Risk Trends in 2023 and Beyond: Navigating the complexities of Canada’s new normal

October 13, 2022

Synopsis

After two full years of COVID-19 dominating the global risk cycle, Canadian organizations finally started to see a light at the end of the tunnel in 2022. But the celebratory atmosphere has been short-lived, with several new and ongoing challenges casting a shadow over those silver linings. We surveyed 14 practice leaders across our firm about the risks and opportunities they’re most concerned about heading into 2023 — and specifically what internal audit should focus on.

Among the top priorities were:
• Impacts of looming environmental, social, and governance (ESG) reporting standards
• Omnipresent cyber security threats and the growing challenge of third-party risk
• Issues with realizing the value of digital transformation and how to keep pace with the accelerating speed of innovation

Other trends of note include continued workforce disruptions and supply chain uncertainty, and how organizations can ensure they’re prepared for the next big business interruption — whether that’s another globally defining event or a more localized crisis.

Partner, National Leader - Internal Audit
National Enterprise Risk Services Leader and Post-Secondary Education Lead

Contents:

  1. Introduction
  2. Methodology
  3. Part 1: Post-pandemic uncertainty
  4. Part 2: Digital acceleration and disruption
  5. Part 3: Cyber and privacy risk
  6. Part 4: Environmental, social and governance (ESG)
  7. Part 5: Operational resilience and agility

Far from business as usual

After two full years of COVID-19 dominating the global risk cycle, Canadian organizations finally started to see a light at the end of the tunnel in 2022. Consumer habits began a steady return to pre-pandemic levels and many team members started coming back to the office as public safety measures eased through the spring. But the celebratory atmosphere has been short-lived, with several new and ongoing challenges casting a shadow over those silver linings.

The most significant issue this year has been Russia’s invasion of Ukraine and the conflict’s effects on already fragile supply chains, energy and agriculture sectors. Inflation spiked to 40-year highs, with increased demand pressures from the war, sanctions, and economies re-opening — forcing central banks to raise interest rates to the highest levels since before the 2008 financial crisis.

Canada’s new commitment to achieve net zero by 2050 and the release of proposed sustainability reporting standards have stepped up the pressure on environmental, social and governance (ESG) efforts. And even with fears of a looming economic downturn, organizations continue to struggle with the tightest labour market in a generation — not to mention adapting to a hybrid workforce model.

The risk landscape heading into 2023 certainly feels different. But the perils and opportunities remain as significant as ever. As internal audit teams begin planning for the year ahead, they will be wise to keep the following 19 risk trends front of mind.

Methodology

MNP surveyed subject matter experts from our firm’s service and industry practice groups about the risk trends and challenges they’re most concerned about in 2023.

We have ordered their responses into five categories and rated each risk on a 10-point scale, reflecting both its short-term priority and long-term forecast.

Measures of uncertainty (which can be high, medium, or low) consider the number of unanswered questions surrounding the risk. Risks with high uncertainty may have a greater or lesser impact than anticipated — or be more relevant to some regions and industries than others.

Trend (which can be increasing, decreasing, or unchanged) refers to how the risk compares to previous years, and how our experts anticipate it will evolve in the years to come.

Note the information contained in this report is for informational purposes only and does not constitute professional advice. For more information about these risks, our methodology, and MNP’s Enterprise Risk Service, contact Richard Arthurs, National Leader, Internal Audit, at [email protected].

Downstream impacts of COVID-19 will continue to unfold long after the World Health Organization officially declares the pandemic over. While many aspects of life continue to return to normal, questions remain about what the future will look like when the dust finally settles.

Retention and recruitment of critical talent

The COVID-19 pandemic led to one of the most acute and widespread labour crises in recent memory. Organizations have felt the pinch at both ends — with baby boomers retiring in massive numbers and numerous young workers also departing for new opportunities. A talent shortage has also emerged, especially for highly specialized roles.


Short-term priority
8/10

Short-term trend
Increasing

Uncertainty
Medium

Long-term risk forecast
7/10


What the experts are saying

The departure of senior talent is revealing holes in many organizations’ succession plans. Few could have predicted the significant mindset shift that took place between 2020 and 2022 and the impact it would have across all demographics.

