2023 20:54:05 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10774</guid>

					<description><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated. Therefore, internal audit is an important function within any [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/">How The Smart CEO Gets More Value From Internal Audit</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated.</p>
<p>Therefore, internal audit is an important function within any organisation. Managed well and aligned to strategic initiatives, internal audit can be one of the organisation&#8217;s most valuable assets. Managed poorly, it can be a waste of money, time and valuable resources.</p>
<p>Many boards and CEOs value an effective internal audit function, but we cannot always say that internal audit is valued by all stakeholders. Sometimes, the relationship between the CEO, management and internal audit can come under strain due to the competing priorities of each party.</p>
<p>Having worked closely with boards, audit committees, CEOs, senior managers and internal auditors and having collectively performed thousands of internal audits over 20 years, the internal audit team at InConsult looked at the role of the CEO in internal audit and identified a number of strategies to guide the CEO to get more value from internal audit.</p>
<h3>The Sources of Audit Tension</h3>
<p>Tensions that undermine a positive internal audit experience can come from internal audit, the CEO, management and the board, and can occur for many reasons.</p>
<h4>Competing objectives and priorities</h4>
<p>Management&#8217;s focus is primarily on achieving strategic goals and financial performance. Internal audit is also interested in the organisation achieving its goals. However, if management is so focussed on the outcome that they don&#8217;t pay proper regard to the process, skimp on compliance and don&#8217;t manage risks effectively, it can lead to conflicts, disagreements and tensions between the parties.</p>
<h4>Lack of understanding</h4>
<p>Management may not fully understand or appreciate the purpose, value and importance of the internal audit function. They may view it as a compliance-driven activity rather than recognising its role in providing independent assurance and valuable insights to improve organisational processes and controls.</p>
<h4>Perception of criticism</h4>
<p>Internal audit&#8217;s role is designed to assess and evaluate the effectiveness of controls, processes, and risk management practices of management. If management perceives these assessments as personal criticisms or threats to their authority, it can strain the relationship.  When internal audit identifies control weaknesses or areas for improvement, it can be perceived by the CEO as a criticism of their leadership or decision-making. This can lead to defensiveness and strained relations between the CEO and internal audit.</p>
<h4>Ineffective communication</h4>
<p>Effective communication is essential for a strong relationship between internal audit, the board, CEO and management. If there are communication gaps, misunderstandings can occur, leading to mistrust and strained relations. Lack of clarity in explaining audit findings and recommendations can further exacerbate these issues.</p>
<h4>Gaps in internal audit capabilities</h4>
<p>Poor internal audit practices or an under-resourced internal audit team will compromise the quality of internal audit work. Limited staffing, budget, or access to necessary information can impact the quality and timeliness of audit work, leading to frustrations on both sides.</p>
<h4>Lack of trust and independence</h4>
<p>Internal audit must operate with a high degree of independence to provide unbiased assessments. Internal audit must have unfettered access to information.  If management perceives internal audit as lacking independence or being influenced by external factors, it can erode trust and strain the relationship.</p>
<h4>Resistance to audit recommendations</h4>
<p>Internal audit often provides recommendations for improving controls, processes, and risk management. If management is not confident in internal audit&#8217;s capabilities, resists findings or fails to take recommendations seriously, it can create a perception that the internal audit function&#8217;s efforts are being disregarded or undervalued.</p>
<h3>Strategies for the CEO to Establish Solid Foundations</h3>
<p>Whilst internal audit is an independent function, the CEO is often in the driver&#8217;s seat for ensuring it is effective, with some oversight from the audit committee and/or board in larger organisations. An effective internal audit function is built on a solid foundation of key principles, practices, and structures. The CEO should work with the Chief Audit Executive and support laying these foundations.</p>
<h4>Recruit a capable audit team</h4>
<p>Internal auditors should possess the necessary knowledge, skills, and professional qualifications/certifications. The internal audit department should also follow the standards and ethical guidelines of the profession as set out by the <a href="https://www.theiia.org/" target="_blank" rel="noopener">Institute of Internal Auditors</a>.</p>
<h4>Ensure adequate resourcing</h4>
<p>For internal audit to be effective, it needs to have the appropriate resources in terms of staffing, budget, and technology. The CEO should ensure that the internal audit department is adequately resourced and has the necessary tools and technology to do its job effectively.</p>
<h4>Use a risk-based audit approach</h4>
<p>Due to budget and time constraints, internal audit should take a risk-based approach to its work, focusing on areas where the organisation is most at risk and providing assurance that the internal controls are designed and operating effectively to mitigate these risks.</p>
<p>By engaging with key stakeholders, contextualising the organisational objectives and conducting a comprehensive risk assessment (or using risk information from the risk management department), the internal audit department can identify the areas of the company where the risk of loss or failure to achieve objectives is greatest. This helps the internal audit function to focus on the areas of the company that are most at risk and provides assurance that the company&#8217;s internal controls are designed and operating effectively to mitigate these risks.</p>
<h4>Open communication between audit and management</h4>
<p>Establish regular communication channels between internal audit and management to enhance understanding and address any concerns or misunderstandings promptly.</p>
<h4>Clear audit plans and reports</h4>
<p>The internal audit function should have plans and reports in place to communicate its intentions, approach, findings and recommendations to the CEO, the board of directors, and other stakeholders.  Key plans and reports include:</p>
<ul>
<li><strong>Strategic Audit Plan</strong> &#8211; outlines the internal audit activities and objectives for a three-year period. It serves as a roadmap for the internal audit function, guiding its efforts in evaluating and assessing the organisation&#8217;s operations, risks, controls, and governance processes over the specified timeframe.</li>
<li><strong>Audit Engagement Plan</strong> &#8211; outlines the specific details and objectives of an upcoming audit engagement. It is a roadmap for the internal audit team, providing a structured approach to conducting the audit and ensuring that all relevant areas are addressed.</li>
<li><strong>Audit Report</strong> &#8211; summarises the audit approach, methodology, findings, observations, and recommendations resulting from an internal audit engagement. The report is a communication tool between internal audit and management, providing valuable insights and recommendations for improving processes, controls, and risk management practices.</li>
<li><strong>Quarterly Audit Report</strong> &#8211; provides an update on the progress of audit engagements completed, highlights key issues, and tracks the progress of audit recommendations to completion/closure.</li>
</ul>
<h4>Be visible</h4>
<p>It&#8217;s important that the CEO is visible, promotes internal audit and encourages management to take appropriate action on recommendations in a timely manner. This shows the importance placed on internal audit and helps to maintain the integrity of the internal control environment. It&#8217;s also important that the internal audit team is seen as approachable by any member of staff, which enhances their standing within the organisation and provides an avenue to identify issues at the coalface.</p>
<h4>Continuous audit improvement</h4>
<p>The internal audit function should be continuously looking for ways to improve its processes and procedures. The department should also monitor and evaluate the effectiveness of its work and the impact of its recommendations to continually improve the control environment. Every 5 years, the internal audit process should undergo an external independent review.</p>
<h3>Strategies for Optimising Internal Audit</h3>
<p>Having the foundations in place helps to ensure that the internal audit function is able to provide the assurance that the CEO and the board of directors need, but it may not relieve all the tension. The CEO and board can expect more from internal audit.  They may expect internal audit to take a more proactive approach to identifying and assessing risks, rather than just being reactive to issues that have already occurred.</p>
<h4>Monitoring and analysis of key performance indicators</h4>
<p>The internal audit department can use monitoring and analysis of key performance indicators (KPIs) to identify potential issues and risks before they become major problems. This could include monitoring the company&#8217;s financial performance, compliance with laws and regulations, and the effectiveness of key processes and systems.</p>
<h4>Data analytics</h4>
<p>Internal audit can use data analytics tools to identify patterns or anomalies in data that may indicate a potential risk or control weakness. These tools can help internal audit to uncover issues that may be hidden and would not be identified through traditional audit methods.</p>
<h4>Continuous control monitoring</h4>
<p>The internal audit function can be proactive by continuously looking for ways to improve its processes and procedures. This could include ongoing monitoring of the control environment.</p>
<h4>Predictive auditing</h4>
<p>Predictive auditing is a new way of auditing that allows internal audit to make predictions about future events, scenarios, or risks by identifying and analysing patterns or trends, and to build in assessments and controls to prevent potential events from happening.</p>
<h4>Stay current with industry/sector developments</h4>
<p>Internal audit can also be proactive by staying current with industry developments and emerging risks, such as regulatory changes and technological advancements, so they can identify potential risks to the organisation and take appropriate actions.</p>
<h3>Takeaways</h3>
<p>By addressing these &#8216;tension&#8217; factors and promoting a culture of cooperation and mutual respect, the relationship between the CEO, internal audit and management can be improved, leading to more effective risk management, a stronger control environment and governance practices within the organisation.</p>
<p>Taking a proactive approach, an internal audit department can help the company to identify and manage potential risks before they become major issues, and provide assurance that the company&#8217;s internal controls are effective in mitigating those risks.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit.</p>
<p>We have supported small to large organisations establish a cost effective internal audit function and to refine and optimise internal audit practices.</p>
<p>We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/">How The Smart CEO Gets More Value From Internal Audit</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Risk Management for Not-for-Profit Organisations</title>
		<link>https://inconsult.com.au/publication/risk-management-for-not-for-profit-organisations/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 23 Jun 2022 00:00:47 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=9821</guid>

