Reputational risk is a severe threat to all companies. What are board members and internal auditors doing to combat such operational risks?
This article was published by www.accountingweb.com
Corporate board members now rank reputational risk an even bigger overall concern than they have in the past three years, according to the sixth annual Concerns About Risks Confronting Boards survey from CPA firm EisnerAmper LLP.
But board members – the strategy-setters for organizations – often take little action to manage various types of risk, and 71 percent of public company directors say they rely on internal audit to identify risks, the survey reveals. The traditional use of internal audit, however, is evolving into “operational audit” to monitor overall risks rather than just “the books.”
While risk management may fall to daily operations, “there seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion,” the survey states.
“Reputational risk is a severe threat to all companies, yet responses from board members indicate that reputational risk is so broad in scope – highly impacted by other risks like financial, product, cyber, and more – that it is difficult to sufficiently address and prepare for the many types of reputational threats,” Steven Kreit, an audit partner at EisnerAmper who leads the survey project, said in a prepared statement.
Further, only 6 percent of board members think they have a handle on social media risk, yet social media and cybersecurity are directly tied to company reputations, and boards should consider both among the most important risks to monitor, said EisnerAmper CEO Charly Weinstein.
However, a majority (70 percent) of respondents on public company boards do recognize cybersecurity as a key specific risk.
“It is becoming increasingly evident how connected reputation, cybersecurity, and social media are in relation to risk,” Weinstein said.
So, where does internal audit enter the picture?
Naturally, the majority of public company board members indicated they have an internal audit function, though 22 percent said they didn’t. But almost half of private and not-for-profit organizations said they didn’t have an internal audit function.
Many respondents associate “audit” with the more traditional financial audit and not with company operations. Yet, it’s operational internal audit that can cover far more company risks than financial audit, the survey states.
“While financial regulation may have dominated many companies’ audit concerns for the past decade or two, stemming from headline news like Enron and Madoff, growing operational risk should evolve boardroom discussions to consider the scope of their organizational audits and the need to review operations,” the survey states. “The new generation of crises may impact financials, but they will likely not originate in ‘the books.’”