With the impacts of the Great Resignation being felt straight down the hierarchy, many firms have shifted their focus to filling operational vacancies in the near-term, rather than addressing the challenges of attracting, retaining, and growing the next generation of leaders.

What internal audit should ask

  • What are the succession plans for high-impact positions?
  • What roles and capabilities will be critical for success in the next one to five years?
  • What strategies are in place to nurture, develop, and grow existing talent? Are these strategies informed by leading human resources practices?
  • What do younger generations want, and how are their expectations changing (e.g., compensation, work-life balance, culture, purpose-driven work)?

Inflation and looming recession risk

COVID-19 was the first in a long line of dominoes that ultimately led inflation rates to hit near 40-year highs in 2022. Interest rates are one of the most powerful tools at the disposal of central banks to curb skyrocketing prices. However, while the goal is to cool demand, thereby reducing prices, that comes with the very real risk of pushing the economy into a recession. Even if Canada avoids recession and the U.S. does not, our economy will still feel the impact from our neighbours to the south.


Short-term priority
9/10

Short-term trend
Increasing

Uncertainty
High

Long-term risk forecast
5/10


What the experts are saying

Many consumers exited the pandemic in a better financial position than when they entered it, largely due to savings from restrictions related to the restaurant, retail, and travel sectors — as well as historically-low interest rates, and government supports.

Inflation has been triggered, among other things, by a sudden uptick in spending as businesses re-opened, and the inability of supply chains to keep up. However, that spike is likely to drop off now that the cost of goods and the cost of debt have soared to generational highs.

Businesses need to consider how demand is going to shift through the end of 2022 and into 2023 and how that will impact their access to capital if the economy slips into a full-on recession.

What internal audit should ask

  • What lines of business are most likely to be impacted by an economic downturn or a recession and what can be done to better manage the impact?
  • What cost-saving measures are available to offset higher costs and/or lower revenues?
  • How reliant is the organization on debt financing and what impact do higher carrying costs have on the financial results?
  • How will a recession or economic downturn impact employment forecasts, as well as recruitment and retention efforts?
  • Will any third parties be unable to deliver goods, services, or maintain quality because of an economic downturn?
  • What impact will an increase in corporate or personal insolvencies have on the business and what is being done to minimize the impact?

Global supply chain uncertainty

While the COVID-19 pandemic undoubtedly triggered the current global supply chain crisis, it’s increasingly apparent it wasn’t the sole cause. Many issues remain over two years later, and it seems it could be several more years before all the backlogs are completely cleared.


Short-term priority
8/10

Short-term trend
Increasing

Uncertainty
Medium

Long-term risk forecast
6/10


What the experts are saying

The global supply chain crisis isn’t an event unto itself; rather it’s several crises that came to a head at the height of the pandemic — and that complexity makes it a difficult challenge to resolve.

Much of the backlog due to business closures, employees with COVID unable to work, quarantined warehouses, and climate impact is getting cleared. However, it will take much longer to build the roads, ports, and rail lines needed to solve the multi-billion-dollar infrastructure deficit. Logistics firms, like all areas of the economy, are also struggling to attract and retain delivery drivers.

Then there are the looming issues around greening the supply chain and balancing onshore versus offshore production. And impacts of the war in Ukraine will complicate matters even further the longer the conflict continues. World trade has suddenly become extremely complicated.

What internal audit should ask

  • How will continued supply chain issues impact the organization’s ability to do business? Is there a plan B for all critical goods and services?
  • Do existing business models make sense if the current supply chain issues become the status quo?
  • Has the organization factored potential increases in extreme weather into shipping forecasts and/or scrutiny on supply chain sustainability into its planning and sourcing practices?
  • Is the organization managing customer expectations in the event of severe product and service delivery issues?
  • What strategies are in place to deal with workforce interruption?

A future-proof business model

Disruption was one of the most buzzworthy business terms in the years leading up to the pandemic — almost to the point of being cliched. But it’s taken on a whole new meaning in the past two years, and it will continue to be a legitimate concern in the decade to come.


Short-term priority
9/10

Short-term trend
Increasing

Uncertainty
High

Long-term risk forecast
9/10


What the experts are saying

The world may be returning to normal, but there’s no putting the COVID genie back in the bottle. Digital collaboration tools, hybrid work arrangements, and demands for seamless online/offline customer experiences are here to stay — and they’re going to keep evolving.