<description><![CDATA[<p>Australia rates in the top 5 charitable countries in the world and there are currently around 60,000 registered charities/not-for-profit organisations in Australia, very small compared to the United States which has 1.54 million charitable organisations. Nevertheless, each charity and not-for-profit organisation makes an important impact on someone and &#8216;giving&#8217; to a charity or not-for-profit [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/risk-management-for-not-for-profit-organisations/">Risk Management for Not-for-Profit Organisations</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>Australia rates in the top 5 charitable countries in the world and there are currently around 60,000 registered charities/not-for-profit organisations in Australia, very small compared to the United States which has 1.54 million charitable organisations.</p>
<p>Nevertheless, each charity and not-for-profit organisation makes an important impact on someone and &#8216;giving&#8217; to a charity or not-for-profit is at the heart of our social fabric. Good governance, financial management and risk management are critical to maintaining registration as a charity, which is effectively its &#8216;licence to operate&#8217;, and the Board and management should do what they can to protect their charity from adverse risks and compliance breaches.</p>
<h2>Compliance obligations</h2>
<p>The Australian Charities and Not-for-profits Commission (ACNC) is the national regulator of charities and not-for-profit organisations.  To be registered with the ACNC, charities and not-for-profit organisations need to show that their organisation meets the requirement of being a not-for-profit.  In addition, they have mandatory reporting, notification, compliance and record keeping obligations that include:</p>
<ul>
<li>Reporting change of company details.</li>
<li>Advising change in responsible persons.</li>
<li>Reporting changes to governing documents (such as its constitution, rules or trust deed).</li>
<li>Keeping financial records that correctly record and explain their transactions and financial position.</li>
<li>Submitting an Annual Information Statement every year within six months of the end of a charity&#8217;s reporting period.</li>
<li>Complying with the Governance Standards that set out the minimum standard of governance, risk management and audit, to help promote public trust and confidence in charities.</li>
<li>Charities that operate overseas must comply with the External Conduct Standards, which require them to take reasonable steps to ensure appropriate standards of behaviour, governance, oversight and recordkeeping when undertaking activities or providing resources overseas.</li>
</ul>
<p>These &#8216;minimum&#8217; requirements are in addition to any other obligations a charity may have under other laws or to other Commonwealth, state and territory regulators such as the Australian Securities and Investments Commission (ASIC) and Australian Taxation Office (ATO).</p>
<h2>Staying compliant as a not-for-profit</h2>
<p>Complying with ACNC&#8217;s minimum reporting, notification, compliance and record keeping obligations is critical to maintaining your registration as a charity and not-for-profit organisation.  This registration is your &#8216;license to operate&#8217; as a charity.  Without this, you may not exist at all and your purpose/vision cannot be achieved.</p>
<p>The ACNC’s Governance Standards are the foundations.  They are a set of core, minimum standards that deal with how a charity is run (including its processes, activities and relationships).  There are 6 Governance Standards:</p>
<p style="padding-left: 40px;">1: Purposes and not-for-profit nature<br />
2: Accountability to members<br />
3: Compliance with Australian laws<br />
4: Suitability of Responsible Persons<br />
5: Duties of Responsible Persons<br />
6: Maintaining and Enhancing Public Trust and Confidence in the Australian Not-For-Profit Sector</p>
<p>In addition, there is a useful self-evaluation tool that aims to help charities assess whether they are meeting their obligations, and to identify issues that may prevent them from doing so. The self-evaluation comprises 10 short parts that cover each of the ACNC’s 6 Governance Standards and a charity’s other obligations to the ACNC. The questions and examples in the self-evaluation are only a guide and not a comprehensive list of compulsory requirements.</p>
<p>The ACNC has many other <a href="https://www.acnc.gov.au/tools" target="_blank" rel="noopener">resources</a> to help charities and not-for-profit organisations meet their compliance obligations.</p>
<h2>Risk management considerations</h2>
<p>What are the ACNC&#8217;s risk management requirements?</p>
<p>The self-evaluation and Governance Standards outline a number of specific risk management related matters that charities and not-for-profit organisations should consider.  The questions include:</p>
<ul>
<li>What are the risks most relevant to the charity’s work? Think about the risks the charity needs to manage. For example, working with vulnerable people, or working with third parties to deliver services.</li>
<li>Is the charity complying with all its regulatory obligations? This includes ACNC, ATO, ASIC etc.</li>
<li>Is there a process in place to identify and manage all compliance risks, including the risk of misuse from terrorism financing and other serious criminal activities?</li>
<li>Is the charity identifying and managing risks relating to conflicts of interest, failure to address potential harm to beneficiaries, and financial mismanagement?</li>
<li>Is there a policy to mitigate risks when working overseas or sending funds overseas?</li>
<li>Are there other financial controls in place to protect against risks such as fraud, terrorism financing and misuse of funds?</li>
<li>Do the Responsible People regularly conduct reviews of the charity’s risks and its risk management systems and processes?</li>
<li>Are there processes in place for identifying and managing the charity’s risks, including financial, operational and reputational risks?</li>
<li>Are the charity’s risks recorded in a Risk Register?</li>
</ul>
<p>So what does this mean for the Board and management?</p>
<p>At minimum, the ACNC wants each charity and not-for-profit entity to manage the risks most relevant to the work it performs.  Better practice risk management would require:</p>
<ul>
<li>Maintaining a risk management framework and practices that are appropriate to the size and operations of the organisation.</li>
<li>The Board defining its risk appetite and how it will be monitored.</li>
<li>Drafting a Board-approved risk management policy and plan/strategy that describes the key elements of the risk management framework.</li>
<li>Building management capabilities for understanding and managing risks.</li>
<li>Ensuring adequate time and resources are dedicated for reviewing risks and considering emerging risks.</li>
<li>Periodic reporting to the Board for risk oversight.</li>
</ul>
<p>Done well, risk management is a powerful management tool and may be the difference between success and failure.</p>
<h2>Compliance powers</h2>
<p>Whilst the ACNC aims to promote good governance and risk management practices, it also has significant powers to ask questions, gather information and monitor whether charities are meeting their obligations, and it can take action against charities not meeting their obligations.</p>
<p>If a charity fails to meet its obligations, the ACNC may:</p>
<ul>
<li>Issue a warning: notify the charity that it is not meeting its obligations and explain what action the ACNC may take.</li>
<li>Make a direction: direct the charity to do or not do something.</li>
<li>Issue an enforceable undertaking: make arrangements with the charity for what it needs to do to meet its obligations &#8211; these arrangements can be enforced by a court.</li>
<li>Seek an injunction: ask a court to make the charity do or not do something.</li>
<li>Suspend or remove a Responsible Person (for example, a member of the charity&#8217;s board or committee).</li>
<li>Disqualify, for 12 months, a Responsible Person who has previously been suspended or removed. During that time, the person is not allowed to be a responsible person of any charity and will be listed on the disqualified persons register.</li>
<li>Revoke the charity’s registration (which may affect its eligibility for tax concessions).</li>
<li>Apply administrative penalties if it makes false or misleading statements or fails to submit documents on time.</li>
<li>Publish compliance decisions to &#8216;name and shame&#8217; the organisation and warn the public.</li>
</ul>
<h2>Risk based approach to regulation</h2>
<p>When deciding whether to use its powers or make certain decisions, the ACNC considers the following matters:</p>
<ul>
<li>Type of problem/issue/incident.</li>
<li>Person or situation at risk (for example, whether it affects people, money or public trust and confidence generally).</li>
<li>Nature and degree of potential harm.</li>
<li>Likelihood and frequency of the problem occurring or reoccurring.</li>
<li>Risk profile of the charity (for example, its size, its processes for accountability and its history of compliance and cooperation).</li>
<li>Behaviour of the charity&#8217;s Responsible Persons.</li>
</ul>
<p>As you can see, the ACNC uses a risk-based approach to regulation. Therefore, managing the risks in your charity or not-for-profit is not negotiable and is absolutely critical.</p>
<h2>How we can help your not-for-profit take better risks</h2>
<p>InConsult works with leading <a href="https://inconsult.com.au/not-for-profit/">not-for-profit</a> organisations.  We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management, resilience and audit capabilities include:</p>
<ul>
<li>Supplying an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Undertaking risk culture assessments.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, sustainability, modern slavery, third party risk and fraud risk.</li>
<li>Providing a co-sourced or outsourced internal audit service that is appropriate to the size, risk and complexity of your organisation.</li>
<li>Web-based risk management, audit, compliance and incident management technology.</li>
</ul>
<p>Take your charity or not-for-profit to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/risk-management-for-not-for-profit-organisations/">Risk Management for Not-for-Profit Organisations</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Rise of the Risk Officer</title>
		<link>https://inconsult.com.au/publication/the-rise-of-the-risk-officer/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 26 May 2022 09:35:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=9534</guid>

					<description><![CDATA[<p>Whilst risk management has been around in various shapes and forms for thousands of years, the role of the Risk Officer or Chief Risk Officer in larger organisations, as a trusted advisor to the board and management and the leader of risk management and resilience activities, is relatively new compared to other professions like accountants, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-rise-of-the-risk-officer/">The Rise of the Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>Whilst risk management has been around in various shapes and forms for thousands of years, the role of the Risk Officer or Chief Risk Officer in larger organisations, as a trusted advisor to the board and management and the leader of risk management and resilience activities, is relatively new compared to other professions like accountants, lawyers, and auditors. Even today, the role continues to evolve to meet the ever-changing business demands and environment.</p>
<p>The demand for a highly versatile and more strategic risk professional has been increasing steadily over the last 30 years.  But in recent years, there has been a rapid acceleration in demand due to the uncertainties and risks experienced during the COVID-19 pandemic, increasing frequency of cyber-attacks, more challenging geopolitical and cultural issues, growing regulatory requirements and the need to consider climate change risk impacts.</p>
<p>Let’s take a walk down memory lane to see how the role of the Risk Officer has evolved over 30 years and some of the contributing factors.</p>
<h2><strong>Pre-1990: Risk Management by Silos</strong></h2>
<p>Before the 1990&#8217;s, relatively few organisations had a designated Risk Officer or a formal risk management function.  In most cases, the management of risk was built into systems and processes.</p>
