As part of its 2023 “Global Risks in Focus” report, the Internal Audit Foundation asked internal audit leaders across the world to identify some of the greatest risks organizations must address in the coming years.
Among North American companies, the top three risks were:
- Cybersecurity, cited by 85% of respondents
- Human capital, cited by 65%
- Regulatory changes, cited by 43%
Here, we’ll look at these risks and identify ways to manage them.
1. Cybersecurity and data privacy
Cyberattacks have become an expected part of business. According to Splunk’s 2023 “CISO Report,” 90% of chief information security officers (CISOs) have reported a disruptive incident in the past year. To illustrate the impact of these attacks, 83% reported paying cybercriminals after a ransomware attack. More than half paid over $100,000, using cyber insurance or negotiation.
Artificial intelligence (AI) is only intensifying these risks. Although 70% of CISOs believe AI gives cybercriminals an advantage, 35% report using AI in their own cyber defenses, such as malware analysis. And 93% have incorporated it into their automated processes, either extensively or moderately.
Basic cybersecurity includes backing up your data, requiring employees to change passwords regularly, and reinforcing smart online behavior through education. To reduce the risk of a ransomware attack specifically, the Cybersecurity and Infrastructure Security Agency recommends taking these additional steps:
Store your backups on a separate drive that can be disconnected from the main network. That way, if your primary network is compromised, you have a noninfected resource you can use.
Install and regularly update antivirus software, firewalls and email filters.
Check employees’ cybersecurity awareness by sending an email that simulates a real-world phishing email. If an employee clicks on the link, they receive a reminder message about the importance of diligence.
Regularly update all applications and operating systems. Install patches and security updates immediately.
Check web addresses and emails before clicking on links. Many malware criminals use addresses that are almost identical to legitimate sites and email addresses, sometimes changing out only the .com for a .net. Be particularly cautious of zip file attachments.
If you suspect a ransomware infection, follow the Ransomware Response Checklist on page 11 of the CISA-MS-ISAC Joint Ransomware Guide.
2. Human capital
The shortage of skilled labor persists. Employers face risks from having too few qualified employees, hiring workers who need substantial training, and not hiring or firing workers who are not a good fit. The use of AI in job announcements and digital scanning of applicants is another employment practices risk. While AI promises efficiency, it can make you vulnerable to discrimination claims.
The demand for flexible hours and remote work complicates risk management as well. For example, you may no longer have a single work location, consistent scheduling or even the same technology in use across your organization. This makes it hard to manage people, processes and systems. It also complicates your insurance coverage.
To manage your risks from qualified-labor shortages, you may have to budget for extended employee training. This can help new workers develop the skills you demand, thereby reducing your risk of injuries, errors, omissions and employee complaints of wrongful workplace practices. You may also have to change your recruitment methods to avoid claims that your job postings or online application filters discriminate against protected classes of workers. Consult an employment attorney to make sure you don’t run afoul of current or upcoming regulations in this area.
Treating your employees well is one of the greatest risk reduction strategies you can implement. Studies consistently show that employees are more likely to care about and stay with a company that:
- Requests, listens to and responds to their input
- Communicates expectations, the purposes of tasks and organizational developments clearly and in promptly
- Provides meaningful work and career growth opportunities
- Offers adaptable work models, including paid time off, flexible work hours, and remote or hybrid work
Lastly, having a clear and comprehensive employee handbook is extremely valuable as a risk management tool. At a minimum, your handbook should cover:
- Remote and flexible work arrangements
- Tracking and reporting of work hours
- Rules for the use of company and personal equipment
- Injury reporting and emergency response plans
- Training requirements and performance expectations
- Substance use detection and penalties
3. Regulatory changes
Most regulatory changes, whether at the federal, state or local level, create a financial impact for businesses as well as an additional risk of loss. To stay ahead of regulatory changes, participate in association committees that work with government agencies and influence legislation. You may even need a designated employee or hired counsel to keep you abreast of regulatory action.
You can minimize employee and customer frustration by communicating regulation details ahead of implementation. Develop employee and customer materials that address specific concerns about the pending change. If the rules require changes to personal protective equipment, employee behavior or work processes, train your employees and managers on implementation and ongoing compliance. Keep detailed records of your communications and trainings in case you are accused of a violation.
Key takeaways
Although cybersecurity, human capital and regulatory changes represent some of the primary risks you must address this year, they aren’t the only risks. You may have other significant challenges specific to your industry, location or work processes. For example:
- Work-related fatalities are increasing, especially in transportation, cargo and construction.
- The rate of workplace violence is increasing, according to the Bureau of Labor Statistics.
- The Equal Employment Opportunity Commission (EEOC) brought 50% more lawsuits against alleged discriminators in fiscal year 2023 than in 2022. It’s also incorporating new rules regarding AI bias and giving priority attention to the Pregnant Workers Fairness Act and long COVID.
You can reduce your risk of loss by taking a proactive approach and involving your insurance professional. They can help you with risk management and quality insurance.