
2022 RISK IN FOCUS
Hot topics for internal auditors


CONTENTS
Introduction: auditing amid rapid change
Methodology
Data breakdown: the survey results
IT security: response and recovery
Rising sustainability regulations
Accelerated digitalisation and low-code adoption
Workforce fatigue and cultural erosion
Pandemic response: organisational and strategic resilience
Financial risk and the looming insolvency wave
Rising inflation and the global tax clampdown
Climate change and sustainability is now a principal risk
Supply chain strains and the race to flexibility
Health and safety amid the continued COVID-19 threat
Appendix

INTRODUCTION:
Auditing amid rapid change

Organisations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The pandemic has destabilised operations and labour, disrupted supply and demand, and undermined previously sound business models to an extent few would have thought possible.

With the roll-out of vaccines in the developed world and the return of growth as economies reopened in 2021, it may be tempting to see the worst of the pandemic as having passed. However, COVID-19 will continue to have deep and lasting consequences, a new reality that organisations must accept.

Large sections of the workforce are reflecting on their futures, seeking new employment to advance careers stalled by the pandemic or changing course altogether by migrating into different sectors. Many countries are witnessing a resignation crisis, staff shortages and high vacancy rates demonstrating how profoundly the pandemic has exacerbated the talent management risks that existed long before 2020.

Workforce and labour market disruptions also have major implications for culture. CEOs are having to develop a clear vision for the future of their companies, and re-embed core values amid the transition to hybrid operating models that balance remote and on-site working arrangements. They must reconcile the shifting job expectations and new aspirations of existing and incoming staff with their corporate strategy and mission.

While the economic recovery is promising following the deepest global recession in living memory, businesses are contending with critical supply chain issues and inflation risks. Production costs have risen at a rate not seen for decades. Businesses are struggling to forecast demand for their products as virus infection rates and consumption continue to wax and wane. This uncertainty and disruption is being felt end-to-end through supply chains.

Last, but by no means least, organisations can no longer ignore the climate change and sustainability agenda. Those that do not take immediate action face the genuine risk of extinction. As long-term stewards of capital, institutional investors are pulling out of companies that are not prioritising the environment or society and failing to make the necessary adjustments to their strategies, business models and operations.

Sustainability regulations have already been rising and renewed policy efforts are sure to follow the UN Climate Change Conference of the Parties (COP26). Environmental, social and governance (ESG) themes have now established themselves as principal risk priorities. Businesses finally recognise that an unwillingness to accept accountability not only for their environmental and social impacts but their approaches to diversity and inclusion may cost them their futures, as customers, suppliers and workers gravitate towards genuine sustainability leaders.

Change and uncertainty will define 2022 and the years that follow. Internal audit must understand this change in the outside world, articulate how well it believes the organisation is adapting to these pressures and identify how effectively associated risks are being accounted for and managed. In many cases this will require a complete rethink of internal audit’s strategy, planning and where it focuses its efforts.

The world has changed. Internal audit must change too.

METHODOLOGY

In the first half of 2021 a quantitative survey was distributed amongst the CAE members of 12 Institutes of Internal Auditors in Austria, Belgium, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland and the UK & Ireland. This survey elicited 738 responses, an all-time high for this research project.

Simultaneously, a sample of 35 Chief Audit Executives (CAEs), 12 Audit Committee Chairs (ACCs) and 3 CEOs from across these countries were interviewed to provide deeper insights into how these risks are manifesting and developing.

The following topics in this report were determined by the quantitative survey results; the qualitative feedback from the interviews has been used to contextualise the survey results, providing colour and up-to-the-minute considerations for CAEs, with priority given to new issues and emerging themes that warrant attention.

This report should not be considered prescriptive, but as a tool to inform internal audit’s thinking and provide a benchmark against which CAEs can contrast and compare their own independent risk assessments.

We also hope that CAEs will use this report as an agenda item for audit committee discussions and as a sense-checking tool to support their internal audit planning and strategy.

13 European countries involved
50 in-depth interviews
738 responses from CAE members

DATA BREAKDOWN:
The survey results

[Figure: What are the top five risks that your organisation currently faces? Chart comparing 2022 and 2021 for each risk category, on a scale of 0% to 90%.]

The risk landscape has shifted over the past year in the eyes of Europe’s CAEs.

One of the more notable changes observable in the survey data is that Financial, liquidity and insolvency risk has become less of a priority. However, it’s important to view this in context. In the second quarter of 2020, large swathes of business activity were shut down and record levels of government stimulus were infused into the economy to avert a financial crisis. Consequently, Financial, liquidity and insolvency risk spiked in priority in last year’s report.

Since then, businesses have weathered a historic recession and may have newfound confidence as growth returns. But this macro recovery may be masking unforeseen financial risk. As stimulus is withdrawn over the coming months, companies should be liquidity stress testing and planning for worst case scenarios as the economy remains sensitive to further shocks and a potential wave of delayed insolvencies. Banks are now placing increasing demands on their corporate customers to understand their exposure to financial risks.

In parallel, a number of risks have come further to the fore this year, most of which have a human dimension. Human capital, diversity and talent management, Organisational culture, and Health, safety and security have all gained positions in the survey ranking and more of the overall vote over the past year. This demonstrates that CAEs are concerned about the impacts the pandemic and the extended homeworking period are having on the workforce, including personnel turnover as staff reflect on their careers and reset their aspirations. The implications of a more fluid employment market are likely to be felt for some time and these challenges will have to be actively managed.

Organisational culture in particular has seen a 35% gain in the proportion of CAEs who view it as a top five risk, from 20% to 27%. This is supported by audit leaders in this year’s qualitative interviews consistently speaking of their sense that culture is at risk of eroding—and the knock-on effects that this could have. Inevitably, against the backdrop of the ongoing pandemic, the question marks that remain over emerging variants and the return to the workplace, the health and safety of staff, customers and suppliers is also of paramount importance.

But the real story is that Climate change and environmental sustainability is surging up the agenda, climbing as many as four positions in the ranking and seeing a 41% gain in the proportion of CAEs who view it as a top five risk. Last year 22% of audit leaders had this among their five biggest risks; that has risen to 31%. No other risk area has shown a bigger year-on-year increase and this is a continuation of a trend: in 2020 a mere 14% of respondents put climate change among their top five risks. It’s now time to act.

41% increase in the proportion of CAEs who view Climate change and environmental sustainability as a top five risk since last year’s survey.

Risk trends over time

[Figure: Risk trends over time. Percentage of CAEs who cited the risk among their top 5 (scale 10% to 40%) for 2020, 2021 and 2022. Series: Human capital, diversity and talent management; Business continuity, crisis management and disasters response; Climate change and environmental sustainability; Organisational culture; Health, safety and security.]

Risk in Focus is an opportunity to track how risk priorities are developing over time. A number of dominant themes are emerging. Climate change and environmental sustainability shows the steepest curve, gaining in prominence more than any other risk type over the past three years, according to CAEs in our sample.

The remaining four risks highlighted in the graph that are gaining in priority are highly thematic when viewed against the backdrop of the pandemic. Risks related to Business continuity, crisis management and disasters response have been heavily impacted by recent events, and the same is true of Health, safety & security, Human capital, diversity and talent management and Organisational culture. These latter three have a clear human capital element to them. Businesses have been forced to flex and adapt over the past 18 months, protecting their workforces from harm as health risks sharply escalated. As the pandemic has rolled on for longer than many expected, companies have had to think about the psychological wellbeing of their staff and what socially distanced and remote working conditions mean for staff cohesion and culture.

It remains to be seen what the trajectory of these risks will be in future, but it is reasonable to expect that health and safety considerations will abate over the medium term as the uptake of vaccines increases. Similarly, as—or perhaps if—the pandemic comes under greater control and potentially recedes altogether then crisis management will likely fall in priority.