<p>Formal risk assessments were often paper-based forms and checklists at project, function or activity level. The main tool for identifying major risks was the &#8216;threat&#8217; identification piece in the <a href="https://www.mindtools.com/pages/article/newTMC_05.htm" target="_blank" rel="noopener">SWOT</a> (Strengths, Weaknesses, Opportunities, and Threats) analysis.</p>
<p>At a decision-making level, the <a href="https://www.debonogroup.com/services/core-programs/six-thinking-hats/" target="_blank" rel="noopener">Six Thinking Hats</a> approach created by Edward de Bono in the mid-80s was a popular way of looking at issues and decisions from a variety of perspectives. The six hats were different colours, and the black hat was about being cautious and assessing risks, which required employing critical judgement and identifying concerns.</p>
<p>More &#8216;sophisticated&#8217; risk management functions, policies, plans, systems, techniques and processes could be found, but often in silos and only in a few sectors:</p>
<ul>
<li>Large, international financial service organisations employed Risk Officers who were responsible for approving higher risk loan contracts, overseeing investment/trading positions and monitoring large financial transactions.  In the 1970s, financial institutions began using Monte Carlo simulations to value and analyse financial instruments and investment portfolios by simulating the various sources of uncertainty affecting their value.</li>
<li>Big and complex manufacturing, engineering and mining organisations employed a Safety Officer responsible for the safety of people, while engineers were responsible for the equipment, quality of output and continuity of production.</li>
<li>Public and private sector organisations seeking Quality Management System (QMS) certification under the ISO 9000 family of quality standards, first published in 1987, had to document their quality processes and corrective actions to obtain certification, which pushed them towards more structured thinking about risk (explicit risk-based thinking did not become an ISO 9001 requirement until the 2015 edition).</li>
<li>Risk-based auditing was alive and well.  It required auditors to identify and evaluate the risks and controls at process and activity level.</li>
</ul>
<p>Risk management existed, but it was ad-hoc and not well understood across the business with little oversight by the governing body.</p>
<h2><strong>Early 1990s: A New Standard Emerges</strong></h2>
<p>As more organisations looked to achieve quality management certification and apply a QMS, there was a big knowledge gap with respect to risk management. There were very few risk management books and risk management practitioners around in the early 1990s.  There was no Google and no YouTube for resources and tips!</p>
<p>Many organisations started to develop their own risk management approach and guidelines with mixed results.</p>
<p>In 1993, the first Chief Risk Officer role is reported to have been created at GE Capital, with <a href="https://www.linkedin.com/in/james-lam-93328/" target="_blank" rel="noopener">James Lam</a> as its first holder. Over the next five years, larger financial institutions followed by recruiting Risk Officers.</p>
<p>In 1995, Standards Australia and Standards New Zealand jointly released <a href="https://www.lexology.com/library/detail.aspx?g=bf8d5faa-c80c-45dd-8676-b0ee6c4e8c2f" target="_blank" rel="noopener">AS/NZS 4360:1995 Risk Management Standard</a>. It became the first widely adopted general-purpose risk management standard and, after revisions in 1999 and 2004, was superseded in 2009 by the international standard ISO 31000:2009 Risk management – Principles and guidelines, which drew heavily on it.</p>
<p><img loading="lazy" decoding="async" class="aligncenter" title="AS/NZS 4360" src="https://d2dzik4ii1e1u6.cloudfront.net/images/lexology/static/919c0e3c-af27-4bd0-98e1-d01061bc78dd.PNG" alt="Risk Officer" width="648" height="422" /></p>
<p>AS/NZS 4360 did not mandate the role of a Risk Officer per se, it just guided an organisation in designing and implementing an appropriate risk management framework. For the first time, a Standard was available to help answer the question &#8211; how should we think about and manage risk more proactively and more formally?</p>
<p>Following its publication, many organisations started to apply the AS/NZS 4360 Standard. The Standard was referenced widely in risk management guidelines by industry and professional bodies.  It became the &#8216;go-to&#8217; Standard to help manage risk.</p>
<p>So the new AS/NZS 4360:1995 Risk Management Standard helped to define how risks should be managed, but organisations often lacked the resources, skills, expertise and experience in risk management.</p>
<p>Who had the skills to help? Where would future risk resources and the Risk Officer come from?</p>
<h2><strong>Late 1990s: Growing Need but Limited Talent Pool</strong></h2>
<p>By the late 1990s, the adoption of technology had accelerated.  The &#8216;Tech Boom&#8217; was on! US technology stock valuations fuelled more investment in internet-based companies and the dotcom bubble was growing exponentially. Organisations introduced personal computers and local servers, and business processes changed as they moved away from pen and paper to computers and hard disks.</p>
<p>It seemed a great time for technology and telecommunications-driven organisations like Apple, Microsoft, WorldCom and Enron in the US and One.Tel in Australia.</p>
<p>However, a large talent pool of risk management professionals who understood the depth and breadth of enterprise-wide risks in this new and more complex world did not exist. Such talent was mostly found in the audit divisions of large accounting firms, large financial institutions and large insurance brokers.</p>
<p>Risk management education as we know it today didn&#8217;t really exist either. It was available in pockets and was contextualised to an industry or membership association.  The Institute of Internal Auditors was founded in 1941 and the Risk and Insurance Management Society, Inc. (RIMS) in 1950.  Both provided some form of risk management training, incorporated into one or two modules of study. At the time:</p>
<ul>
<li>Insurance professionals understood the concept of risk and physical hazards, but had limited understanding of operational risks.</li>
<li>Banks were brilliant at quantitative risk analysis and modelling.</li>
<li>Engineers understood technical design, production risk and project risk very well.</li>
<li>Information technology professionals were security conscious, but the risks were seen as mainly internal and centred on availability, physical security and access controls.  The Y2K bug was around the corner and the internet was still evolving. Organisations were becoming more interconnected, but intrusions were still widely perceived as the work of hobbyists seeking notoriety rather than as an organised threat to business data and money, a perception the following decade would overturn.</li>
<li>Accountants had a great understanding of financial risks and some basic knowledge of operational and strategic risks via the business planning process.</li>
<li>Internal and external auditors (who were often qualified accountants) were seen as best positioned to help, thanks to their training and experience in risk-based audit methods. Although not perfect, auditors were recognised and respected for their ability to assess company-wide risks and monitor control effectiveness. Internal auditors had one more advantage &#8211; they worked across many departments, projects and functions and could see broader risks and how they connected.</li>
</ul>
<p>The lack of risk management talent meant that risks continued to be managed in silos, and in most companies there was no formal risk function or person responsible for looking at risks across the organisation.  Often, no one was specifically designated to help management understand, evaluate, manage and monitor the big risks.</p>
<p>With the dotcom bubble came more opportunity, more innovation and more risk taking.  But there was now a risk management standard from Australia and New Zealand gaining popularity around the world, and an array of professionals who could think about and manage specific areas of risk.</p>
<p>What can possibly go wrong?</p>
<h2><strong>Early 2000s: The Scandals of the Noughties</strong></h2>
<p>The spectacular collapse of Barings Bank in 1995 highlighted not only the importance of managing risk, but the importance of risk oversight and the need for strong internal controls to manage operational risk in a world now relying more on technology with an appetite for taking even more risk.  Remember banks are the masters of quantitative risk analysis!  Is that enough?</p>
<p>Barings Bank was founded in 1762 and was one of England&#8217;s oldest and best capitalised merchant banks.  Money wasn&#8217;t an issue. It was the bank used by the Queen of England. However, it took one person, halfway across the world (in Singapore) who circumvented normal accounting, internal controls and audit safeguards to send the bank into bankruptcy. Dutch bank ING later purchased Barings Bank in 1995 for the nominal sum of £1.</p>
<p>But it wasn&#8217;t until the new millennium (the noughties) that we saw a spate of high-profile collapses that included Enron, WorldCom, Swissair, Kmart, Arthur Andersen, Parmalat, CINAR, FlowTex, MG Rover, HIH and One.Tel. These failures had an adverse impact on people, the economy, the stock market, politicians and stakeholder confidence.</p>
<p>After these collapses, the political and social tolerance for future failures reduced significantly.  We saw regulators around the world strengthen risk management and governance practices through various instruments including legislation, prudential standards and guidelines.  For example:</p>
<ul>
<li>The Sarbanes-Oxley Act was introduced in the United States in 2002.</li>
<li>New prudential and reporting standards were introduced in Australia in 2002, and in Singapore and the United Kingdom.</li>
<li>Risk management practices for listed companies were strengthened through the release of the ASX Corporate Governance Council&#8217;s Corporate Governance Principles and Recommendations in 2003.</li>
<li>Rating agencies started evaluating risk management systems as part of their credit rating assessments.</li>
<li>COSO, the Committee of Sponsoring Organizations of the Treadway Commission, gave enterprise risk management its first widely adopted framework definition when it published the Enterprise Risk Management—Integrated Framework in 2004.</li>
<li>Increased oversight responsibilities for the governing body/Board over risk management governance and practice.</li>
</ul>
<p>One of the first books on enterprise risk management, <a href="https://www.amazon.com.au/Enterprise-Risk-Management-Incentives-Controls/dp/0471430005/ref=sr_1_1?keywords=9780471430001&amp;linkCode=qs&amp;qid=1653598419&amp;s=books&amp;sr=1-1" target="_blank" rel="noopener">Enterprise Risk Management: From Incentives to Controls</a>, was published by James Lam in 2003.  It became a best seller and an important reference point for aspiring Risk Officers.</p>
<p>The bar had now been raised. Organisations were required to establish more formal, structured and proactive risk management processes, well beyond the previous siloed approach to risk thinking.</p>
<p>This demanded a more strategic approach to risk management, backed by leadership, structure and resources.</p>
<p>Can risk management save the world? Not quite!</p>
<h2><strong>Late 2000s: The Global Financial Crisis</strong></h2>
<p>Whilst the US Sarbanes-Oxley Act of 2002 did well to reduce the risk of inaccurate financial reporting (the root problem at Enron and WorldCom), its focus was too narrow.  A very simple interpretation of the Act is &#8220;take whatever risk you like, just make sure your annual accounts are correct, let someone know if they&#8217;re not, otherwise you will end up in jail for a long time!&#8221;.  Feel free to read the entire Act when you have time. Yes, it is a narrow and siloed approach to risk management.</p>
<p>Meanwhile, other law makers and regulators had taken a broader and more strategic approach to risk management.  For example, following the HIH collapse in 2001, the Australian Prudential Regulation Authority (APRA) required the financial institutions it regulated to adopt, from 2002, a more comprehensive risk management approach covering all risk categories.  The framework could be risk-based and could draw on the AS/NZS 4360 Risk Management Standard, but it had to include formal plans, systems and procedures with clear responsibilities for activities.  It was basically saying &#8220;manage all your risks very well, or we will take your licence to operate away from you&#8221;.</p>