Many organizations will find that adapting to the challenges of the pandemic was easy compared to the disruptions on the horizon. There was no precedent for 2020, but everyone faced very similar challenges and uncertainties. The possibilities will expand considerably as organizations break from the confines of planning for survival, and now the standard has been set for innovation, adaptability, and responsiveness to external demands.

Customers and employees likely won’t be as patient with organizations that are resistant to new ways of working or delivering value.

What internal audit should ask

  • What do consumers and stakeholders expect from your organization? How can it deliver while staying true to its mission, purpose and values?
  • What technologies, data, and capabilities are disrupting your industry? How can you pivot your business model to leverage these effectively?
  • What are the workforce, financial, and logistical barriers to change and how can these be overcome?
  • Who is disrupting your industry and what can you learn from them?
  • Are you a trusted business partner who is continuously looking to the future to spot trends and changes in demand?

Technology has become a double-edged sword for organizations looking to cut costs, streamline operations, and build a competitive advantage. While many are rightfully focused on what’s next, there’s also danger in overcommitting to innovation — especially without the right foundations in place to support it.

Digital transformation leapfrogging organizational readiness

Digital enablement was a major success factor as organizations pivoted to a predominantly remote work environment in the early stages of the COVID-19 pandemic. However, resourcing and change management challenges mean many initiatives are not delivering on their promise.


Short-term priority
10/10

Short-term trend
No Change

Uncertainty
High

Long-term risk forecast
7/10


What the experts are saying

Organizations cannot expect to reap the benefits of new tools and approaches to doing business if they’re not also investing in effective onboarding, training, support personnel, systems integration, and overall change management. A great system is virtually worthless if employees don’t know how, or are unwilling, to use it.

Businesses that made significant investments in technology over the past two years would benefit from assessing how those systems are being utilized and whether they’re delivering the expected return on investment. Failing to address those issues now could prove an even bigger barrier to continued transformation efforts.

What internal audit should ask

  • What are the benchmarks for a successful digital transformation initiative and how do recent projects measure up?
  • What are the risks of not using digital technologies as intended and how can these be overcome?
  • What are the barriers to change and how can employees be incented to embrace new technology?
  • Which transformation initiatives have the potential to deliver the greatest return on investment? And which initiatives should be sunset because they are not delivering value?
  • Is the current organizational culture supporting strategic and technological change or creating a barrier?

Sustaining integrity and ensuring value from the use of artificial intelligence

The quality of analytic and AI-driven decisions can only ever be as good as the data behind them and the assumptions when modelling decision bias. But as organizations rush to adopt and make use of these technologies, many are failing to put the right controls in place to ensure inputs and outputs retain integrity over time.


Short-term priority
8/10

Short-term trend
No Change

Uncertainty
Medium

Long-term risk forecast
7/10


What the experts are saying

Critical errors can arise from any number of inconsistencies in the way data is collected, entered, or formatted — cyber breaches, especially those that go undetected, can also impact a system’s validity and functionality. To make matters worse, there is an added risk that errors will compound as AI, decision bias, or analytic tools rely on past erroneous data to make further predictions.

Step one is to ensure data and decision bias integrity from day one. But organizations also need to have controls in place to assess and ensure system integrity, data integrity and decision bias on an ongoing basis.

Another factor to consider is the speed of error detection, as identifying erroneous data quickly will become even more critical as systems become more interconnected and interdependent.

What internal audit should ask

  • What controls are in place to continuously monitor data integrity and flag quality control issues?
  • Are decision bias assumptions well understood and acceptable?
  • Who is responsible for data governance in the organization?
  • What procedures are in place to test the validity of automation processes and predictive algorithms?
  • Where are the connection points between data governance, data security, and those responsible for building and evolving algorithms?

 


Keeping up with the speed of digital innovation

As technology continues to evolve at a faster pace, the window to realize the benefits is shrinking. Where early adopters could once build a years-long competitive advantage from the latest digital tools, the speed of innovation is now measured in weeks.


Short-term priority
7/10

Short-term trend
Increasing

Uncertainty
High

Long-term risk forecast
9/10


What the experts are saying

Many digital products that are commonplace today did not exist five to ten years ago. And many of those same technologies may not exist five years from now. Timing is everything as there are costs to waiting too long to innovate — and forging headlong into the wrong initiatives.