Human capital risks related to talent management and diversity are likely to be less transitory. Demographic pressures associated with plateauing, and in some cases declining, population growth across much of Europe combined with digital skills shortages will make recruitment and retention a persistent challenge. Meanwhile, a lack of diversity is not something that organisations can resolve overnight.

Finally, Climate change and environmental sustainability is a moving target that companies will have to make continuous efforts to mitigate for decades to come. This should therefore be considered a “forever risk” that is likely to move up the risk rankings over time, a view shared by the CAEs we surveyed.

Looking ahead

[Figure: What are the top 5 risks that your organisation will face three years from now? Chart comparing 2025 and 2022 on a scale of 0% to 90%. Risk categories as listed in the chart: Cybersecurity and data security; Digital disruption, new technology and AI; Changes in laws and regulations; Human capital, diversity and talent management; Climate change and environmental sustainability; Business continuity, crisis management and disasters response; Supply chain, outsourcing and 'nth' party risks; Macroeconomic and geopolitical uncertainty; Organisational culture; Financial, liquidity and insolvency risks; Organisational governance and corporate reporting; Communications, reputation and stakeholder relationships; Fraud, bribery and the criminal exploitation of disruption; Health, safety and security; Mergers and acquisitions.]

Three years from now European CAEs believe that Cybersecurity and data security will become somewhat less of a risk, although this is relative. It is still expected to dominate the risk rankings and any threat mitigation will come from the fact that businesses are becoming better equipped at managing and minimising the risk of attacks and data breaches. Other risks that are expected to abate or come under greater control include Business continuity, crisis management and disasters response, Financial, liquidity and insolvency risks, and Health, safety and security. All three of these have been directly influenced by the pandemic and therefore it should be expected that they will recede in due course.

The biggest gainers over this period are expected to be Climate change and environmental sustainability, and Digital disruption, new technology and AI, both of which are becoming fundamental existential risks. The winners and losers over the coming years will be defined by their ability to adapt to the twin pressures of becoming digital-first organisations with minimal environmental impacts and best-in-class sustainability reporting and transparency. It is becoming increasingly clear that only those who prioritise sustainability in their strategies, business models and operations—and can articulate this to investors, governments and the public—will succeed in the long term.

One fast-track method for achieving these goals is through acquisition. Rather than wholly relying on internal development and organic growth, companies can buy innovation, talent and market access via M&A. For example, the financial services sector is currently in a state of reinvention, banks acquiring fintechs to protect and grow their market share and maintain their relevance. In the consumer and retail sectors, companies are scaling down their physical footprints and leaning heavily into digital channels, a shift that is also being achieved via strategic acquisitions. Consistent with this, the survey results show that CAEs expect Mergers and acquisitions risk to rise over the next three years.

Risk priorities vs. audit’s focus

[Figure: What are the top 5 risks on which internal audit spends the most time and effort? Chart comparing Risk priority and Time spent on a scale of 0% to 90%. Risk categories as listed in the chart: Cybersecurity and data security; Changes in laws and regulations; Digital disruption, new technology and AI; Human capital, diversity and talent management; Business continuity, crisis management and disasters response; Financial, liquidity and insolvency risks; Macroeconomic and geopolitical uncertainty; Climate change and environmental sustainability; Supply chain, outsourcing and 'nth' party risk; Organisational culture; Organisational governance and corporate reporting; Health, safety and security; Communications, reputation and stakeholder relationships; Fraud, bribery and the criminal exploitation of disruption; Mergers and acquisitions.]

The Risk in Focus survey also shows how closely internal audit’s time, attention and resources are being matched to what CAEs consider to be the biggest risks to their organisation. There are numerous reasons why these differentials may exist and a direct correlation between risk priority and time spent auditing should not necessarily be expected.

However, any gaps could be cause for concern, potentially indicating a lack of assurance maturity or that internal audit is not pointed in the right directions. For instance, as has been observed in previous years, Organisational governance and corporate reporting sees much of internal audit’s attention and yet is not viewed as high risk. Conversely, Macroeconomic and geopolitical uncertainty and Climate change and environmental sustainability are viewed as significant risks to the business and yet see limited attention from internal audit. This is a major problem.

Internal audit must be bold. If audit committees expect the third line to concentrate on traditional risk areas that are already well controlled, the business is not realising the full potential of internal audit. In such cases, CAEs must push back and educate stakeholders, urging them to harness the third line to assess big and rapidly emerging risk themes.

Looking ahead three years from now, CAEs expect internal audit’s attention to be increasingly directed towards risks related to Climate change and environmental sustainability, and Digital disruption, new technology and AI. Audit leaders must push for the resources to build highly competent and highly relevant functions that can tackle these shifting assurance needs with confidence. This should be addressed urgently. Waiting until 2025 may be too late.

[Figure: What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now? Chart comparing 2025 and 2022 on a scale of 0% to 90%. Risk categories as listed in the chart: Cybersecurity and data security; Organisational governance and corporate reporting; Changes in laws and regulations; Business continuity, crisis management and disasters response; Financial, liquidity and insolvency risks; Fraud, bribery and the criminal exploitation of disruption; Supply chain, outsourcing and 'nth' party risk; Organisational culture; Digital disruption, new technology and AI; Health, safety and security; Human capital, diversity and talent management; Communications, reputation and stakeholder relationships; Climate change and environmental sustainability; Mergers and acquisitions; Macroeconomic and geopolitical uncertainty.]

IT SECURITY: RESPONSE AND RECOVERY

The research data

82% of CAEs say that Cybersecurity and data security is among their top five risks, once again putting it ahead of any other risk type (#1). Not only that, 34% of CAEs say this is their single biggest risk (#1). This coincides with a material increase in cybercrime over the past 18 months, as criminals have sought to exploit the security weaknesses exposed by operational disruptions.

CAEs in the most cyber mature organisations, particularly in the financial services sector, explain that organisations are turning their attention to response and recovery processes and procedures, and what to do in the event of ransomware events. Companies must be confident that they know how to respond when bad actors strike and can bring operations back online with minimal disruption by following established protocols.

Naturally, the best means for avoiding disruption is by preventing attacks in the first place. One of the two most common ransomware attack vectors is software vulnerabilities, with VPN (virtual private network) servers used for connecting homebound staff to centralised systems being a particular point of focus for cyber extortionists over the past 18 months. The other is emails.[1] This is why the human element is so important. It is estimated that 97% of phishing emails now contain some form of ransomware[2], and that 95% of IT security breaches result from human error.[3] Staff training and awareness is the most effective way of minimising the likelihood of workers clicking on malicious links and harmful attachments (e.g. .doc, .dot and .exe files).

However, no amount of training can totally prevent assaults from slipping through the cracks. Businesses that have yet to suffer a major incident need to recognise that it is not a question of if attackers will be successful, but when. Further along the maturity curve from protective measures (e.g. software configuration management, strong password policies and staff awareness) are response and recovery protocols. The ultimate goal is to reduce downtime and loss of revenue while maintaining customer trust. These protocols also need to be organisation-wide and not only repeatable but adaptive, so that they remain relevant and effective as the nature of the risk develops and the IT environment expands and grows more complex.

“We want to see that there is a crisis organisation established and that it meets on a regular basis and it’s trained. You want to see exercises where the whole data centre is switched off because of a breach and that the back-up works well, restarting the applications and so on. You cannot wait for the crisis to appear. People need to know what to do in the event of an emergency.”
CAE, Switzerland, one of the country’s top five banks

[1] Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
[2] Phishing Statistics You Need To Know To Protect Your Organisation
[3] 134 Cybersecurity Statistics and Trends for 2021

An internal audit perspective

Every organisation is at a different point in their information security journey, therefore internal audit must focus its assurance efforts where they are most needed. For the least mature, the third line should concentrate on the foundations: whether the business is properly risk assessing and putting in place hard and soft defensive controls. Hard controls include regularly updating software patches, properly configuring firewalls and threat detection systems, and using least privilege access and two-factor authentication (2FA) to contain attacks from spreading through the entire network from the initially compromised computer. Soft controls centre on the risk awareness throughout the organisation, sound cybersecurity culture being a key risk mitigator.