<p>Well, thanks to the Global Financial Crisis (GFC) between 2007 and 2009, we know which of the above approaches was more effective.  During the GFC, we saw very large US-based financial institutions like Lehman Brothers, IndyMac, Bear Stearns, AIG and Washington Mutual collapse due to very poor risk-taking and deficient investment practices. Sure, the Sarbanes-Oxley Act was successful in reducing the risk of creative accounting, but it failed to encourage better enterprise-wide risk management practices.</p>
<p>The lesson here is clear: risk management is only as good as its weakest link, and a broader risk management approach is always better.</p>
<h2><strong>The Risk Officer Today</strong></h2>
<p>As you can see, the role of the Risk Officer is relatively new compared with other professions, but it has now been around for several decades.</p>
<p>There has been a shift from a siloed approach to managing risk to a more structured, proactive and integrated risk management approach and broader oversight of risks by management and the governing body.</p>
<p>The adverse consequences from the spectacular corporate failures of the last 30 years have also shaped risk management practices and reinforced the need for a dedicated Risk Officer today.</p>
<p>Like any other field of management, risk management is not perfect.  The Risk Officer helps the governing body and management navigate the issues.</p>
<p>Fortunately for many organisations, the role of a dedicated Risk Officer or Chief Risk Officer is now well entrenched into many well run and successful organisations. Sure, an effective risk management framework and a capable Risk Officer who leads risk management does not mean that nothing will ever go wrong, but done well, it does help reduce the frequency and impact of the big risks and nasty surprises.</p>
<p>Today, the Risk Officer or the Chief Risk Officer in larger organisations, is the designated leader for enterprise-wide risk management responsible for a number of activities that include:</p>
<ul>
<li>Designing, operating, embedding, maintaining and continually improving the enterprise risk management framework.</li>
<li>Monitoring the risk management framework and practices to ensure it operates as designed.</li>
<li>Providing analysis, advice and support to the Board, Audit and Risk Committee and all lines of management on risk management matters.</li>
<li>Encouraging a proportionate and balanced approach to risk taking, while also having the courage to call out decisions that involve excessive risk taking beyond the capacity, appetite, values and capability of the organisation.</li>
<li>Co-ordinating the delivery of appropriate and relevant training to enhance risk management capabilities across the organisation and promote a positive risk, compliance and control culture.</li>
<li>Reviewing and enhancing key risk management related documents including risk registers, incident registers, risk profiles, policies, plans, risk appetite statement, procedures and authorities to realign to the changing environment and business needs.</li>
</ul>
<p>The specific activities of the Risk Officer outlined above are not exhaustive and will vary on the nature, size and complexity of the organisation as well as stakeholder requirements. The important point here is the Risk Officer now has a seat at the table with the governing body and management.</p>
<p>A capable Risk Officer can build positive relationships across the organisation, promote the benefits of managing risks, support managers and help navigate risk and uncertainty using both simple and complex risk assessment techniques.</p>
<p>Whilst the US Bureau of Labor Statistics projected that hiring for Risk Officer positions would rise by 11% through 2022, sadly, not all large, complex and growing organisations see a need for a formal risk management function or a dedicated Risk Officer. Risk management is often one of many responsibilities of the Company Secretary, Audit Manager, Governance Manager or Finance Manager.  That doesn&#8217;t mean that these organisations are necessarily worse off, but it can make effectively managing risks more challenging as it competes with other activities, management time, priorities and resources.</p>
<h2><strong>Broad Based Skills are Key to Success</strong></h2>
<p>According to Willis Towers Watson, most Risk Officers agree that exceptional analytical skill alone is not sufficient. The most successful Risk Officers combine analytical skills with highly developed commercial, strategic, leadership and communication skills to drive change and make a difference in an organisation. Risk Officers typically have postgraduate education and over 20 years of experience, often with accounting, economics, legal or actuarial backgrounds.</p>
<p>Another study, by Morgan McKinley, found that a successful Risk Officer must be able to deal with complexity and ambiguity and understand the bigger picture.</p>
<h2><strong>How we can help you take better risks</strong></h2>
<p>We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-rise-of-the-risk-officer/">The Rise of the Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Assurance or Consulting? Maximising Internal Audit Value</title>
		<link>https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 15 Sep 2021 06:04:32 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=7812</guid>

					<description><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the Three Lines Model by the Institute of Internal Auditors. But consider the following scenario: As part of the development of the organisation’s next internal audit [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the <a href="https://www.iia.org.au/technical-resources/professionalGuidance/the-iia's-three-lines-model" target="_blank" rel="noopener">Three Lines Model</a> by the Institute of Internal Auditors.</p>
<p>But consider the following scenario:</p>
<ul>
<li>As part of the development of the organisation’s next internal audit plan, management tells the Chief Audit Executive (CAE) that “Process A” is completely defective. It’s not working as intended, there are some large risks, there are regular issues and errors and Process A desperately needs review.</li>
<li>At management’s request, the CAE includes an internal audit of Process A as a high priority on the audit plan.</li>
<li>Internal audit conducts an assurance audit of Process A and confirms that it is indeed a mess and needs urgent review and remedial action. Remedial options are presented and recommendations for improvement are made.</li>
<li>Management expresses disappointment in the audit outcome because they already knew the process was broken and they thought an audit would help to fix it.</li>
<li>Management defers or disagrees with the timing of a number of audit recommendations because there are insufficient resources available to fix the problem.</li>
</ul>
<p>Sound familiar? How much value has internal audit really added?</p>
<h3>The role of internal audit</h3>
<p>Often the root cause of the above scenario is a lack of understanding about the potential roles that internal audit can play.</p>
<p>According to the Institute of Internal Auditors, the definition of internal audit is:</p>
<p style="padding-left: 40px;"><em>“… an independent, objective assurance <strong>and consulting</strong> activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”</em></p>
<p>This definition recognises that internal audit can undertake two broad types of activities – assurance and consulting. Whilst assurance engagements are relatively commonplace and generally well understood, internal audit consulting engagements are perhaps less prevalent.</p>
<h3>Internal audit as consultants</h3>
<p>The Internal Audit Standards define consulting services as:</p>
<p style="padding-left: 40px;"><em>“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”</em></p>
<p>Going back to our scenario above, would a better approach be to consider whether internal audit could provide consulting services to assist those responsible for Process A to design and implement process improvements and more robust controls? Rather than spending time and resources independently corroborating what management already knew, wouldn’t it be better to get in and help fix the problem?</p>
<p>The above scenario highlights a common problem whereby management and even the internal audit function have a limited or conflicting view of the role of internal audit. There is often an automatic assumption that everything on the audit plan is an assurance assignment that involves testing controls and providing assurance. If consulting or advisory services are required, these typically get added to the internal audit work program as extras or one-offs after the plan has been adopted.</p>
<h3>Extracting more value from internal audit</h3>
<p>But there is no reason why the audit plan can’t include consulting assignments. If an area or process has already been identified as requiring remedial action and the responsible business unit needs help and assistance to do this, why can’t it be included on the audit plan as a consulting engagement?</p>
<p>This is envisaged by the Internal Audit Standards which state:</p>
<p style="padding-left: 40px;"><em><strong>“2010.C1 – </strong>The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”</em></p>
<p>The Standards also provide considerable guidance on everything from scoping a consulting engagement to ensuring that internal audit maintains independence and doesn’t assume management responsibility.</p>
<p>For example, the Standards state:</p>
<p style="padding-left: 40px;"><em><strong>“2201.C1 – </strong>Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C1 – </strong>Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C2 – </strong>Consulting engagement objectives must be consistent with the organization&#8217;s values, strategies, and objectives.”</em></p>
<h3>Overcoming internal audit independence issues</h3>
<p>In relation to the potential for a consulting engagement to impair a future assurance review, the Standards provide:</p>
<p style="padding-left: 40px;"><em><strong>“1130.A3 – </strong>The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”</em></p>
<p>If there are concerns that a consulting engagement may impair a future assurance review another option would be to outsource the assurance review especially if it is within a year or two of the consulting engagement. Diagram 1 below provides some guidance on consulting roles that internal audit should and shouldn’t undertake.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-7816 size-full" src="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg" alt="internal audit, audit" width="1293" height="408" srcset="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg 1293w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-300x95.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-1224x386.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-768x242.jpg 768w" sizes="(max-width: 1293px) 100vw, 1293px" /></p>
<p style="text-align: center;"><em>Diagram 1: Consulting roles internal audit should and shouldn’t undertake</em></p>
<p>As indicated already, part of the problem may stem from a lack of understanding by management and the Audit Committee that internal audit can play a consulting role as well as an assurance role. If this is the case, then there is a need for CAEs to educate management and the Committee about the different ways in which internal audit can add value to the organisation.</p>
<p>In some jurisdictions, there is a specific requirement for Audit Committees to look at business improvement initiatives. For example, the NSW Local Government Amendment (Governance and Planning) Act 2016 will, once commenced, require councils to have an Audit, Risk and Improvement Committee. Amongst other things, the Committee will be required to keep under review programs and measures to improve the performance of the council and the services it provides. This could be partly achieved by engaging internal audit to undertake or assist with service reviews and process improvements.</p>
<h3>Takeaways</h3>