One of the most obvious challenges is there will be more opportunities to pursue than time, resources, or brainpower to reap the advantages. Transformations will be instrumental to success, but not every transformation will be a worthwhile investment.

Organizations require governance capabilities that define when it’s time to adopt new digital capabilities, and how to bring those online as efficiently as possible. Those that understand which to pursue, as well as when, how, and why to pursue them — and how to mitigate the related risk — will be dominant in the years ahead.

What internal audit should ask

  • Does the organization have a governance program to oversee information technology innovation and related risk?
  • Are you in a highly competitive industry that could benefit from disrupting itself with innovation to provide greater value to customers?
  • What are the barriers to new technology adoption?
  • How is the organization ensuring digital transformations deliver a sustainable return on investment?
  • What talent and resources are required for the organization to maximize the value of new technology adoption?

Cyber and privacy risks are perennial concerns for organizations of all sizes and industries — and that ubiquity is what makes them so dangerous. Just as the fish doesn’t know it’s surrounded by a sea of water, how do leaders avoid becoming habituated to the threats all around?

Shifting attention to insider risk

Cyber risk is commonly thought of as something that comes from outside of the organization, which can lead organizations to ignore the very real threats that exist within their perimeter defences. However, insider threats can often do far more damage with a fraction of the effort.


Short-term priority
9/10

Short-term trend
Increasing

Uncertainty
Medium

Long-term risk forecast
6/10


What the experts are saying

Insider risks include intentional or unintentional behaviours such as an individual responding to a phishing attack, poor cyber defences within an external cloud or network-connected software or device, or malicious actions by an employee or external contractor.

Organizations should pay close attention to any employees, contractors, devices, or systems that have access to key IT infrastructure and information. Almost every organization has increased their reliance on third parties over the past five years. This has significantly increased the number of insiders, and therefore the number of opportunities for a breach to occur.

What internal audit should ask

  • What assurances have third-party vendors provided on the efficacy of their cyber security policies and practices?
  • What steps has the organization taken to minimize third-party risk (i.e., risk assessment, background checks, vendor agreements with risk mitigation terms, segmented networks, etc.)?
  • Who has access to critical systems and data and how often does the organization review privileges?
  • Does the organization conduct background checks on individuals and third parties before granting access to critical systems?
  • Does the organization independently audit new software and physical systems for physical and cyber security vulnerabilities? How are access rights assigned and removed for employees and contractors?
  • What training is available on cyber risks and how to report suspicious behaviour?

The evolving shape of cybercrime and managing the risks of self-disruption

Cybercriminals are constantly evolving their tactics and exploiting new opportunities. This risk is amplified by the number of digital, structural, and operational changes most organizations have undertaken in recent years — and it might increase as even more organizations experience the great resignation and retirement trend.

Boards and leaders need to recognize they will always be on the back foot — especially as attackers continue to find new and innovative ways to be successful with ransomware and other tactics of choice. But there are steps they can take to avoid falling too far behind.


Short-term priority
10/10

Short-term trend
No Change

Uncertainty
High

Long-term risk forecast
10/10


What the experts are saying

Complacency is the most dangerous mindset organizations can have when it comes to cyber security. Resilience is not a “set it and forget it” kind of thing. Even well-established types of attacks are constantly appearing in new and unexpected ways — often with surprising levels of success. Sometimes it might even be an insider leading it.

New IT infrastructure, remote versus in-office work, and excessive employee turnover can further impact preparedness and increase the likelihood that a cyber attack will both succeed and go undetected. And there may already be a large volume of information about the organization’s vulnerabilities and login credentials circulating on the dark web.

Training, threat assessments, and penetration testing need to be ongoing. These need to factor in the latest available thinking about how the organization and cyber threats are evolving — and how threats could infect the network and impact the organization at large.

Utilizing new advanced services such as Dark Web Scanning may reveal what the hackers are saying about a company and what vulnerabilities might exist.