Once internal audit is confident that these foundations have been laid, its attention should turn to the business’s ability to respond and recover. If IT continuity plans are not well understood by staff or, worse, there are no plans, the organisation is exposing itself to unnecessary risk. The third line should therefore seek evidence that these scenarios are being planned for, including dry run exercises, and that there are dedicated cyber crisis management and recovery resources in the business with clear lines of accountability and timely incident reporting.

“You do not know what is happening at the beginning of the ransomware attack, the decision-making is difficult, there is time pressure. I’m trying to see if we are ready or not to take the right decisions.”
CAE, France, CAC 40 manufacturer

Questions for internal audit

• Does the organisation have a cybersecurity strategy or roadmap? How far has the organisation progressed in achieving this?
• Is there a staff awareness and training programme in place to prevent successful attacks? Are these regularly updated?
• Is a cybersecurity response and recovery plan in place and is it tested?
• Does the organisation make data backups that it can use in the event of an attack? How does the organisation know that the backups are secure?
• What is the organisation’s ransomware policy (does it pay up or not?) and are people aware of it?
• Do insurance policies appropriately cover IT security risks? Is incident reporting likely to be fast enough to meet the coverage requirements of insurers for successful claims?
• Is the organisation confident that it won’t suffer an attack via its vendors or clients? Why is it confident, e.g. are third parties ISO 27001 certified?
• Does any penetration testing include all areas of the business, including potentially overlooked subsidiaries in non-core markets?

DID YOU KNOW?

The volume of ransomware attacks increased by 150% in 2020[4], more than any other kind, as criminals have sought to exploit the migration to remote working for financial gain. Victims also paid 311% more in ransom to have their data and systems decrypted by perpetrators over the same period.[5]

It is estimated that among recent ransomware victims, 56% recovered their data via system backups and 26% paid the required ransom to have their data returned.[6] This underscores the importance of response and recovery measures. Even paying criminals is a form of response and a route to recovery and if this is agreed policy, it must be documented and understood by the IT security function, the CISO, the rest of senior management and the board.

[4] Ransomware Attacks Soared 150% in 2020
[5] Key Recommendations from the Ransomware Task Force
[6] The state of ransomware 2020


RISING SUSTAINABILITY REGULATIONS

The research data

The regulatory burden is a perennial risk that stays firmly at the top of business’s risk registers, especially for banks and others operating in regulated markets. Changes in laws and regulations is among the top five risks for 46% of CAEs this year (#2, maintaining its position from a year prior but with a significantly smaller share of the vote), though only 8% have it as their number one risk (#5). Regardless of their sector, companies should be paying close attention to rising sustainability requirements.

In November the UK will host the COP26 UN climate summit, world leaders convening to discuss how actions can be accelerated towards the goals of the Paris Agreement and the UN Framework Convention on Climate Change. Inevitably this will mean more policymaking and increased regulations. However, the regulatory train is already in motion.

Global ESG regulations and laws have grown by 90% since 2016[7] and policymakers continue to step up their efforts. CAEs, ACCs and CEOs in our research almost universally spoke of the increasing regulations their organisations face, with attention quickly turning to sustainability reporting.

In April 2021, the EU adopted a package of measures as part of its mission to slash greenhouse emissions by at least 55% by 2030, and reach carbon neutrality by 2050. The package includes the final EU Taxonomy Climate Delegated Act, applicable from 1 January 2022. The act is the first set of technical criteria defining activities that contribute substantially to climate change mitigation and adaptation, essentially supplementing the broad brush framework of the EU’s Taxonomy Regulation, which entered into force on 12 July 2020. A second delegated act is due to follow in 2022.

The broader package also included a proposed Corporate Sustainability Reporting Directive (CSRD), intended to replace the existing Non-Financial Reporting Directive (NFRD), which is widely seen as having fallen short of the mark. The CSRD aims to make sustainability reporting more consistent, so that investors and the public can use comparable and reliable information. Crucially, the proposal significantly enlarges the scope of the current reporting requirements from the 11,000 companies that are currently subject to the NFRD to some 50,000 companies.[8] This nearly five-fold increase in scope is because the rules are expected to apply not only to every single company with tradeable instruments on Europe’s stock and bond markets, but all large companies whether they are listed or not. Unlike the Sustainable Finance Disclosure Regulation, which came into effect in March 2021, these reporting requirements are intended to apply across sectors, not just in the investment industry.

While Britain has left the EU, UK businesses cannot ignore the rising tide of sustainability regulations. As part of its 2020 Roadmap and Interim Report, the government intends the UK to become the first G20 country to make reporting aligned with the Task Force on Climate-Related Financial Disclosures (TCFD) mandatory across the economy, so this is not solely a concern for EU businesses.

“The main thing is around who we lend to. Do we lend on clean energy? How do we make sure that it’s really green? How do we aggregate the reporting? How do we stress test for climate risk? There’s a lot of movement in that space with the new taxonomy.”
CAE, Luxembourg, development finance bank

[7] McKinsey Global Private Markets Review 2021
[8] Sustainable Finance and EU Taxonomy: Commission takes further steps to channel money towards sustainable activities

An internal audit perspective

Third lines in banking and insurance companies are now long familiar with the rising tide of regulation, so, while challenging, these emerging rules are the continuation of a theme. For others, recent cross-sector efforts to deliver assurance around GDPR should stand internal audit in good stead for stricter compliance obligations.

The introduction of the EU Taxonomy Climate Delegated Act and the forthcoming CSRD provide greater clarity on what is expected of EU companies in their sustainability reporting. The same is true for UK businesses with the intention of the UK government to make TCFD-aligned sustainability reporting obligatory. These developments give the third line concrete criteria to audit against.

While internal audit is not usually directly responsible for compliance, for smaller, less mature organisations it may choose to raise flags, highlighting which forthcoming regulations may need to be met. For instance, given that the CSRD will capture far more EU companies within its scope, the third line can bring to the board and senior management’s attention that the first set of standards are expected in October 2022, with a second set to follow in 2023. For more mature organisations, internal audit will need to assess the compliance function’s work, checking the efficacy of any processes and controls that have been modified to deliver on these emerging requirements.

Questions for internal audit

• Is internal audit providing assurance over the translation of relevant sustainability regulations into organisational commitments, policies and plans? Are the plans adequate and are they being delivered?
• Is the organisation aware of its sustainability reporting requirements and is it taking action to address this? Is internal audit or some independent party providing assurance over this reporting?
• Do the data and statements disclosed in non-financial reporting accurately reflect the activities of the company? Could it be reasonably concluded that the company is greenwashing or is it doing what it claims?
• How well developed is the governance around sustainability reporting? For example, are roles and responsibilities clearly defined?
• Does the company have a system of prioritising regulations, whether related to sustainability or otherwise, and does it take an appropriately risk-based approach to managing compliance?

ACCELERATED DIGITALISATION AND LOW-CODE ADOPTION

The research data

Digital disruption, new technology and AI remains a priority, with 45% of CAEs citing it among their top five risks (#3, maintaining its position from a year prior) and 8% putting it as their top risk (#4).

The pandemic and its restrictions on physical contact brought the necessity for digital transformation into sharp focus. Digital laggards were left especially prone as countries went into lockdown, while those that had already executed on their digital strategies were at a distinct advantage. Any businesses that did not previously recognise the need to digitalise their operations and business models certainly do now.