<p>So in summary, it is really important to understand the role internal audit can play in your organisation to add value.  Next time someone suggests that an internal audit of a broken process would be a good idea, consider whether a consulting-type engagement to help fix the process would be preferable to an assurance audit that confirms what everyone already knew. If it is, then, subject to resourcing, experience and capacity constraints, include it on the internal audit plan.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit.  We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Climate Risk Guide for Directors</title>
		<link>https://inconsult.com.au/publication/climate-risk-guide-for-directors/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Mar 2021 03:24:46 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5780</guid>

					<description><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-guide-for-directors/">Climate Risk Guide for Directors</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and other services, as well as wider human and animal welfare.</p>
<p>As a company director, you have a duty of care and diligence under section 180 of the Corporations Act 2001 and under the common law. Organisations are increasingly focusing on the impact of climate change and environmental issues on current and future corporate performance. The Board, CEO and leaders have started to realise that climate risks and opportunities are not abstract concepts, but are essential for creating a sustainable business model that delivers long-term value.</p>
<p>This guide aims to help directors understand their climate risk responsibilities, ask questions and take steps in the right direction. The guide includes:</p>
<ul>
<li>a valuable checklist that directors can use to evaluate their climate risk posture.</li>
<li>a summary of the legal and regulatory climate reporting and disclosure requirements.</li>
<li>typical climate risk assessment challenges that are often experienced.</li>
</ul>
<h3>What&#8217;s inside the Climate Risk Guide</h3>
<ul>
<li>The Consequences for Breaching Directors’ Duties.</li>
<li>The Regulatory Landscape and Climate Change.</li>
<li>Recognising and Managing Climate Risks and Opportunities.</li>
<li>Disclosing Climate Related Risks.</li>
<li>Beware the Challenges Ahead.</li>
<li>The Board’s Climate Risk Checklist</li>
</ul>
<h3>Download today</h3>
<p>Our Climate Risk Guide is complimentary, download your copy.</p>
<h3><a href="https://inconsult.com.au/wp-content/uploads/2021/01/Climate-Risk-What-the-Board-of-Directors-Need-to-Know-vFinal.pdf" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5785" src="https://inconsult.com.au/wp-content/uploads/2021/03/get-the-guide.jpg" alt="" width="160" height="42" /></a></h3>
<h3>How we can help you manage climate risk</h3>
<p>We are here to help you on your climate change risk journey. Our services include:</p>
<ul>
<li>Climate-risk awareness and TCFD compliance training.</li>
<li>Facilitation of workshops and financial climate change impact assessments to identify and understand the threats that climate change poses to your organisation.</li>
<li>Scenario analysis of the identified threats, examining different possible scenarios over the short, medium and long term for a particular asset, activity or area.</li>
<li>A roadmap to enhance the organisation’s climate change risk management strategy.</li>
<li>Reviews to ensure regulatory disclosures are robust and relevant.</li>
</ul>
<p>How far do you want to go to minimise the impact of climate change on your business? Be more resilient and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Achieving Cyber Resilience: A New Framework</title>
		<link>https://inconsult.com.au/publication/achieving-cyber-resilience/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Sun, 28 Feb 2021 21:17:49 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5700</guid>

					<description><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never been more important.</p>
<p>What does cyber resilience really mean? How is it different from cyber security? What are the essential elements of cyber resilience? At InConsult, we help build more resilient organisations, so in this publication we take a deep dive into the topic of cyber resilience.</p>
<h3>What is cyber resilience?</h3>
<p>The US National Institute of Standards and Technology (NIST) defines cyber resilience as &#8220;the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.&#8221;</p>
<p>At its core, cyber resilience is the ability to anticipate, prepare for, respond to and recover from cyber attacks or disruptions impacting information technology. It acknowledges that cyber security on its own is not enough. Cyber resilience is built on the premise that disruptions, attacks and incidents are bound to occur and availability should continue even when affected by adverse cyber events. So, while it would be great to prevent them, organisations should take time to plan how they will detect, respond and successfully recover.</p>
<p>Cyber security is a subset of cyber resilience that focuses on preventing cyber attacks and incidents. It consists of the technologies, processes and measures designed to protect systems, networks and data from cyber attacks. It is proactive and aims to significantly reduce the likelihood and impact of adverse events before they ever happen.</p>
<p>Hackers are always looking for vulnerabilities or weak points to exploit opportunistically. These weaknesses are not always ineffective cyber security controls; they can be weaknesses in human psychology or simple human error. In fact, according to Gartner, system misconfigurations accounted for over 75% of breaches. In another study, 40% of breaches occurred due to human error. So it is reasonable to assume that misconfigurations, human errors and disruptions will occur and that hackers will eventually gain access to your network, systems and data, and therefore you should always prepare for the worst.</p>
<p>Accepting that a cyber attack will occur does not mean you are giving in to hackers. It does not mean you should be complacent about your cyber security.  It simply means you are prepared and ready.</p>
<h3>What are the benefits of cyber resilience?</h3>
<p>As a result of developing a robust cyber resilience framework, organisations will have in place layers and layers of internal controls, across all information systems, at different levels in an organisation and at different stages of preparedness.  Done well, an effective cyber resilience framework delivers many benefits:</p>
<ul>
<li>Improves overall cyber risk governance and culture</li>
<li>Proactively anticipates the types of cyber risks</li>
<li>Strengthens internal systems, plans and processes to prevent, detect and recover from a cyber attack</li>
<li>Enhances existing controls through continual review and improvement</li>
<li>Enhances compliance with regulatory requirements</li>
<li>Reduces financial costs and productivity losses</li>
<li>Protects the organisation&#8217;s brand and reputation</li>
</ul>
<h3>What are the key elements of cyber resilience?</h3>
<p>After an in-depth literature review of several cyber resilience frameworks, and from our own experience working with a range of clients, we have proposed a cyber resilience framework containing six essential elements.</p>
<p>No framework will ever be perfect or suitable for every organisation. However, our cyber resilience framework has a number of subtle differences from the current frameworks we observed, such as:</p>
<ul>
<li>Governance is the first step and forms the foundations of cyber resilience.  Governance exists across all elements of the framework.</li>
<li>We separate resilience into two states &#8211; (1) the pre-incident state and (2) the post-incident state.</li>
<li>We include &#8216;refine&#8217; as a centrepiece of the framework to ensure continuous improvement is considered before and after an incident.</li>
</ul>
<p><img loading="lazy" decoding="async" class="size-full wp-image-5702 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg" alt="" width="1081" height="643" srcset="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg 1081w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-300x178.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-768x457.jpg 768w" sizes="(max-width: 1081px) 100vw, 1081px" /></p>
<h3>1. Governance</h3>
<p>Achieving cyber resilience is unlikely to happen unless there is a formal and proactive governance framework in place that outlines the organisation’s intent, commitment, practices, plans and responsibilities for achieving cyber resilience. The level of governance will vary depending on the size, complexity and nature of each organisation.</p>
<p>The cyber resilience framework can be stand-alone or part of a broader resilience framework. Whatever you choose, it should be aligned to the overall governance and risk management framework of the organisation. This means documented strategies, principles, policies, rules and procedures are in line with the overall governance framework as well as the organisation’s IT strategy.</p>
<h4>The board</h4>
<p>Cyber resilience must be a primary focus of the board (or governing body) and senior management. They must provide leadership and commitment to help define the organisation’s culture. It is not something that can be left solely to the Chief Information Officer, security team or incident response team.</p>
<p>Boards should take ownership of cyber resilience oversight and ensure key policies and written directions are reviewed on a periodic basis. The board should also support and participate in key cyber risk management decisions, and receive regular updates on security issues, risks and overall compliance.</p>
<h4>Accountability</h4>
<p>Roles and responsibilities within the framework should be well defined. At minimum, roles and responsibilities should be defined across the three lines e.g. the board and committees, senior management, risk management and internal and external audit.</p>
<p>It is important to also identify the key stakeholders within the cyber resilience framework to ensure their needs are addressed. Stakeholders will be internal and external &#8211; including vendors, security analysts and threat intelligence agencies.</p>
<h4>Continual improvement</h4>
<p>A process for monitoring, reviewing, exercising and continually improving the resilience framework should also be in place.  This can include well-known improvement practices such as PDCA (Plan-Do-Check-Act) or ITIL’s Continual Service Improvement.</p>
<h3>2. Identify</h3>
<p>Once the baseline governance structures are in place, the next step is to anticipate and recognise the range of possible cyber risks, their causes and consequences. This step is about better understanding your organisation&#8217;s environment and cyber risk posture.</p>
<h4>Risk assessment</h4>
<p>A formal cyber risk assessment is used to identify, analyse, evaluate and prioritise the risks arising from the operation and use of information systems and networks, including key vendors across the supply chain. The risk assessment should:</p>
<ul>
<li>Consider the information assets and owners.</li>
<li>Consider the value of information.  If boards and senior management understand the value of their data to those with malicious intent, if they know where that data is, how it is protected, and who has access to it (including external sub-contractors), then they are in a stronger position to implement a cyber resilient business model.</li>
<li>Identify and prioritise information assets e.g. hardware, software, data and processes.</li>
<li>Identify the compliance obligations across the legal jurisdictions you operate in.</li>
<li>Identify cyber risks and sources e.g. unauthorised access, service disruption, human error.</li>
<li>Identify and evaluate the many layers of controls that currently exist and the effectiveness of their assurance.</li>
<li>Determine the level of risk that remains after the controls are considered.</li>
<li>Prioritise risks and develop additional risk treatments as required.</li>
</ul>
<h4>Risk identification</h4>
<p>There are many ways to identify cyber risks.  Typically, organisations use several methods including:</p>
<ul>
<li>Brainstorming</li>
<li>Focus groups</li>
<li>Experience and knowledge</li>
<li>Scenario analysis</li>
<li>Incident analysis</li>
<li>Data analytics</li>
<li>Penetration test results</li>
<li>External security experts</li>
<li>Industry experts</li>
</ul>
