[
Participants during the ‘Emerging Enterprise Risks with Evolving and Effective Control’ webinar, recently.
Doha, Qatar: The Institute of Internal Auditors Qatar Chapter conducted training on ‘Emerging Enterprise Risks with Evolving and Effective Control’ by Tejjashree Rao, Chief Internal Auditor of British American Tobacco, UK, Middle East and Africa Regional Operations and Global Technology. The session focused on three areas: Emerging Risks Landscape, Controls and effective management of emerging risks.
Tejjashree mentioned the Emerging risks landscape as “The perfect storm of high-impact interlocking risks faced by organizations.” Top risks were listed as macroeconomic and geopolitical uncertainty, Digital Transformation, Cyber and data security, Human capital and talent management, and ESG.
“The emerging risks to move from reactive (measure & manage) to proactive (sense and respond) risk management. Predictive risk identification requires techniques like Horizon Scanning and Key Risk Indicators (KRI), Continuous monitoring, and Data analytics for audit risk assessments. Dynamic Risk Prioritization involves using risk velocity to gauge which emerging risks need immediate attention and warrant an audit. Adaptive Risk Response uses Agile Audit Principles to refine the design of controls as the risk evolves,” Tejjashree explained.
Macroeconomic and geopolitical uncertainty risk-related controls that should be in place are scenario planning, liquidity management, financial modeling, and operational resilience. The consideration for audit is continuous monitoring with stakeholders.
Digital transformation risk requires control by aligning project benefits to the organization’s strategic goals and a robust program Governance, Oversight, and Status Reporting. “Internal audit should add more ‘Advisory reviews’ on the plan for key projects to provide real-time inputs as the project progresses through its lifecycle,” stated Shree as a solution.
Cyber and Data Security risk mitigation controls consist of Cyber Incident Response and Recovery Plans, Identity and Access Management Policies and Standards, and Cyber threat intelligence and monitoring procedures. Internal audits should consider Automated Continuous Control Monitoring reports to provide a more real-time view of vulnerable areas.
Human capital and talent management risk cannot be taken lightly by auditors. Conducting thematic culture audits covering identified hotspots and additional audit ratings for management risk awareness and control culture is recommended. “During all audits, evaluate how the Function/business area is mitigating People risks,” Shree enforced.
The main aspects of ESG risks and controls are to monitor progress made against ESG goals and regulatory requirements from international laws on ESG. Focus is to be given to ESG Data Management, especially on those metrics that are externally reported.
“The training imparted invaluable insights into emerging risks, effective internal control, and internal audit preparedness. Shree emphasized auditors deliver value through planned assurance and continuous controls monitoring, insights & foresight through increased automation & data analytics, and an improved organizational risk & control culture. The perspectives provided were compelling, relatable, and adaptable,” Sundaresan Rajeswar, Board Member, said in his concluding remarks.
Girish Jain, seminar chair, conducted the Question and Answers session and opened the meeting. Robert Abboud, Past President of the IIA, spoke during the closing session.