What internal audit should ask

  • Is cyber resilience monitored at the board level and is security a regular agenda topic in board discussions?
  • Are there formal policies for ongoing employee cyber security training and regularly updating modules to include emerging breach tactics?
  • Does the organization have a formal policy about how to report suspicious activity (e.g., phishing emails) or a cyber incident (e.g., clicking on a suspicious link)?
  • Does the organization have an incident response plan? How often is this plan practiced? How often does this plan get updated?
  • Has the organization established a cyber security program that adequately mitigates both current and evolving cybersecurity threats?
  • How have new technologies, practices, and business models changed the organization’s overall cyber risk exposure?
  • Have you ever utilized Dark Web Scanning to learn what the hackers are saying about your organization?

Minimizing your privacy risk amid changing regulation

Jurisdictions across the globe are strengthening regulations around how organizations can collect and use personally identifiable information — and how they must dispose of it. The increased scrutiny and regulatory complexity come with steeper fines and penalties for non-compliance, along with severe penalties in the event of a breach.


Short-term priority
7/10

Short-term trend
Increasing

Uncertainty
High

Long-term risk forecast
10/10


What the experts are saying

The trend is moving toward greater transparency and greater control on behalf of those who own the data. Organizations will therefore need to balance the immense competitive advantages of all the data they could potentially collect against the legal and ethical consequences of improperly gathering, mishandling, or misusing that data.

The more geographical regions an organization operates in, the more frameworks it will need to comply with — and the more legal, financial, and reputational risks it will ultimately face. For example, several Canadian provinces have either passed or are proposing legislation which differs from that at the federal level.

What internal audit should ask

  • Who is responsible for privacy in the organization and what authority do they have to ensure required compliance within the existing practices and procedures for the collection and use of data?
  • How do existing privacy policies and practices align with regulations in jurisdictions where the organization operates?
  • How will the planned changes in regulations, technologies, and organizational strategies impact the organization’s compliance with relevant privacy frameworks?
  • What processes are in place to educate relevant stakeholders on evolving privacy legislation and the impacts on organizational policies, procedures, and data management practices?
  • Has the organization evaluated the need for the data it collects in an effort to (1) minimize the data and storage locations it must protect and (2) enable customer self-service strategies for maintaining that data?

Goodbye greenwashing (making it look better than reality) and greenwishing (hoping things improve) — 2023 will begin a new era of transparency, policy, and sustainability accounting. New standards and expectations will present opportunities for some, and significant challenges for many.

Building a strategic roadmap by knowing your current and optimal future state

Rapidly evolving stakeholder expectations around ESG are increasing the pressure on organizations to react. Many will find it difficult to attract financing and customers in the years to come if they cannot produce a clear understanding of their current state, a vision for where they need to go, or how they will get there.


Short-term priority
9/10

Short-term trend
No Change

Uncertainty
High

Long-term risk forecast
9/10


What the experts are saying

The conversation around ESG progressed considerably over the past two years, and some organizations have made it more of a priority than others. However, the pace of change will continue to accelerate — advantaging those organizations that understand what steps they must take to quantify the ESG factors that have a material impact on their business, and how to improve on them.

At the very minimum, organizations should conduct an environmental scan and use this information to prioritize initiatives that will take them toward a future state desired by investors, customers, employees, and business leaders.

The largest emitters are realizing how complex, costly, and time-consuming reaching net zero will be, and there will be discoveries along the way that create both opportunity and risk. Reversing what took decades to invent and build, and implementing sustainable change in its place, may take decades.

What internal audit should ask

  • How does ESG fit into the organization’s strategic priorities?
  • What steps has the organization taken to understand and assess its current ESG priorities and associated metrics that are material to the business?
  • Who are the organization’s key ESG stakeholders and what are their expectations around reporting and the organization’s roadmap to improving ESG adoption?
  • What risks does the organization face by not prioritizing compliance with ESG and associated disclosure standards?
  • What ESG-specific assurance services are going to be required to meet the needs of stakeholders?

Meeting ESG standards for design, implementation, reporting, and assurance

Organizations must grapple with increased ESG costs and the complexity of new sustainability reporting standards over the next two years. It’s increasingly clear that high-emitting businesses will struggle to advance at the pace investors and stakeholders expect. And those that have not made ESG a priority will face an uphill climb in building a robust program that stands up to the scrutiny that will come with new regulations and disclosure standards.