<p>The risk assessment process should follow good practice standards such as <a href="https://www.iso.org/standard/65694.html" target="_blank" rel="noopener">ISO 31000 Risk management – Guidelines</a> or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance, which addresses how companies can use enterprise risk management (ERM) frameworks to assess cyber risks.</p>
<p>Identification of risks is not a one-off activity. Since hackers are continually finding new ways of penetrating systems and escaping detection, it is critical that risks and controls are evaluated regularly.</p>
<h3>3. Protect</h3>
<p>Now that the risks are known, this element is about implementing the right controls (policies, procedures, plans, activities) to either prevent or mitigate the impact of a cyber risk.</p>
<p>What are we protecting? What are we trying to achieve? At this point, let&#8217;s look at the cyber security CIA Triad.</p>
<h4>Confidentiality, integrity and availability</h4>
<p>The CIA Triad is a security model that helps people think about the various elements of IT security. It comprises three elements:</p>
<ul>
<li>Confidentiality &#8211; the set of rules that restricts access to information to the right people</li>
<li>Integrity &#8211; ensures the information is trustworthy and accurate</li>
<li>Availability &#8211; a guarantee that the information is readily available to authorised people when needed</li>
</ul>
<p>These elements of the CIA Triad security model are considered the three most important concepts within information security.</p>
<h4>Types of controls</h4>
<p>To protect the organisation, layers, and layers, and layers of rigorous controls are needed. Why? In the event one layer fails, there are other layers that work to reduce the cyber risks. In fact, good cyber security will require a wide range of controls that work in different ways and at different points.  Controls will have different characteristics such as:</p>
<ul>
<li>Preventative controls e.g. passwords or passphrases</li>
<li>Detective controls e.g. intrusion detection systems</li>
<li>Corrective controls e.g. data back up and recovery</li>
<li>Hard controls e.g. user access logs</li>
<li>Soft controls e.g. policies, training</li>
</ul>
<h4>Layers of controls</h4>
<p>Now that we know the characteristics of internal controls, here are some examples of controls that help protect from cyber risks:</p>
<ul>
<li>Information and security policies covering data, computers and devices, emails and internet sites</li>
<li>Physical and environmental security</li>
<li>Network and communications security</li>
<li>Network segmentation and segregation procedures</li>
<li>Data encryption at rest and in transmission</li>
<li>Patch management</li>
<li>Configuration and change management</li>
<li>Application controls</li>
<li>User application hardening</li>
<li>Enforcement of a strong password policy</li>
<li>Use of passphrases instead of passwords to protect highly sensitive data</li>
<li>Systems security</li>
<li>Email and web content filtering</li>
<li>TLS encryption between email servers</li>
<li>Asset classification and management</li>
<li>Endpoint security &amp; intrusion detection</li>
<li>Identity and user access control</li>
<li>Email spoofing policies (e.g. DMARC)</li>
<li>Multi-factor authentication</li>
<li>Regular review and securing of administrative privileges</li>
<li>Security team competence and regular training</li>
<li>Redundancy and backup systems of data and applications</li>
<li>Decommissioning of systems no longer needed</li>
<li>Crisis management team exercises</li>
<li>Cyber security staff awareness training</li>
<li>Email phishing simulations</li>
<li>Vendor risk assessment and formal risk management</li>
<li>Formal incident response and recovery plans</li>
<li>Cyber liability insurance</li>
</ul>
<p>The bottom line is, every layer counts and every layer is important.</p>
<h4>Control monitoring</h4>
<p>Final warning! Just because you have layers of controls to protect the organisation does not mean you can stop thinking about cyber risks.  Effective cyber resilience requires continuous monitoring, review and investment in upgrading and refining of these protective systems as a normal part of business.  An appropriate budget is therefore critical.</p>
<h3>4. Detect &amp; Refine</h3>
<p>Having effective controls to protect against cyber risks is only part of the solution.  Ongoing, active and continual monitoring of the wider network and information systems to detect and escalate issues and potential cyber security incidents quickly is a key element of cyber resilience.</p>
<h4>Early warning systems</h4>
<p>Organisation-wide continuous monitoring and incident detection systems are implemented to monitor the organisation&#8217;s network and systems using intrusion detection systems and Security Information and Event Management (SIEM) technologies. They are designed to detect and alert management to anomalies, including unusual user behaviour and abnormal changes in information across the network, measured against a baseline reference of ‘normal’ activity.</p>
<p>It is good practice to have automated dynamic analysis of email and web content that blocks suspicious behaviour when identified.</p>
<h4>Penetration testing</h4>
<p>Engaging information security specialists to attempt to break into the organisation’s networks, e.g. through penetration testing, ethical &#8216;white hat&#8217; hackers or &#8216;red teaming&#8217;, also helps to detect weaknesses.</p>
<h4>Vendor monitoring</h4>
<p>Don&#8217;t forget about your vendors!  Vendor monitoring tools are becoming increasingly important to detect breaches as they are reported.</p>
<p>Stay up to date with the latest cyber scams and security risks by subscribing to cyber security newsletters and other news sources.</p>
<h4>Audit and assurance</h4>
<p>Internal Audit can also add value at a technical and non-technical level. Some audit departments have strong IT audit and Artificial Intelligence capabilities to interrogate data and security logs. Internal auditors are also excellent at identifying gaps in processes, control design weaknesses and unmanaged risks.</p>
<h4>Keep your finger on the pulse</h4>
<p>Stay on top of the latest developments in cyber security by joining professional associations, subscribing to newsletters from different sources and following thought leaders on social media.</p>
<h4>Exercise your plans</h4>
<p>World champion boxer, Mike Tyson once said “everyone has a plan until they get punched in the mouth”. What he was saying is basically &#8211; plans are useful until you have to put them into action in the real world.  That is why regular exercising of the various response plans is important.</p>
<h4>Refine</h4>
<p>Adaptability is important.  Once vulnerabilities have been detected after a penetration test, audit or exercise or after a cyber incident has been resolved, refinements need to be made to better protect the information assets and systems.</p>
<h3>5. Respond</h3>
<p>If a cyber incident is detected&#8230;the clock starts ticking instantly. Depending on the type of cyber attack, the sooner you start the response, the less impact the attack is likely to have and the better the chance of a successful recovery.</p>
<p>A prompt response will help an organisation to continue to operate and get back to business as usual as quickly and efficiently as possible after a cyber attack or major disruption.</p>
<h4>Incident response plan</h4>
<p>In order to respond quickly, a well documented, rehearsed and tested Incident Response Plan is critical. Remember, the worst time to develop a response plan is during an actual incident, so good planning and preparation is good practice.</p>
<p>Other sub-plans may also assist in the response to a cyber incident e.g. Crisis Management Plan, Communication Plan.</p>
<p>The Incident Response Plan should be executed by a capable Incident Response Team with clearly defined roles and responsibilities.  The Incident Response Plan should:</p>
<ul>
<li>Cover a range of cyber incidents</li>
<li>List specific activities</li>
<li>Define roles and responsibilities</li>
<li>Establish invocation and escalation protocols</li>
<li>List key contacts</li>
<li>Outline communication protocols</li>
<li>Be aligned to the organisation&#8217;s Crisis Management Plan and Business Continuity Plan</li>
</ul>
<p>As part of the response, organisations should notify their insurer, anti-virus provider, cyber security experts and/or other cyber security service providers as a means of preventing further spread. Timely reporting also assists them to develop and deliver new solutions to manage and neutralise malicious intrusions in the future.</p>
<p>For some organisations, depending on the size, industry and geographic location, it is mandatory to report information security breaches to stakeholders impacted and/or a regulator.</p>
<h4>Event log</h4>
<p>During the response, it is important to keep an event log, copy of all emails, copy of communications and situation reports in a single folder to help you in the next stage &#8211; the lessons learned.</p>
<h3>6. Recover</h3>
<p>This final phase aims to restore data and services to the pre-incident state after a cyber attack or disruption.</p>
<p>Ideally, the organisation will have a number of pre-existing, pre-tested recovery sub-plans that are clear and thorough enough to execute an effective response. These recovery sub-plans typically include:</p>
<ul>
<li>IT Disaster Recovery Plan</li>
<li>Elements of the Business Continuity Plan</li>
<li>Crisis Management Plan</li>
<li>Communication Plan</li>
</ul>
<h4>Lessons learned</h4>
<p>Once the recovery is complete, a lessons learned debrief should be scheduled to identify what went well and what can be done differently so that elements of the cyber resilience framework are refined and enhanced.</p>
<p>The lessons learned report should document exactly what happened, what impact it had and what actions you took, for future reference and for any potential claim on a cyber insurance policy.</p>
<p>The actions from the lessons learned will be used to further refine your cyber security controls.</p>
<h4>Antifragile</h4>
<p>Our final thought. Author of the popular 2007 book <a href="https://www.amazon.com/Black-Swan-Impact-Highly-Improbable/dp/0141034599" target="_blank" rel="noopener">The Black Swan: The Impact of the Highly Improbable</a> Nassim Nicholas Taleb wrote another book in 2012 called <a href="https://www.amazon.com/Antifragile-Things-That-Disorder-Incerto/dp/0812979680/" target="_blank" rel="noopener">Antifragile: Things That Gain from Disorder</a>.  This is a great book about &#8220;resilience plus&#8221;.  The key theme of this book is that unlike fragile systems, which break when put under stress, antifragile systems actually benefit from volatility and shock. Shocks and stressors strengthen antifragile systems by forcing them to build up extra capacity. Antifragile systems don&#8217;t bounce back to normal, but better and stronger.</p>
<p>Cyber security is an excellent defence, but cyber resilience is a much broader concept. When you&#8217;re developing your cyber resilience framework, ask yourself how you can recover faster, stronger and better as an organisation.</p>
<h3>Are you cyber resilient and ready?</h3>
<p>Information assets are valuable and information technology is at the heart of all successful organisations. As clients and customers grow more and more accustomed to sharing highly sensitive personal information online, effective systems to govern, manage, detect, respond and recover from cyber risks are more important than ever.</p>
<p>It is now widely accepted that it’s no longer a matter of ‘if’ but ‘when’ an organisation will suffer a cyber attack or major disruption. Cyber resilience provides an organisation with an opportunity to look at and manage cyber risks from the top down and across different elements.</p>
<h3>How we can help you achieve cyber resilience</h3>
<p>Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities.  We have extensive experience in audit and assurance, risk management, cyber risk management, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like support in becoming a more cyber resilient organisation, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Risks and Opportunities of the Hybrid Workforce Model</title>
		<link>https://inconsult.com.au/publication/the-risks-and-opportunities-of-the-hybrid-workforce-model/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 25 Jan 2021 04:35:51 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5650</guid>

