Risk, No Action

A recent EisnerAmper report, Concerns About Risks Confronting Boards – 2015 Survey, includes an interesting warning the authors describe as “risk, no action.” The report identifies reputational risk, cyber security, and regulatory compliance as the top three risks driving concerns among board members. No real surprises there. But there remain troubling gaps between what board members acknowledge as risks and the actions they or management take.

For example, while identifying reputational risk as the top risk, the survey found little board knowledge about one of the biggest vulnerabilities to organizational reputation — social media. According to the survey, just 6 percent of board members feel they are well-versed in social media risk.

Similarly, there is little doubt that cybersecurity issues now have the rapt attention of most boards, yet the survey found a scant 24 percent of board members believe their boards are “well-versed” in understanding cybersecurity risks, while another 10 percent feel they are falling short of fully understanding it.

The report’s authors offer a minor concession to board members, noting, “While the action may very well fall to those in the day-to-day operational roles, there seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion.”

One would be naïve or ignorant about risk management in modern business to think every identified risk is addressed equally. The IIA’s International Standards for the Professional Practice of Internal Auditing mandates that risk assessments serve as the basis for the audit plan, but it is no secret that audit plans do not address every risk an organization may face.

What the EisnerAmper report highlights is subtle and, frankly, more dangerous: It is one thing for an organization to prioritize risks and make conscious decisions to delay or forego audits because of limited resources or inadequate staff expertise. It is another for boards to recognize a high-level risk and not address it comprehensively.

How can we help?

360factors, Inc. is a cloud based Enterprise Risk and Compliance Management Technology and Services Company that will help you improve business performance by reducing risk and ensuring compliance. We also offer EHS consulting through our professional services consultants. RSA offers a wide range of professional services in regulatory compliance and permitting (air, water, and waste), site investigation and remediation, environmental and dredge material sampling and evaluation, and health, safety and risk management services. RSA maintains a staff of experienced key personnel including registered professional engineers, geologists, and health and safety specialists.

 

Remain up-to-date on industry news / updates through our  Twitter & Linkedin profiles.

*All images are property of their respective owners.