Virtually all CAEs, ACCs and CEOs we interviewed flagged the risks and opportunities associated with digitalisation and the pace of this change as a priority area of attention. Aiding this digital acceleration is the use of low-code development platforms. By enabling developers to create software apps using graphical interfaces instead of hand coding them, low-code has expedited digitalisation during the pandemic, allowing businesses to roll out mission-critical solutions and expand digital channels at speed when they were most needed. It has been estimated that 64% of UK software developers increased their use of low-code tools in 2020 in response to the global lockdown.[9]

Businesses are expected to increasingly rely on low-code software development using tools such as Microsoft’s Power Platform, Salesforce and Mendix[10] to help accelerate their progress. It is estimated that by 2024, 75% of large enterprises will be using at least four low-code development tools.[11] Meanwhile, the global low-code market is expected to grow by 22% in 2021, to $13.8bn.[12]

While much of this will be reserved for use by IT functions, the rise of so-called citizen development initiatives shows the opportunity, and the risk, that lies ahead.

Citizen development helps to address the shortage of technically skilled workers by empowering non-technical employees to build apps that solve immediate problems. This can help overstretched IT functions unable to keep up with the many demands of the business. The benefits of this should not be understated.

That is the opportunity. The risk is that by lowering the bar for who can develop apps, effectively democratising digitalisation, the organisation may be increasing its blind spots. Companies may no longer have a true picture of the extent of digitalisation within their organisation, who is responsible for it and where the risks lie. In an effort to drive swift change, digitalisation may proliferate unchecked and key controls may not be paid their due attention, increasing security and data privacy vulnerabilities.

[9] The ‘low-code’ imperative
[10] Magic Quadrant for Enterprise Low-Code Application Platforms
[11] Gartner 2020 Magic Quadrant for Enterprise Low Code Application Platforms
[12] Surge in Remote Development Boosted Low-Code Adoption Despite Ongoing Cost Optimization Efforts

An internal audit perspective

With digitalisation shifting up a gear, the third line’s first concern should be whether the business model is being sufficiently adapted to meet the new digital reality. Any evidence identified by internal audit of competitors innovating in ways that could threaten the business should be brought to management’s attention so that it can take urgent strategic action.

Turning to the development that is already underway, the third line can assess whether core risk management principles are being embedded into projects. Of particular concern is the widespread uptake of low-code tools. The greater the adoption of these tools among non-IT personnel, the higher the risk.

While this may appear to be uncharted territory, low-code and no-code development is a continuation of a theme that internal audit should already be familiar with. End-user development has been deployed for years already, such as the use of pivot tables and macros in Microsoft Excel to create invoice management systems or Microsoft Access to run database queries.

Internal audit should therefore return to the basics and assess whether any low-code app development and usage follows the company’s established standards and protocols, including reviews, testing and staged deployment. IT functions will need to ensure they know exactly what low-code projects are in development and apply appropriate permissions controls so that critical data is not lost or misappropriated. What is more, it may be impossible to know exactly what is happening under the bonnet of these platforms and whether they are inadvertently introducing security flaws to the organisation. Given that the majority of low-code platforms have third-party integrations, it is possible that, even if the platform supplier releases security patches, critical updates are not rolled out in a timely manner, particularly if the organisation loses track of its low-code components.

Internal audit may choose to independently map all digital projects throughout the business and check that this matches the IT function’s own mapping of current activities. In the broadest sense, the third line should check that digital projects, big and small, uphold the same standards expected of more traditional projects directly managed by the IT function, and confirm that there is appropriate oversight from the information security team.

Questions for internal audit

• Is the IT function fully aware of all digitalisation projects and sub-projects underway across the organisation?
• Is the organisation allowing citizen/end-user development? If so, are access rights and version roll-outs managed to avoid unintentional errors?
• Does current digitalisation activity match the organisation’s risk appetite? From a back-to-basics perspective, does this digitalisation meet the established standards adopted by the organisation? Are the standards themselves fit for purpose?
• How much oversight do digitalisation projects have from the IT and IT security functions?
• Are agile methods delivering practical results at the expense of risk management? For example, are new applications being sufficiently security tested?
• Is there a programme in place for automatically patching any low-code apps that are in use?

“The risk I see is the IT infrastructure itself. We do a lot of internal development today because we don't want to be too dependent on a vendor. We have an innovation team that is not part of IT, it's in a grey zone. You have risks that are created because of developments not being sufficiently tested, documented or formalised because the business wants to use agile methods.”
CAE, France, private bank

WORKFORCE FATIGUE AND CULTURAL EROSION

The research data

Human capital, diversity and talent management is cited by 40% of CAEs as being among their top five risks (#4, up one place from last year), up from 35% in 2021 and 27% in 2020, a clear uptrend. Meanwhile, 27% view Organisational culture as a top five risk (#10, up one place from last year), a notable year-on-year increase of seven percentage points. As businesses weigh up what working models to embed post-pandemic, the risks to culture, morale and staff cohesion should not be underestimated.

The atomisation of organisations in the homeworking environment has delivered some unexpected benefits. In Europe, 82% of senior executives have reported that productivity levels either held steady or increased as people migrated to remote work, and over half believe that some degree of remote working is here to stay and that it will play a powerful role in retaining top talent.[13]

However, it’s not all upside. Recent research has shown that 47% of UK employees are less career focused because of the pandemic and 40% are concerned about work-related burnout[14], suggesting an extended period of staff churn could be ahead. Separately, it has been found that globally as much as 46% of workers are considering leaving their employer because they are now able to work remotely.[15]

Businesses may also be overlooking risks that are less simple to measure. Interviews with CAEs for this year’s Risk in Focus elicited opinions not only on talent management and skills shortages, but the impact that remote working and hybrid models might be having on culture, irrespective of any productivity benefits.

The lack of social interaction between colleagues may be eroding team cohesion and culture. Staff may be losing their sense of belonging or becoming fatigued and disengaged with their work. As effective as online collaboration tools and videoconferencing software have been in keeping the wheels turning and people connected virtually, there is no substitute for in-person interaction and small talk for fostering creativity, problem-solving and keeping the organisation’s culture alive.

All of this could have negative downstream consequences. Culture and closer co-working is inextricably linked to factors as diverse as innovation and conduct. Without open sharing of ideas, the business may not be able to as effectively develop products or new ways of better serving customers.

If people feel less connected to their teammates and are unable to clearly see how their work contributes to the greater good of the company and its purpose, they could begin to stray. Disengagement has the potential to increase fraud and other misconduct as workers lose their sense of loyalty and put their own interests before the interests of their colleagues and the company. This may be compounded by limited oversight from management, which can result in the weakening of the soft controls environment and poorer internal communications and reporting, increasing the likelihood of undesirable behaviour.

[13] Flexible ways of working are here to stay, finds new European research – with leaders focused on maintaining culture and innovation
[14] Building resilience for the new realities of work
[15] Microsoft Work Trend Index

An internal audit perspective

It may be too early for internal audit to conduct formal assessments of how effectively behavioural and cultural risk is being managed, given the fluidity of the present situation. However, the third line can get a “feel” for any weakening of staff morale and motivation and the overall cultural health of the company. This can be achieved by engaging with people on the ground and flagging any concerns with the board or audit committee.

If companies aim to permanently move towards hybrid working models, they will need to understand what impact this is having on productivity, innovation and the risk and control environment. Once the strategy has been formalised and embedded, internal audit can begin to think about how to address this. One approach would be directly auditing the culture; another would be to assess what HR and the second line are doing to understand and address any cultural erosion that’s occurring, such as conducting staff surveys and employing behavioural science techniques to determine whether workplace incivility and disengagement is becoming a growing threat to the organisation’s success. Steps will then need to be taken to remedy this and re-establish a sound and healthy culture.