Short-term priority
10/10

Short-term trend
Decreasing

Uncertainty
Medium

Long-term risk forecast
7/10


What the experts are saying

Carbon-intensive businesses are right to be worried. The future of ESG will be similar to that of financial reporting and assurance: Organizations will need to produce an accurate and independently verified accounting of how their business activities impact people and the environment.

The paradigm shift that must take place over the next five to 10 years will not come easy. In many cases, it will require investing significant resources to collect, understand, and report on key data throughout the business and supply chain — as well as managing projects associated with decarbonizing elements of the business to advance on ESG maturity goals.

The biggest test will come in 2024 when federally regulated financial institutions become subject to mandatory ESG reporting — which will have a downstream impact on their customers’ ability to access and deploy capital. However, stakeholders may be expecting progress to come much earlier, as many jurisdictions have already committed to net-zero targets (including Canada), and sustainability reporting standards will begin coming online in 2023.

What internal audit should ask

  • Who is accountable for ESG program design and rollout of related communications, accounting, and validation?
  • How does ESG connect to the organization’s strategy?
  • What steps has the organization taken to understand and comply with upcoming ESG reporting standards?
  • How will mandatory reporting requirements impact the organization’s ability to access and deploy capital?
  • Does the organization have the resources and expertise on staff to achieve compliance?
  • What are the near and long-term costs of ESG? What are the financial, reputational, and regulatory costs of inaction?

Ensuring culture complements strategy and ESG metrics

It’s one thing to set ambitious ESG goals. However, it will be extremely challenging, if not impossible, to make progress without buy-in from team members throughout the hierarchy. Organizations need to understand the cultural practices that are driving inaction and the steps required to effect measurable and lasting ESG-related changes.


Short-term priority
9/10

Short-term trend
Decreasing

Uncertainty
Medium

Long-term risk forecast
7/10


What the experts are saying

People are inherently resistant to change. Even more so if the practices and behaviours in question are deeply rooted or seen as being integral to the business or their identity. Organizations must set a clear tone from the top about why ESG-related initiatives are necessary and connect them to existing values and beliefs. This includes engaging internal stakeholders and ensuring they have a forum to voice their concerns.

ESG adoption will be even more difficult for industries that are particularly impacted by new imperatives that support this adoption, as it may require considerable sacrifices in the near term. Leaders must be transparent about how costs will be shared throughout the organization and communicate a clear vision for how team members and all stakeholders will benefit in the long term.

What internal audit should ask

  • What cultural practices and mindsets will create the most resistance to ESG-related initiatives?
  • What tools and resources do the board, executive, and operational leaders require to roll out cultural change effectively and garner support for ESG?
  • What are the costs of a poorly executed change initiative, both for the overall culture of the organization and for its progress on ESG metrics?

Addressing the risk related to planning aggressive greenhouse gas reduction targets and timelines

It’s increasingly clear that many organizations will struggle with the costs and complexity of advancing greenhouse gas (GHG) reductions at the pace investors, consumers, and regulators may expect. Many heavy-emitting businesses want to become more sustainable, but questions remain about how much progress toward net zero can be achieved in the near term. It’s also unlikely that consumers will respond favourably to the resulting, and largely unavoidable, disruptions to the supply chain.


  • Short-term priority: 9/10
  • Short-term trend: Increasing
  • Uncertainty: High
  • Long-term risk forecast: 10/10


What the experts are saying

Carbon-intensive businesses are right to be worried about what an increased focus on GHG reduction and aggressive net zero targets will mean for their organization. The paradigm shifts that must take place over the next five to 10 years will not come easy for industries that don’t traditionally align with the core tenets of sustainability.

Moreover, any progress that businesses do make will impact the delivery of goods and services and may complicate existing supply pressures. The financial and opportunity costs of transitioning away from traditional business models will be massive and could take decades to achieve.

ESG also presents hidden costs that will only become apparent once organizations begin developing programs and transition strategies in earnest. These include collecting data and reporting on ESG metrics and hiring external auditors to annually validate ESG compliance — as well as managing projects associated with decarbonizing elements of the business to advance on ESG maturity goals.

In some cases, the cost and risk related to the change may exceed the risk appetite of the organization, especially if the implementation timeline is too aggressive. There will need to be a significant amount of discussion on risk mitigation strategies as these changes are being implemented.

