Not only do managers have to cope with more change than ever, the change is happening faster and faster too. Employees once had two or three years to settle into a role, to understand it and, in some cases, to over perform and prepare for the next promotion or job move.
Now an employee’s goals, who they are asked to collaborate with, and the information and resources they need to do that can change multiple times a year.
For example, 7-in-10 employees experienced an increase in the pace, impact, and number of workplace changes over the past three years, mainly because a similar proportion (70%) of senior managers say they feel pressure to make big changes to their operations to meet larger and different targets (see charts 1 and 2).
Chart 1: Employees’ experience of change over the past three years Percentage of respondents; n=6,206 Source: CEB Control Owner Survey
Chart 2: Business leader expectations over the next 12 months Percentage of respondents; n=1,938 Source: CEB 2014 Q4 Business Barometer
This amount of change has made the jobs of internal auditors (and enterprise risk management professionals) much harder. “Providing assurance through change means conducting a lot of non-standard audits in new and unfamiliar areas,” the chief audit executive (CAE) at one telecoms firm in CEB’s client networks said. “This requires my staff to become more comfortable with ambiguity, as we are no longer just auditing against pre-defined standards.”
Modern firms are complex and interdependent, and are only going to get more so. For instance, growth means that companies will operate in more – and more diverse – markets, and this means they will be subject to a greater range of regulation than ever before and have to try to enforce compliance with that regulation and internal policies in more and more locations. On top of that, the increased use of offshoring, outsourcing, and shared service arrangements has reduced managers’ direct control over many risks.
As one CAE explained: “The business needs us to provide assurance that supports the achievement of their strategic objectives … but it is very hard to keep abreast of their changing strategy.” Chart 3 shows how these challenges make the audit process harder.
Chart 3: The effect of constant change on the auditing process Source: CEB analysis
Change Hits Control Owners the Hardest
In audit and risk management jargon, “control owners” are those responsible for the processes that prevent a risk to the business or at least mitigate that risk. This can be an HR manager that is responsible for the policies to do with fair hiring practices or a manufacturing manager responsible for health and safety processes in a factory.
And it is these control owners that that are most exposed to, and hardest hit by, all this organizational change. They are typically management-level individuals across HR, IT, Finance, and Operations. And when corporate change strikes, the effectiveness of these controls suffer.
Audit’s Response: Understandable but Incomplete
Because all of this upheaval is making audit professionals jobs harder, the natural impulse for CAEs is to change their function. Most Audit departments have made both processes and working practices more agile, according to CEB data.
Teams have invested in ways to improve the speed and flexibility of audit processes (i.e. rolling audit plans, data analytics), and are trying to make the audit team more adaptable to change (i.e. increasing business acumen, flexible staffing arrangements). There’s certainly nothing wrong with doing this but these efforts aren’t enough to help the company manage risk in such a changeable world.
In fact, in depth analysis of the data found no correlation between the effectiveness of internal auditors’ work and greater investment in making the audit function more agile.
Help the Company Become More Agile
But analysis of the data and conversations with more than 200 CAEs about their most significant change-related challenges, did show that the best way to help the business manage and respond to risks is to both improve the agility of Internal Audit and help improve the agility of the whole business.
It takes a long time for the business to recover from changes — and the result is often disruption of risk management processes. Change can create a lot of competing priorities, and that can paralyze decision making. Continuous change can also mean that control owners, and their ability to control risk, never have a chance to recover.
Preventive medicine is called for. This means helping the business anticipate threats so that it doesn’t experience such steep risk management declines after a change event. It also means equipping the business to bounce back faster if a decline occurs.