Questions for internal audit

• What sense is there that the culture has eroded and integrity has weakened, and is there an awareness of this within HR, middle management and senior management?
• Are efforts being made to promote the organisation’s core values and mission?
• What steps is the organisation taking to check in with staff? Is middle management sufficiently attentive to business teams? Is there anything quantifiable to support this?
• Is reduced in-person interaction having a detrimental impact on either productivity (less likely) or innovation (more likely)? How is this manifesting and being measured?
• Is staff turnover increasing? How long does it take to fill vacant positions? Is talent management to continuously attract and retain employees working?

“What hasn’t necessarily been dissected enough is what the impact of new working models will be. There is a big risk that it’s eroding culture. How do you keep the culture alive when everything’s remote or hybrid and when you’re not interacting in-person?”
CAE, Ireland, travel operator listed on Euronext Dublin

PANDEMIC RESPONSE: ORGANISATIONAL AND STRATEGIC RESILIENCE

The research data

38% of CAEs consider Business continuity, crisis management and disasters response to be a top five risk (#5), a small gain on last year (34%). Companies that have succeeded during the crisis period have not only met the short-term challenge of maintaining continuity, but have responded to the unexpected shocks of the pandemic by developing resilience and refining their strategies.

The events of 2020 caught even the most prepared businesses off guard. Unlike the physical events that businesses commonly plan for (extreme weather, power outages, cyber-attacks etc), the pandemic has been pervasive, simultaneously impacting employees, suppliers and customers across the globe and for a duration previously not considered a possibility.

It goes without saying that organisations should be updating their business continuity plans (BCPs). This will require careful examination of how effective crisis responses have been and BCPs should now include a pandemic scenario, incorporating lessons learned to better respond to similar future crises. These will need to include staff safety, supply chain and cyber risk mitigation measures. Greater resilience can be achieved by covering these basics, putting the organisation on a stronger footing should another pandemic or other crisis event occur.

From surviving to thriving

However, recent lessons have had far deeper, lasting implications. It is said that in every crisis lies opportunity and the pandemic has been a catalyst for what in many cases has been positive change. As part of their crisis response, businesses are addressing strategic risks that have been lingering for years.

Analysis has shown that around half of senior executives in Europe report that the crisis exposed weaknesses in their companies’ ‘strategic resilience’, i.e. the extent to which an organisation’s business model and competitive position prove resistant to disruption. What is more, business-model innovation was by far the most important differentiator in addressing the crisis.[16]

Companies have had to strike a balance between coping with recent immediate disruptions and planning to thrive against the backdrop of reshaped demand and changing consumption patterns as economies reopen. Those who have failed to adapt to the change in circumstances by making necessary course corrections could be exposing themselves to longer-term existential risks as their business models quickly lose relevance.

The flip side to this is that strategic and operational adjustments and adaptations carry not only potential rewards but their own risks too. In the pursuit of securing the future of the business, any rapid and fundamental changes made during the pandemic period may create a domino effect, informing future strategic decisions and changes to the business.

[16] Strategic resilience during the COVID-19 crisis

An internal audit perspective

CAEs should already have a sense of how well their organisations coped with the crisis and whether any shortcomings are well understood by the first and second lines. The third line can assess whether lessons are being incorporated into updated BCPs, which should now include future pandemics as possible future scenarios. The ability to anticipate and plan for future crises is how organisational resilience is achieved.

Any sweeping operational pandemic responses, such as cost-cutting or cost-conserving programmes, should be followed up by the first line to determine whether they are delivering positive outcomes or need to be reassessed. Internal audit may support this activity with reviews of its own, independently providing evidence of how effective these changes have been.

It is ultimately for the CEO and the rest of senior management to define and set the strategy and it is not for internal audit to opine on any pivots or changes of course. But the third line should keep its nose to the ground to identify any meaningful changes that could have risk implications, develop a view on whether they are working as expected and flag any concerns with the board and management. This can involve gauging the level of staff awareness regarding these changes and whether the strategy is taking root. From an upside perspective, internal audit may be able to identify opportunities for further change, such as efficiency improvements or operational restructuring.

The main point is whether the business has the awareness, processes and accountability in place to monitor whether any big changes are delivering their expected benefits. If there is no follow-up in the first line then the organisation could be setting itself in a direction without a clear view of where it is heading or whether it needs to rethink its business model or strategy to more effectively compete in the changing business environment.

“I will be looking at how the business has bridged any gaps identified in protecting people. I will also look at incident response and how we responded through our BCP, including whether VPN connections for such a wide range of people working remotely is included in our plans for other scenarios.”
CAE, Greece, insurer listed on Athens Stock Exchange

Questions for internal audit

• Has the organisation updated its BCP, incorporating any lessons learned from the recent pandemic response and taking into account future crises as possible scenarios?
• What are the lasting impacts of the pandemic on the organisation likely to be and are these well understood by the leadership?
• Is the organisation capable of strategically adapting to gain competitive advantage?
• What strategic pivots and operational adaptations have been made and are these required for the long term or are they short-term measures?
• Have any major changes to the business model affected the risk-control environment and who is addressing this?
• Are the impacts of any big decisions being monitored and followed up on? For example, does senior management have a clear understanding of whether any changes to the strategy are delivering the expected benefits?
• Were any big decisions based on accurate data and sound information? Has the data and the business context shifted since then, potentially requiring the business to pivot back or in a new direction again?
PAGE 27 OF 42

FINANCIAL RISK AND THE LOOMING INSOLVENCY WAVE

The research data

33% of European CAEs view Financial, liquidity and insolvency risk as among their top five risks (#6, down two places), a significant fall on the 42% who said the same a year ago. However, 10% of the sample consider this to be the single biggest risk to their organisation, ahead of every other risk type other than Cybersecurity and data security.

Unprecedented government stimulus has been a godsend for employers and employees. Furlough schemes and state-backed bank loans minimised unemployment and provided companies with the working capital necessary to continue their operations. The effects of these emergency measures have been overwhelmingly positive: administrations in the UK, for example, fell to historic lows during the first year of the pandemic.[17]

Unfortunately this financial support cannot last forever. With Europe having coped with successive waves of infections, with the potential for more to follow, financial risk within a number of sectors remains at elevated levels. Services, leisure, hospitality and travel sectors are at the mercy of government policy and, approaching two years into the pandemic, the future of businesses in these industries is still in question.

It has been estimated that global insolvency rates will increase by 13% in 2021 compared with 2019 and by as much as 27% in 2022.[18] This activity will be concentrated in high-risk sectors which have been through an extended hibernation period with cash flows slowing to a trickle. Once policy support is eventually exhausted, it will inevitably have knock-on effects for the banking sector. If loan defaults rise materially then lenders will have to contend with high credit risk and weaker profitability.

This contagion can also spread through value chains. Companies may have exercised leniency towards customers for as long as possible. With the pandemic having worn on for an extended period, there will be less incentive to offer trade credit and payment deferrals. This could lead to the insolvency of key suppliers and clients, exposing businesses to the financial risks of partner firms’ weakened balance sheets.

This should compel businesses to monitor their cash flow management, assess the creditworthiness of critical business partners, invest in payment monitoring and recovery capabilities, identify customers that may be at risk of failing to make good on their payments, reduce liabilities and ensure that any credit insurance policies are up to date. To understand their financial strength, businesses should also be frequently stress testing and planning for worst-case scenarios.

[17] Administrations fall to historic lows
[18] Covid-19: how to protect yourself against rising insolvency risk

PAGE 28 OF 42

An internal audit perspective

Last year’s Risk in Focus showed that CAEs were firmly concentrating on the financial resilience and liquidity of their organisations, by checking that the business was doing everything in its powers to secure payments owed and minimise outgoings.

Having faced off these short-term liquidity constraints, the business may be confident that the worst is over. But financial risks remain high. Boards and audit committees may seek independent assurance that cash flow management remains a priority and is under control, and that efforts are being made to monitor the situation outside of the business itself. This may require a confirmation from internal audit that the business is using all available internal and external data to assess the situation as it evolves.