What internal audit should ask

  • What are the costs and risks related to changes needed to achieve ESG timelines (especially GHG reduction and net zero targets)?
  • As changes are made to reach net-zero or GHG reduction targets, has the organization assessed impacts on the supply chain and established risk mitigation plans?
  • What is a realistic timeline for the organization to meet sustainability targets?
  • What are the side effects of moving too fast or slow?
  • How does your organization compare to its peers in terms of being a leader or follower with regard to GHG and/or net zero targets? Could this impact demand for your products or services?
  • How can carbon-intensive organizations manage consumer, investor, and regulatory expectations on sustainability?
  • Are sufficient risk mitigation strategies in place over the timeline of planned ESG-related change?

Many organizations found themselves caught off guard by the magnitude of business disruptions and interruptions over the past two years. Thankfully, recovering from one disaster can prove to be a valuable lesson in how to prepare for the next one.

Outsourcing and growing reliance on third parties

The more organizations outsource, the more their business becomes dependent on the responsiveness and resiliency of people and systems beyond their direct control. There are numerous benefits to working with third-party systems and service providers, but organizations need to understand the risks involved and have contingency plans in the event of an interruption.


  • Short-term priority: 9/10
  • Short-term trend: Decreasing
  • Uncertainty: Medium
  • Long-term risk forecast: 6/10


What the experts are saying

For every business challenge a third party solves, organizations need to understand the potential consequences if something goes wrong with that provider. For example, cloud service providers can cut IT costs drastically and enable anytime-anywhere collaboration. But what if they face a cyber-attack or their servers are taken offline?

Outsourcing does not mean an organization can abdicate responsibility for the function that is being outsourced. It’s imperative that organizations clearly outline in contracts which risks they will be responsible for in an outsourcing relationship, and which the vendor will take on. Organizations should also monitor each vendor’s reliability and have continuity plans in place for operationally critical areas.

What internal audit should ask

  • When did the organization last review its vendor management risk assessment and contract development process? Who is shouldering the costs and risks of unreliability?
  • What is the process for identifying key vendor dependencies, ensuring quality is being delivered by the third party and identifying product / service-related risks and risk management strategies?
  • How does the organization monitor and evaluate the ability of third parties to deliver the expected level of reliability and confidence? Are there provisions in place to terminate the relationship for poor performance?
  • What third-party vendors and service providers are critical to the continuity of business operations? Has the organization obtained a Service Organization Controls Report to provide assurance over the goods/services provided? Does the business have a continuity plan if those products or services become unavailable?
  • Has the organization audited the business continuity policies and practices of critical third-party vendors and service providers?

A renewed focus on health, safety, and security post-COVID

Many long-forgotten risks are re-emerging as organizations welcome team members back to the office. Some firms necessarily shelved various health, safety, and wellness programs during the pandemic. However, being slow to revive those practices comes with increased liability and potentially puts people in harm’s way.


  • Short-term priority: 10/10
  • Short-term trend: Decreasing
  • Uncertainty: Medium
  • Long-term risk forecast: 4/10


What the experts are saying

The pandemic has conditioned organizations to associate health and safety with masks, hand sanitizer and plexiglass barriers. For many organizations, it’s been two and a half to three years since they last ran a fire drill, reviewed security procedures, restocked first aid supplies, performed an ergonomic review, or updated workplace health and safety policies.

Given the amount of time that has passed, and the impacts of the Great Resignation, it’s also fair to assume many new employees have not learned reporting procedures in the event of an incident or near miss.

Organizations will be wise to perform an environmental scan to understand the physical and mental hazards in their workplace — how those have evolved, and how they impact team members who work in the office, remotely, or in a hybrid setup.

What internal audit should ask

  • When was the last time the organization reviewed workplace health, safety and security policies and procedures?
  • Has the organization incorporated health and safety communications and training as part of its return to office plans?
  • How have remote and hybrid work arrangements altered existing plans for workplace health, safety, and security?
  • What is the organization doing to adequately support employees’ emotional and psychological well-being?
  • Does the organizational culture support health, safety, and physical security policy?

Fraud, bribery and the criminal exploitation of disruption

Corporate fraud risk increased sharply in the early months of the pandemic and continues to evolve as many organizations shift to hybrid work arrangements. Organizations need to understand how the rationale and opportunities for fraud have shifted over the past two years — and create long-term plans to monitor and discourage unethical practices.