					<description><![CDATA[<p>The economic and social disruption caused by the global pandemic in 2020 has been described as &#8220;devastating&#8221; by the World Health Organisation. For many businesses, the pandemic has shattered the traditional 9-to-5 work at the office mind set. In 2016, the Australian Bureau of Statistics reported that around 30% of Australians regularly worked from home [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>The economic and social disruption caused by the global pandemic in 2020 has been described as &#8220;devastating&#8221; by the World Health Organisation.</p>
<p>For many businesses, the pandemic has shattered the traditional 9-to-5 work-at-the-office mindset. In 2016, the Australian Bureau of Statistics reported that around 30% of Australians regularly worked from home (WFH). Today, as people and businesses adjust to the realities of the &#8216;new normal&#8217;, between 80% and 90% of organisations encourage or require their employees to work from home as travel restrictions, lock-downs, hard borders and COVID-19 hotspots become part of the new normal. In response, many organisations have adopted hybrid workforce models that combine remote working with office work to maintain business continuity and minimise disruption of services.</p>
<h3>The Hybrid Workforce</h3>
<p>In the hybrid workforce model, employees come into offices when it makes sense, but have the flexibility to work remotely also, and this helps optimize the balance between collaboration and flexibility.  Whilst many organisations reported success with remote working during the immediate response to the pandemic, some still question the long-term value of the hybrid workforce model.</p>
<p>As we enter 2021, COVID-19 vaccine distribution is underway, and more people will continue to be vaccinated throughout the first half of the year. That means companies will soon be faced with the difficult dilemma of if, when, and how they should return to in-office work.  Research shows that organisations that never offered remote work before are now embracing it. The hybrid workforce model brings many risks and opportunities and just like any other business model, understanding and managing the risks and opportunities are critical to success.</p>
<h3>1. People risks</h3>
<p><strong>Health &amp; Safety:</strong> Whilst in the office, the organisation has a greater ability to control the physical health and safety risks within the office environment. There are rules to follow, emergency procedures, regular cleaning, ergonomic desks and chairs and designated responsibilities&#8230;so things work in an orderly manner. At home, however, there are other distractions like partners, kids, pets and neighbours. That means the organisation can only try to influence an employee’s physical working environment at home; it is much more difficult to control. Some of the most common issues are those related to excessive use of computer screens and bad posture. These can be prevented with the right equipment and small adjustments. For some employees, the lack of space and unsuitability of the home working environment are real issues. Some employees may feel a weight of responsibility when it comes to risk and safety issues. Work with each employee to designate a dedicated work area. Regular risk assessments of the home workspace and physical environment, as well as education in respect of wellbeing, safety and good ergonomic practices, are important.</p>
<p><strong>Isolation &amp; mental health:</strong> Out-of-sight, out-of-mind is another risk.  In this situation, organisations or managers fail to engage regularly with employees other than at necessary times or for important matters. This lack of social interaction and feeling isolated remains one of the most significant challenges for people working remotely.  It is also important for managers to ensure all employees are psychologically safe. The impact of isolation due to WFH and the inherent uncertainties of the pandemic can increase anxiety and the risk of employees developing mental health issues.  A recent survey found that 82% of remote workers complained of burnout and 52% said they worked longer hours than office-based colleagues.  It is very important to maintain regular communication through emails, virtual meetings and phone calls to check in from time to time.  When it is safe to do so, face-to-face events are encouraged as social interaction is strongly correlated with workplace engagement and satisfaction.</p>
<p><strong>Skills and capabilities:</strong> Not all employees will have the skills necessary in a hybrid workforce model.  Training and development of people will be even more important.   Many of us can adapt to new technology and new business processes, but not all of us. With the possible changes to systems and processes from the shift, a training needs analysis has never been more important.</p>
<p>The small things will matter more and more.  Remembering birthdays and work anniversaries will be more important in a hybrid workforce model.  Organisations will need to engage their employees like their customers for a positive employee experience.</p>
<h3>2. Cyber risks</h3>
<p>In response to the pandemic, organisations adopted cloud services faster than they had planned, which unintentionally increased attack surfaces and created opportunities for hackers. Some experts believe that this rushed procurement will heighten cyber risks. A UK study last year found that 3 in 5 IT decision makers believe that remote workers will expose their firm to the risk of a data breach. Hackers have started to capitalise on this increased connectivity and hasty solution adoption, and organisations will have to balance the shift to new technological innovation with security and business continuity development.</p>
<p>Whilst people may be physically working from home, they are not disconnected from the organisation&#8217;s information systems and processes. At the office, the organisation has a greater ability to control cyber security risks through many layers of cyber security controls. At home, however, many different devices could be connected to a single WiFi network, and just one compromised device could pose a security risk to an organisation&#8217;s information assets. A recent survey of 400 security operations (SecOps) professionals found:</p>
<ul>
<li>Insecure home networks and cloud adoption are the biggest threats</li>
<li>57 percent reported seeing more phishing threats since the shift to remote work</li>
<li>42 percent said that their alert volume is higher now than it was prior to the pandemic</li>
<li>26 percent of respondents said their security posture is worse than it was before the pandemic</li>
</ul>
<p>At minimum, all employees should have up to date antivirus and malware software installed on their devices, organisations should encrypt all sensitive data at rest and during transmission, and multi factor authentication should be standard for all credentials.</p>
<p>During this time of heightened risk, additional controls are required, and providing all staff with regular communication and training about the range and types of cyber risks is essential. With even the most cyber-security-aware home workers just one click away from making a mistake, organisations need policies in place so that employees know who to report a threat to immediately.</p>
<h3>3. Productivity risks</h3>
<p>Are people more productive at home than at the office? Remote working has really challenged attitudes towards presenteeism as people move to WFH. There is a risk that people may not be as productive, falsify timesheets and look to secondary employment opportunities.</p>
<p>Some organisations are going to extreme measures to monitor the activities of employees by tracking system audit logs and using Artificial Intelligence&#8230;we call this &#8216;snooping&#8217;.</p>
<p>Sure, some employees may abuse the work-from-home situation, but most won&#8217;t. Whilst the organisation can put the appropriate WFH policies and procedures in place, it is up to managers to enforce them.</p>
<p>Management by outcomes will become more important in a hybrid workforce model. Rather than micro-managing, good managers set clear objectives, expectations and timeframes and communicate them with employees.  They trust their employees.  Weekly one-on-one meetings and regular touchpoints help to build trust and provide regular feedback. Clearly define each employee’s scope of work and your expectations of them while working remotely.</p>
<p>Some employees have enjoyed working from home and now prefer not to return to the traditional 9-5 office grind&#8230;even when it is safe to do so. According to the Institute of Internal Auditors, talent management is seen as one of the “most relevant” risks facing organisations in 2021.</p>
<p>For employees who believe a home-office setup is more productive, is it because of the lack of a commute or fewer office interruptions? The largest take-up of remote work was in office-based work, e.g. in educational services and finance. However, service companies in food, retail and construction were among the lowest adopters, because it is more difficult to do their work remotely.</p>
<h3>4. Governance risks</h3>
<p>Organisations that are committed to good governance and transparency build trust with their stakeholders. A shift to a hybrid workforce model will require adjustments to a number of policies and procedures, even position descriptions and performance management processes. Whilst some organisations may have remote working policies, there may be additional broader matters that need to be considered.  “Remote” work can mean different things to different people—are employees expected to be online a certain number of hours each day? Will they need to travel to the office on a regular basis? What happens if there is a new COVID-19 cluster in their suburb?</p>
<p>Without appropriate policies to reflect the new hybrid workforce model, defined expectations and outlined responsibilities, there is a risk of inconsistent application of the hybrid model, inconsistency and imbalance in decision making across the organisation and potentially disengaged employees.</p>
<h3>5. Process risks</h3>
<p>Business processes have been designed, refined, implemented and audited over many years. Business processes typically include internal controls that are designed to safeguard against a number of possible problems that can affect the organisation.</p>
<p>Will the same processes that worked effectively in the office environment still work remotely? What effect would a process failure have on the organisation? What are the new risks the organisation is exposed to?</p>
<p>Some processes and activities rely on face-to-face meetings and interactive business relationships.  Remote work could put some business relationships at risk—particularly those that rely on face-to-face meetings and networking. Some processes rely on hard copy documentation, reports and physical signatures.  How will remote working impact these processes?</p>
<p>Some processes heavily rely on third parties.  How will your third parties continue to deliver services? Do they have a recovery plan? Is there a risk your third parties could be adversely impacted by the pandemic or even be put out of business?</p>
<p>Any new hybrid workforce model will require a review and possible change to business processes and controls.</p>
<h3>6. Culture risks</h3>
<p>Let&#8217;s start with leadership. Leaders must have the right mindset and skills to lead and manage both in a remote and office environment to effectively implement a hybrid workforce model.  Leaders should show empathy to people who prefer to work from home &#8211; provided it does not impact organisational objectives, the quality of work or service delivery.</p>
<p>During the initial stages of any crisis, like the pandemic, an authoritative, commanding and directive style of leadership is needed because of the level of uncertainty. During the recovery stage, a different style of leadership is needed – one that is more consultative and empathetic.</p>
<p>Today's leadership requires much more than driving results and productivity – it requires keeping the company norms, values and culture alive and looking after employees as they navigate the challenges of remote work and the new normal. Management needs to reinforce these goals and values regularly.</p>