If insolvencies rise in correlation with the withdrawal of government support, businesses could find that customers are no longer able to pay. The third line should therefore confirm that monitoring of high-value business partners is in place to minimise the likelihood of any unexpected shocks and that the business’s insurance sufficiently covers any credit risk. This may also require an independent assurance that the business is acting appropriately and within the bounds of its contractual obligations, either in negotiating its own costs or chasing up payments.

For businesses that are cash poor, internal audit’s attention may be directed at the treasury or finance function to determine the strength of decision-making processes and that financing or refinancing facilities have been put in place to optimise the capital structure and see the business through. As the earnings distortion caused by the pandemic normalises, the third line can assess whether cash flow forecasting is proving to be accurate again so that the business fully understands its liquidity risk exposure as growth returns.

Questions for internal audit

• What is the business’s liquidity risk exposure? Does it have enough cash on its balance sheet to withstand any continued lack of demand and is there an up-to-date and effective cash management strategy?
• Are key business partners still being monitored and is credit insurance in place to cover the potential failure of customers?
• Does the treasury or finance function have clear visibility on what the cash needs of the business will be and a firm grip on cash management?
• Is the company making the most of borrower-friendly financing conditions, e.g. by refinancing existing debts that may fall due soon or securing lower rates? Is a borrowing strategy in place?
• Does the business have access to working capital to be able to scale operations back up as growth returns?

PAGE 29 OF 42

RISING INFLATION AND THE GLOBAL TAX CLAMPDOWN

The research data

32% of CAEs say that Macroeconomic and geopolitical uncertainty broadly defined is among their top five risks (#7, maintaining last year’s position), while 10% say it is their top risk (#3). Inflation has spiked with the economic restart and the governments of the world’s leading economies are training their crosshairs on global corporation tax rates.

Economies roared back to life in 2021 following the deepest global recession since the second world war. This is undeniably positive news. However, the sharp return of demand is causing prices to soar, in some cases at rates not seen for over a decade. Annual consumer price growth across the eurozone reached 1.9% in the year through June 2021, nearly triple the rate a year prior. In the US, the effect has been even more acute, inflation increasing by as much as 5.4% over the same period. Around one-third of interviewees including CAEs, ACCs and CEOs expressed concerns over macroeconomic uncertainty despite the ongoing recovery, with some singling out rising prices as an area to watch.

Central banks have sought to allay fears that they will adjust their ultra low-rate policy in the near term to curb rising prices. They hold that this is a temporary phenomenon caused by the whiplash effect of the pandemic, as the demand for goods and services imploded before resurging in 2021. By this logic, recent inflation will be transitory, normalising as the pandemic abates.

Not everyone agrees. Stimulus has reached epic proportions and the longer-term view is that by printing money at a rate never seen before, currencies will devalue while fiscal stimulus will create demand beyond economies’ production potential, risking an episode of persistent inflation not seen since the 1970s.[19]

To the extent that businesses are unable to pass these costs along, earnings margins will come under pressure. As goods rise in price with the consumer-led rebound, employees are likely to seek higher wages to meet their own increasing living costs.

Companies will therefore need to keep a close eye on their cost of production and revenue management to determine whether recent developments are merely a blip, or spell a more fundamental and lasting macroeconomic pressure.

[19] Deutsche Bank warns of global ‘time-bomb’ coming due to rising inflation

PAGE 30 OF 42

G7 tax efforts

At the same time that companies are facing the prospect of absorbing higher costs, the world’s most wealthy nations are coordinating to introduce a new global corporation tax. The aim is to tax multinationals in each country in which they operate, preventing them from profit shifting to low-tax havens.

Two key proposals are on the table: allowing governments to impose levies on 20% of the profits companies make in their country if their margins are greater than 10%; and a tax at 15% of profits in each country where the company operates, regardless of their earnings margins. It is difficult to know exactly how much more tax companies would pay if this global clampdown goes ahead since companies do not uniformly report their accounts on a country-by-country basis. The proposals may also take months if not years to formalise and embed. However, what is clear is that governments are highly indebted as a consequence of the pandemic and are under renewed pressure to close public deficits and reduce sovereign debts. A new global tax would be a further dent to profits at the same time that inflation has the potential to increase overheads and squeeze margins.

“The post-pandemic impact is probably the most important unknown. I expect default risk to go up. Inflation risk is going up and that will affect businesses.”
CAE, Switzerland, insurer and constituent of the Swiss Market Index

PAGE 31 OF 42

An internal audit perspective

Inflation risk depends on the company in question. Companies with strong intellectual property are better able to raise their prices to cover the costs of everything from raw materials to labour. Those with weak value propositions will be more exposed and may have to absorb higher costs. Another consideration is what will happen to interest rates. If inflation persists as the pandemic recedes, central banks may be forced to tighten monetary policy. This means that, having borrowed through the pandemic to raise cash and improve liquidity, businesses carrying large debts could struggle.

If in its independent risk assessment the third line deems the business to be exposed, it can assess how well understood this inflation risk is and what the business is doing to combat it. For instance, procurement functions may seek competitive sources of supplies and in locations closer to the site of production, thereby reducing freight costs. Revenue managers may have to make product pricing adjustment decisions, analysing company data and benchmarking it against the competition. Treasury functions may be expected to lock in currently low financing rates while they are still available, refinancing any floating-rate loans with fixed-rate bonds. Since internal audit has a holistic, company-wide view it is uniquely positioned to determine whether disparate functions are taking appropriate measures and are effectively coordinating.

Global tax risk, meanwhile, is longer term in nature. Companies will not be able to respond until wealthy nations decide on the next steps to take and governments take coordinated actions to prevent profit shifting. Boards and senior management will already be discussing this looming threat and so CAEs should monitor the situation, raising the topic in relevant committees and meetings if it is being overlooked. A formal audit programme can be developed once it is understood what changes the company will need to make to be tax compliant.

Questions for internal audit

• Is the business in an industry that is especially exposed to inflation, e.g. consumer goods, food retail, transport?
• Is senior management having discussions about the potential for long-term inflation and what it means for the business? If not, does internal audit need to flag this as a potential area of concern that requires attention?
• To what extent are procurement functions factoring rising costs into their buying decisions? What actions are being taken?
• Are treasury functions taking full advantage of borrower-friendly financing conditions to secure low borrowing rates?
• Is the revenue management function assessing any price increases that need to be made in order to maintain and grow profitability without putting turnover at risk?
• How sensitive will the company be to proposed global corporation tax changes? Is this being planned for?

PAGE 32 OF 42

CLIMATE CHANGE AND SUSTAINABILITY IS NOW A PRINCIPAL RISK

The research data

Climate change and environmental sustainability is seen as a top five risk by as many as 31% of CAEs (#8, up by as many as five places from last year’s survey), representing an increase of more than 40% on last year’s survey when 22% of CAEs said the same. In the space of two years this topic has gone from a talking point to a principal item on risk maps and corporate risk registers.

Slashing emissions, adopting green energy sources, moving to more socially sustainable manufacturing practices and aligning goods and services with society’s values is now a commercial imperative. Businesses are under pressure from a broad range of stakeholders to make major urgent adjustments to their strategies and business models in the transition to a low-carbon and more socially equitable world. These pressures can increase business costs, damage asset values as investor capital moves out of carbon-intensive assets towards cleaner businesses, and can undermine the long-term viability of existing products and services. This change carries significant risks and opportunities and more than half of Risk in Focus interviewees raised environmental and sustainability as a core risk topic that has firmly come to the fore over the past 12-18 months.

This would not be such an issue if companies fully understood their environmental impacts. However, in many cases businesses have a limited understanding of the repercussions of their activities. One CAE confided that their company does not understand what environmental harms may be caused by the synthetic materials used in its core products.