  • Short-term priority: 9/10
  • Short-term trend: Decreasing
  • Uncertainty: Medium
  • Long-term risk forecast: 6/10


What the experts are saying

Whistleblower tips are one of the most effective tools organizations have to detect instances of fraud, while personal financial difficulties are one of the most common reasons employees engage in fraud schemes.

In both respects, employers are seeing a very similar situation now as in early 2020: hybrid work arrangements provide opportunities for individuals to engage in fraud without being seen by supervisors or co-workers. Inflation at 40-year highs and rapidly rising interest rates are also ramping up the financial pressures on many households.

Another major risk factor that some organizations haven’t considered is the considerable turnover they may be experiencing due to the Great Resignation. New employees may feel emboldened to engage in fraud schemes because they have not received training on the code of conduct and do not yet understand that the culture does not condone unethical behaviour.

What internal audit should ask

  • What steps has the organization taken to adapt antifraud controls to suit a hybrid workplace?
  • Has the organization taken adequate steps to train new employees on fraud, ethics, and whistleblower policies in the code of conduct?
  • What areas of the business are most susceptible to fraud and how does remote work impact these risks?
  • When was the last time the organization conducted an independent assessment of fraud risks and vulnerabilities?

Business continuity, crisis, and disaster response

With the worst of COVID-19 apparently over, organizations must review business continuity plans and apply key learnings to improve their resilience to future crises. With many disruptions yet to resolve, and the pace of change accelerating, the likelihood of another significant disruption is extremely high. Now is the time to get ready.


  • Short-term priority: 9/10
  • Short-term trend: Decreasing
  • Uncertainty: High
  • Long-term risk forecast: 7/10


What the experts are saying

The pandemic was undoubtedly unexpected by most of the world, but it was far from the only crisis organizations have had to contend with. Disruptions to the global supply chain, skyrocketing inflation, the war in Ukraine, and the Great Resignation have all posed unique challenges to business continuity.

With so much social, economic, and environmental uncertainty heading into 2023, it’s nearly impossible to predict what will happen next. However, boards and leaders need to understand where they’re vulnerable and how their organizations can thrive in a state of constant change.

What internal audit should ask

  • How has COVID-19 changed the organization’s approach to crisis and continuity planning?
  • How will a changing and unpredictable climate impact the organization and its ability to operate? What disaster recovery plans are in place in the event of a fire, flood, or severe weather event?
  • How does the organization’s reliance on third parties / international supply chains affect its ability to operate and respond to a crisis?
  • Has the organization simulated the impacts of likely crises to test business continuity plans and understand its resilience?
  • Does the organization clearly understand individual roles and responsibilities in the event of a crisis, and has it developed the necessary training and communications plans?


Contributors

Richard Arthurs, FCPA, FCMA, MBA, CFE, CIA, CRMA, QIAL
National Leader, Internal Audit
587.702.5978

Ashish Bhandari, CISSP, CISA, CCSK, CIPP/US, PMP
Partner, Enterprise Risk Services
403.263.3385

Mariesa Carbone, CPA, CA, ABCP, CRMA
National Enterprise Risk Services Leader
780.453.5377

Gord Chalk, MBA, CMC
Consulting Leader, Energy and Utilities
403.648.4123

Adrianna Gliga, CISSP, CIPM, PCIP
Privacy Leader, MNP Digital
647.480.8489

Mary Larson, ICD.D
Leader, Organization Renewal
514.228.7905

Chris Law
Partner, MNP Digital
604.817.4852

Jason Lee
Partner, MNP Digital
416.462.4200

Lisa Majeau Gordon, FCPA, FCA, CA•IFA, CFE, CFF
National Leader, Forensics and Litigation Support
780.453.5375

Sean Murphy, FCMC, CPA, CMA, PMP
Regional Managing Partner, Consulting, Ontario and Quebec
613.691.8503

Len Nanjad
Partner, Consulting
587.441.5480

Edward Olson
Partner, ESG Leader
866.934.9091

Hash Qureshi, CPA, CMA, CRISC, CISA, CISSP, CRMA, P.Eng, MSc
Partner, Consulting
613.691.8501

Cliff Trollope, CBCP, CRM, CAS
National Leader, Business Resilience Services
416.515.3851