<p>Managing a remote team comes with its own set of challenges. Management should cultivate an environment of trust and psychological safety with remote employees. Collect feedback regularly and make adjustments, and more importantly, people should feel confident that the team will not embarrass, reject or punish someone for speaking out.</p>
<p>For managers, emotional intelligence (EQ) will be more important than cognitive intelligence (IQ) or any kind of technical skill. EQ requires self-awareness, self-regulation, motivation, empathy, and social skills.</p>
<p>Communication is sharing information to support the organisation’s objectives and strategy. Communication may sound simple, but it’s easy to get it wrong. Overcommunication overwhelms employees, whereas under-communication makes them suspicious.</p>
<p>When organisations made the shift to remote working, there was an emphasis on mainly digital communication and collaboration tools.  With a hybrid workforce model, organisations need to review the communication frameworks to reflect that some people may be working from the office, while others continue to work remotely to minimise the risk of communication breakdown.  A range of communication channels should be considered:</p>
<ul>
<li>some face-to-face events &#8211; training, team building and meetings</li>
<li>regular and prescheduled online check-ins with employees</li>
<li>regular department meetings ranging from weekly, fortnightly to quarterly town hall meetings</li>
<li>instant messaging apps &#8211; to add some variety</li>
</ul>
<p>Remote working isn’t always conducive to building meaningful relationships with co-workers in the same way that working in the office is. Social interaction is strongly correlated with workplace engagement and satisfaction i.e. when employees are continuously exposed to the behaviour of their managers and colleagues, they are able to grasp the culture, standards of behaviour, performance and communication much more quickly than they would remotely.</p>
<h3>The Opportunities</h3>
<p><strong>Lower business operating costs</strong> &#8211; Social distancing will mean fewer staff per square metre and a higher cost per head. Enhanced hygiene will result in an increase in cleaning costs as well as consumables like disinfectants, wipes and sanitisers. By adopting a hybrid workforce model, organisations may be able to reduce office costs such as rent, outgoings, office supplies, utilities, consumables etc. and can reinvest the savings in growth strategies to improve profits. A survey of business owners on their pandemic insights found that 44% of organisations expected remote work to increase profits.</p>
<p><strong>Improving job satisfaction</strong> &#8211; One of the most significant advantages of working from home is having the flexibility to juggle other things to create a work-life balance and enjoy life more. Other benefits include decreased commuter stress, lower travel costs and being able to work in solitude &#8211; without too many interruptions. Done well, all these things lead to improved job satisfaction.</p>
<p><strong>Access to a global workforce</strong> &#8211; Allowing workers to work remotely opens up a whole new world&#8230;literally. The work-from-anywhere shift will unlock new productivity and growth opportunities. Emerging countries are producing more skilled workers, and organisations can tap into people located 5,000 miles away in another state or country. Some organisations will benefit from a multi-lingual workforce. If you do engage resources from another country, be mindful of culturally appropriate communication and non-verbal business etiquette. Management must understand the time zone differences, local employment laws, religious and cultural diversity, local customs and accepted norms of behaviour.</p>
<p><strong>Thriving local businesses</strong> &#8211; As fewer people travel to central business districts, local businesses like cafes and restaurants, gyms and retailers are experiencing greater patronage from people who work from home.</p>
<p><strong>Refresh the business model</strong> &#8211; Some businesses have used the pandemic to change the business model they were previously operating under and either refine or rebuild a new business model.</p>
<p><strong>Reduce carbon footprint</strong> &#8211; Our planet is also experiencing environmental benefits from reduced travel.  Less travel to work has alleviated the stress on our roads and public transport systems resulting in a noticeable drop in pollution and greenhouse gas emissions across the globe.  Carbon Brief experts predict the environmental impacts of the coronavirus lockdown will contribute to the largest-ever annual fall in global carbon emissions.</p>
<p>Ok, so our list of opportunities is not exhaustive, but we encourage every business to think through the opportunities specific to them.</p>
<h3>Are you ready to reimagine the workplace?</h3>
<p>Whilst the Covid-19 pandemic has increased risks, it has really challenged organisations and people in a good way. In 2021, organisations have an opportunity to reimagine and improve the workplace. Gone are the days of rows and rows of desks as we welcome community hubs that will accommodate a more hybrid workstyle tailored around people, collaboration and engagement.</p>
<p>The 9-to-5 work day is dead. In our always-on, always-connected world, it no longer makes sense to expect employees to work an eight-hour shift, every day and do their jobs successfully. Through good risk management, effective leadership and secure technology, a hybrid workforce model can be a welcome change for better in the post-pandemic world.</p>
<h3>How we can help</h3>
<p>Now is the time to shift from crisis response to embracing uncertainty. InConsult is committed to helping organisations manage risks and opportunities.  We have extensive experience in audit and assurance, risk management, cyber security, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like support in becoming a more resilient organisation or managing the transition risks and opportunities to a hybrid workplace model, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-risks-and-opportunities-of-the-hybrid-workforce-model/">The Risks and Opportunities of the Hybrid Workforce Model</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>5 Key Areas to Managing Third Party Vendor Risk</title>
		<link>https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 13 Oct 2020 21:07:56 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5234</guid>

					<description><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and guarantees that exceed that of in-house capabilities, we are led to believe that we are reducing our own risk exposure.</p>
<p style="text-align: center;"><em>Unfortunately, this is not entirely true&#8230;</em></p>
<p>The extensive reliance on information technology to provide services or products is undoubtedly a cause of increased risk. Now take that IT infrastructure, place it in the hands of a third or fourth party and grant them access to an organisation’s private internal network. Without adequate assurance and some quality due diligence, organisations are exposed to a vast number of risks, the most common being a significant third party data breach. With over 50% of all data breaches being caused by third party vendor relations, and IT-related costs increasing by as much as $370,000 to remediate a data breach, organisations should be taking greater care to review their third party vendor expectations. (<em>Ponemon Institute study 2019</em>)</p>
<p>Now that we are aware of the potential outcomes of inadequately assessing third party vendor risks, how can they be avoided?</p>
<p>These are the top five areas to focus on to manage third party vendors and mitigate risk:</p>
<h3>1. Old fashioned due diligence</h3>
<p>Due diligence should be the bare minimum when selecting a vendor. Any third party vendor should align with the expectations of the organisation&#8217;s executive leadership team, more so if they will be handling confidential, personal or strategic data. Be aware that the conditions of due diligence change over time. What was considered acceptable compliance then may be considered only partial compliance now. This highlights the necessity to re-evaluate existing vendors to ensure they still meet the expectations of the organisation. Conduct a formal risk assessment to evaluate delivery risks, financial risks, compliance risks and legal risks. Favour vendors who provide you transparency into their operations and allow you to audit their processes.</p>
<h3>2. Communication</h3>
<p>Establishing an open communication channel with third party vendors not only helps develop relationships and can result in cost benefits, it can also keep an organisation informed of changes to the vendor’s environment, future plans and even issues they are experiencing. It is worthwhile subscribing to a vendor’s newsletters as they may include a product road map including quarterly milestone projections. This can pave the way for predicting future risk and developing workarounds.</p>
<h3>3. Regular review</h3>
<p>Re-evaluating existing vendors is not only part of managing changes in vendor compliance; it should be a process performed annually to give an organisation the ability to benchmark vendors against each other and to compare a vendor’s current performance against its past performance. Through the use of security questionnaires, cyber security ratings (CSR) and the acquisition of compliance reports (e.g. SOC 1, SOC 2, ISO 27001), an organisation can entrust sensitive or crucial data to the vendors that present the lowest risk. At the absolute worst, vendors can be provided with feedback for improvement. Select vendors who have a continuous improvement program and are responsive to feedback from you.</p>
<h3>4. Vendor comparison</h3>
<p>While long-term vendor relations can have immeasurable benefits, complacency can get the better of us. The market is always ripe with competitors trying to establish their brand, and as such there may well be a vendor that can match pricing while boasting greater risk maturity. Don’t be afraid to let vendors go if the costs associated with a security incident outweigh service or product savings. While the probability is low and an incident may never occur, it only needs to happen once. According to the U.S. National Cyber Security Alliance, 60% of small organisations never recover from a cyber incident alone.</p>
<h3>5. Planning for vendor contingencies</h3>
<p>Many organisations have a business continuity management (BCM) framework in place that addresses all critical business functions internally. Unfortunately, many BCM frameworks fail to appropriately analyse third party vendor functions and the criticality of their services or products. As such, a lack of workarounds for a variety of third party contingencies puts the organisation at great risk of prolonging a disaster or worse. To simplify the process, third party vendor assessment can be included in the next annual BCM review to ensure a confident recovery strategy when an incident occurs.  Good practice is to have at least one other vendor selected where possible in the event of a failure of the primary vendor.</p>
<h3>The future of third party assessment</h3>
<p>As Software as a Service (SaaS) systems have engulfed every industry imaginable, one must wonder what SaaS systems offer when organisations attempt to simplify the task of adequately assessing third party vendors and their associated risks. GRC applications have been around for some time allowing comprehensive management of risks, some even including specific third party vendor management modules. In the last couple of years particularly, there has been the introduction of systems that manage online questionnaires, provide Cyber Security Ratings (CSR) and much more. These systems used in conjunction with a well founded BCM framework provide the ability to challenge vendors using multiple vectors and thinking far beyond the continuity of merely internal functions.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations become more resilient to third party vendor risks.  We have extensive experience in risk management, cyber security, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like to know more about our third party assessment services or would like to see how you or your vendors score on the Cyber Security Rating scale, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