Companies that fail to act—by mapping their activities, products and by-products, strategising and innovating—may soon lose the unwritten social contract that allowed them to operate in the first place. Those that lead the charge on environmental sustainability will quickly claim market share, pushing laggards into obsolescence. Expect the pace and scale of adaptation to accelerate.

Climate change and environmental sustainability is now seen as a top five risk by as many as 31% of CAEs

PAGE 33 OF 42

An internal audit perspective

Businesses that drag their feet on sustainability are jeopardising their futures. The third line therefore has an opportunity to cement its standing and demonstrate its value by “joining the dots” on this risk. Internal audit can assess what exactly it is that the company is doing to ensure its longevity by aligning its mission, values and strategy with the rising sustainability agenda, then flag any gaps between the company’s ambitions and what it is doing in practice to fulfil those ambitions.

At a top level, this should start with reviewing what strategic actions are being taken by the business, such as establishing clearly defined and actionable sustainability goals that are aligned with existing frameworks and guidance such as ISO 26000 and the UN’s Sustainable Development Goals (SDGs). This is the company’s roadmap and provides something tangible to audit against.

These goals may include minimising environmental impacts such as deforestation, chemical waste, greenhouse gas emissions and water consumption; ensuring human rights and the promotion of economic inclusion through the supply chain; and developing products and services that do not harm people or the planet.

Internal audit may choose to carry out its formal audit work through an ESG lens, scoring auditees using sustainability metrics to show how well various functions and business units perform against the company’s stated sustainability goals. This may include reviewing risk governance in the first and second lines, namely seeing how clearly defined roles, responsibilities and ownership of the chosen goals and related risks are.

Internal audit’s value also lies in its consultative supporting role. Climate change and sustainability risks need to become a central theme in corporate decision-making and CAEs should seek a seat at the table in strategy development meetings. When big decisions are being made about large capital projects, the development of new products or supply chain management, CAEs should raise their hand if they believe climate and sustainability risks are being overlooked, where possible using hard data or other tangible, objective information to make their case.

PAGE 34 OF 42

Questions for internal audit

• Is climate change and sustainability central to the company’s values, mission and strategic goals?
• Has the business established sustainability goals and are these aligned with the UN’s 17 SDGs?[20]
• Is the business at risk of becoming obsolete or facing reputational backlash for its activities?
• Is the business taking climate change and sustainability seriously, for example by investing in projects that will future proof its products and services?
• Is scenario planning being employed to prepare the business for any climate-related physical and political risks that may jeopardise its future?
• How valid are the data on which the organisation models its environmental impacts?
• What initiatives are there to reduce the organisation’s greenhouse emissions and move away from harmful or unsustainable manufacturing processes or materials? What progress is being made on these?

“Climate impact risk is becoming much more important. The semiconductor industry actually uses quite a lot of energy, not only directly but throughout the value chain. How much CO2 are the machines we produce going to use and what can we do about that? This will become increasingly important.”
ACC, the Netherlands, technology company traded on Euronext Amsterdam

[20] United Nations: 17 Sustainable Development Goals

PAGE 35 OF 42

SUPPLY CHAIN STRAINS AND THE RACE TO FLEXIBILITY

The research data

The pandemic stress-tested supply chains and many companies may feel like they have come through the worst. As demand recovers, however, supply chains are coming under immense strain. Just under a third (30%) of CAEs put Supply chains, outsourcing and ‘nth’ party risk among their top five risks (#9, down one place from last year albeit with a slightly higher share of the vote).

Two-fifths of CAEs we interviewed raised the issue of supply chain risks, from the simple ability to secure parts and products today through to more forward-looking considerations, like developing flexibility and co-locating suppliers at the site of production in the context of a pandemic-constrained world to reduce transport costs and improve supply chain certainty.

One thing that recent events have shown is how supply issues can take months to emerge. Many companies reduced their production in 2020 in the face of weakened demand, leading their suppliers to dial down their own output. Demand jolted back in 2021 as economies recovered creating supply bottlenecks and preventing companies from fully benefiting from the restart. This effect has been particularly acute in the semiconductor industry, where shortages have had a cascade effect that has hamstrung as many as 169 sectors in some way[21], from consumer electronics to car manufacturing. This shortfall is expected to last through 2021 and potentially into 2022.

The V-shaped recovery in demand is currently contributing to new inflationary pressures (see page 29), but a bigger risk than rising costs is short supplies of critical components causing production delays and lost revenues. If a business is unable to secure vital supplies, then it cannot sell its products. Complicating matters is the unpredictability and unevenness of the economic recovery, which is likely to make demand forecasting a persistent challenge for every link in the supply chain. This is a balancing act. Double ordering today to stockpile and prevent future shortages may cause substantial overshoots, increasing inventory costs.

Senior management and the board will need to be confident that inventory management risks have proper oversight, that supply chain data and technology is being employed to best effect and that short-term and long-term contingency measures are being weighed up to ensure greater supply chain security and flexibility. This will require a change in mindset, from prioritising the lowest price for goods towards greater certainty and resilience.

[21] The Semiconductor Shortage of 2021

PAGE 36 OF 42

Playing politics

Geopolitics continue to play into this trend. In May 2021, the European Commission unveiled plans to cut dependency on Chinese and other foreign suppliers in six strategic areas including raw materials, batteries, pharmaceutical ingredients, hydrogen, semiconductors, and cloud and edge technologies, freezing a long-awaited trade and investment agreement.

The power struggle between the US and China also continues virtually unabated. Not only are most of the elevated tariffs imposed at the height of the trade war instigated by the Trump administration still in place, affecting over half of all trade flows between the two countries[22], the current administration is stepping up its own efforts. The Strategic Competition Act of 2021, which has support from both Democrats and Republicans, defines China as a competitor in multiple areas, including economics, technology, and military security. Far from being a temporary concern, trade wars and the impact of geopolitics on supply chains will have to be carefully considered for the foreseeable future.

“There are supply chain issues to think about and the flexibility to scale up and down depending on the pandemic and demand. There will be an increase in sourcing from nearby countries to reduce supply risk. For companies with components coming from different parts of the world, they are reviewing their supply chains to see how to structure them for the future, even if the pandemic soon passes.”
ACC, Sweden, food retail group listed on the Stockholm Stock Exchange

[22] US companies are bearing the brunt of Trump’s China tariffs

PAGE 37 OF 42

An internal audit perspective

Supply chain risks will typically be a far higher priority for internal audit functions in businesses that deal in physical goods rather than services, the latter benefitting from scalability. Senior management should be working closely with procurement and supply chain management functions to determine how exposed they are and what actions need to be taken to secure vital supplies during any potential bottleneck phases.

The third line may seek evidence of scenario and contingency planning that will enable the company to access new sources of critical supplies. The more complex, diverse and outsourced the supply chain, the greater the risk. The company should be identifying the highest-risk suppliers to focus on in the first instance and internal audit can help to validate the means by which key suppliers are risk-categorised.

As supply and demand reach closer equilibrium as the recovery progresses, a longer-term view is required. The most operationally resilient businesses will have built flexibility into their supply chains, allowing them to toggle between vendors as required, and reviewed their forecasting and inventory management strategies to add any necessary slack to account for possible future chain disruptions.

Questions for internal audit

• How well is the company currently coping with supply/demand shocks? Were these foreseen?
• Is there evidence of concentration risks, with supplies coming from a small number of vendors or from a single country?
• How well coordinated are procurement and supply chain management functions?
• Is the business reviewing its supply chain strategy, for example moving away from Just-In-Time inventory management?
• Is the supply chain sufficiently flexible such that the business can dial up/down production and source new suppliers when necessary?
• Are the procurement function’s planning and forecasting modelling efforts effective? Have any necessary adjustments been made and are these based on sound data and analysis?


HEALTH AND SAFETY AMID THE CONTINUED COVID-19 THREAT

The research data

22% of CAEs put Health, safety and security among their top five risks (#12, up two places from last year). The events of 2020 set a new precedent, the pandemic being far more widespread and persistent than any health crisis anyone has experienced in their lifetimes. This has brought the safety and wellbeing of people to the fore—and remains a concern as the trajectory of the pandemic is still uncertain.

“SARS-CoV-2 is not going away,” the CEO of vaccine manufacturer Moderna said earlier this year. While vaccine rollouts in the developed world are progressing, no-one knows for certain how the pandemic will play out. In an op-ed authored by six epidemiologists, physicians and advisers, governments were called upon to face an “inconvenient truth”: the fight against the “remarkably resilient virus” will be long and slow.[23]

The spread of coronavirus has impacted all manner of risks—from supply chain stability to financial strength, cybersecurity resilience to macroeconomic factors. From a pure health and safety perspective, the challenge is in ensuring that appropriate steps are taken to safeguard the physical and mental wellbeing of staff, customers and suppliers at the same time as maximising productivity and minimising business interruptions. This was a dominant theme in this year’s interviews, nearly half of participants raising concerns over ongoing uncertainty surrounding the pandemic and the need to prioritise the health of workers.

The larger and more geographically diverse an organisation is, the more complicated and higher risk this is. Vaccine distribution has skewed towards developed countries and it is estimated that low-income nations may not receive enough doses to vaccinate all adults until well into 2022, possibly later, as demand outstrips supply[24], though the decision by the G7 to donate shots could accelerate this.

[23] The Forever Virus: A Strategy for the Long Fight Against COVID-19
[24] Coronavirus vaccines: expect delays

Further, new variants such as the “Delta Plus” strain raise more questions. It is not clear if future variants will prove to be more transmissible, more harmful or more resistant to vaccines. What is clear is that SARS-CoV-2 will continue to mutate, therefore ongoing access to mitigative medicines will have a fundamental influence on countries’ ability to cope.

This could have serious disruptive effects, especially for businesses with global footprints and with extensive outsourcing to the worst-affected regions in the world and where vaccine access is limited.

As lockdowns ease in developed countries and businesses determine how to move forward—whether by maintaining remote working, returning on-site or balancing the two with a hybrid approach—human resources functions, health and safety officers and senior management will need to remain vigilant. This will require tracking the course of the pandemic and following government guidance or mandates in response to any possible further waves of infection across relevant geographies. It also means being attentive to the needs and psychological wellbeing of staff. Organisations have a legal obligation to protect their employees and others from harm, so health and safety will remain a prominent risk, even as the pandemic is gradually contained.

“Health and safety for our business was always of paramount importance because a lot of things can happen in the customer journey. The important thing now in the context of the pandemic is how to ramp up. We need to make sure that the customers’ trust is still with us and they believe that we are doing the utmost to manage this as the business picks up again. It is too early to audit now because plans are constantly changing. But this is on my list for sure.”
CAE, Germany, FTSE 100 travel operator

An internal audit perspective

Companies responded swiftly to protect their workforces and customers in 2020. The almost seamless transition to contact-free working may have developed a false sense of security. As lockdown measures are eased and more of the workforce returns on-site, health risks will increase as more people occupy shared physical spaces. There are simple practical steps that organisations can take like increasing social distancing, staggering shifts, regularly cleaning communal areas, improving ventilation, and providing hand-sanitising facilities, and these basics should already be well covered. If not, the third line should be raising the flag.

While health and safety is a long-established risk, outside of heavy and extractive industries such as industrial manufacturing and mining it is not something that internal audit has commonly looked at. Companies have typically relied on external health and safety auditors for this work and so internal audit may feel that it is in unfamiliar territory.

But the third line must now step up to the plate. In small organisations this should be a relatively simple exercise involving spot checks and assessing staff awareness and behaviour. For multinational organisations, the third line may seek evidence that safeguarding measures are being reviewed on a risk-based, country-by-country basis. Going deeper, internal audit can form an opinion on how effectively staff and customer safety is being risk assessed on an ongoing basis, in the context of the business’s various activities and taking into account the potential for further waves of COVID-19 infections.

There is also the psychological dimension to consider. HR functions should be raising awareness with staff about how to protect their mental health. Internal audit may consider it appropriate to perform a formal audit of staff wellbeing for example via an independent survey, although simply checking that HR is sufficiently assessing and attending to workers’ needs may be enough. The psychological health of personnel may also be something that the third line “picks up” from soft human cues as it moves around the organisation conducting more technical controls- and process-oriented audits, in the same way that it can check the temperature of the organisation’s culture.

Questions for internal audit

• Is the health and safety of customers being sufficiently prioritised and what measures need to be embedded and monitored with the recovery of business activity?
• What evidence is there that the HR function is prioritising the health and safety of staff in the context of a return to the workplace? Is a health and safety strategy in place?
• Has there been an increase in staff, customer or supplier complaints regarding their treatment or concerns over how the business is handling their physical safety and psychological wellbeing?
• Has the organisation already demonstrated that it can effectively manage this moving risk? Is it ready to manage this as business activity returns?
• Is a risk-based approach being applied to the various geographies in which the organisation is present? Are health and safety measures appropriate to the level of risk in that country?

“Health will continue to be a major risk for the next year at least. Despite the vaccine no one really knows for sure exactly how long this is going to help and it doesn’t offer 100% protection. There are a lot of discussions about how to keep social distancing at the offices. At the end of the day, health continues to be a real concern and there’s risk of more contagion.”
ACC, Spain, property development company

APPENDIX

[1] Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
[2] Phishing Statistics You Need To Know To Protect Your Organisation
[3] 134 Cybersecurity Statistics and Trends for 2021
[4] Ransomware Attacks Soared 150% in 2020
[5] Key Recommendations from the Ransomware Task Force
[6] The state of ransomware 2020
[7] McKinsey Global Private Markets Review 2021
[8] Sustainable Finance and EU Taxonomy: Commission takes further steps to channel money towards sustainable activities
[9] The ‘low-code’ imperative
[10] Magic Quadrant for Enterprise Low-Code Application Platforms
[11] Gartner 2020 Magic Quadrant for Enterprise Low Code Application Platforms
[12] Surge in Remote Development Boosted Low-Code Adoption Despite Ongoing Cost Optimization Efforts
[13] Flexible ways of working are here to stay, finds new European research – with leaders focused on maintaining culture and innovation
[14] Building resilience for the new realities of work
[15] Microsoft Work Trend Index
[16] Strategic resilience during the COVID-19 crisis
[17] Administrations fall to historic lows
[18] Covid-19: how to protect yourself against rising insolvency risk
[19] Deutsche Bank warns of global ‘time-bomb’ coming due to rising inflation
[20] United Nations: 17 Sustainable Development Goals
[21] The Semiconductor Shortage of 2021
[22] US companies are bearing the brunt of Trump’s China tariffs
[23] The Forever Virus: A Strategy for the Long Fight Against COVID-19
[24] Coronavirus vaccines: expect delays

About Risk in Focus
For the past six years, Risk in Focus has sought to highlight key
risk areas to help internal auditors prepare independent risk
assessment work, annual planning and audit scoping. It helps
Chief Audit Executives (CAEs) to understand how their peers view
today’s risk landscape as they prepare their forthcoming audit
plans for the year ahead.

This year, Risk in Focus 2022 involved a collaboration between 12 Institutes of Internal Auditors, in Austria, Belgium, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland and the UK & Ireland.

The survey elicited 738 responses from CAEs across Europe, an all-time high for this research project. Simultaneously, a sample of 35 Chief Audit Executives (CAEs), 12 Audit Committee Chairs (ACCs) and 3 CEOs from across these countries were interviewed to provide deeper insights into how these risks are manifesting and developing.
