#takeaways Risk Round Table: How to enhance organizational preparedness to mitigate emerging risks

How to enhance organizational preparedness to mitigate emerging risks

On October 10, TriFinance experts Annemie Pelgrims and Steve van der Steen hosted a round table on "How to Enhance Organizational Preparedness to Mitigate Emerging Risks".

Chief Audit Executives from various companies representing a diversity of industries discussed ways to improve the capabilities of internal audit and risk management. Key topics included methodologies for identifying and assessing emerging risks from both enterprise risk management and internal audit perspectives, as well as leveraging the latest advancements in analytics for comprehensive risk assessments.

Building a cohesive risk landscape: from risk-based Internal Audit plans to ERM

We began the roundtable dinner by asking participants about their involvement in risk management - a foundational question that set the stage for the evening’s discussions. From our perspective as TriFinance Risk professionals, we believe that advanced internal audit functions are most effective when they take on a dual role. This includes executing a rolling risk assessment to develop a risk-based audit plan, while also supporting the development and implementation of Enterprise Risk Management (ERM). Ideally, both exercises should start from the same risk universe, promoting alignment and ensuring a cohesive view of the organization’s risk landscape.

In response, participants shared their roles and responsibilities in risk management. Half of the attendees focus primarily on conducting rolling risk assessments to create risk-based audit plans, while another 30% are also involved in ERM development and implementation. 

One participant highlighted an evolution in their approach, moving from simply executing risk assessments to taking a more active role in ERM—a shift that strengthens the alignment between internal audit and ERM within a unified risk universe. One organization, without a dedicated enterprise risk management function, has established a compliance steering committee together with the Head of Internal Audit. This committee is responsible for documenting procedures, including those related to the Corporate Sustainability Reporting Directive (CSRD). Composed of representatives from Internal Audit, Legal, Finance, Quality, and Sustainability, this group ensures a coordinated, cross-functional approach to risk management and compliance.

An inspiring metaphor that emerged during the discussion described internal auditors as “Gardeners of Governance,” a concept introduced by Dr. Rainer Lenz. This analogy envisions the internal auditor as a dedicated steward who nurtures an environment for sustainable growth. Like gardeners, internal auditors “sow seeds, fertilize, water, and nurture,” constantly monitoring and adapting to external conditions to cultivate a resilient risk management landscape. Though indirect, their impact is profound, fostering organizational resilience with patience, adaptability, and a results-oriented focus.

Holistic Internal Audit risk assessment: integrating internal insights and external intelligence

At our roundtable, participants emphasized that identifying top risks requires a well-rounded approach combining internal insights and external intelligence. Internally, organizations draw on internal audit observations noted during prior Internal Audits, historical health, safety and fraud incidents and business concerns highlighted by management and executives teams. These processes enable a nuanced understanding of potential vulnerabilities grounded in both past experiences and executive perspectives. 

Externally, they leverage insights from industry publications, the appointed external auditor and professional bodies such as the Institute of Internal Auditors (IIA) and the World Economic Forum (WEF), which provide valuable context on industry norms and evolving risks. Benchmarking against sector peers (competitors, customers and suppliers) also emerged as a crucial strategy, helping organizations to align their risk outlook with broader industry trends.

Our TriFinance risk experts then invited participants to share their top five current risks, revealing a range of pressing and common concerns. Key risks included cybersecurity threats, talent acquisition and management challenges, raw material shortages (alongside the need for alternative materials), digital transformation, and compliance requirements.

Participants also highlighted the impact of geopolitical instability—particularly in Russia, Ukraine, and Lebanon—as well as hyperinflation in Argentina, all of which are disrupting local operations and influencing the management of fixed assets. In response, many organizations are intensifying third-party screening for political exposure to sanctions, while banks increasingly scrutinize outgoing payments to high-risk regions. To further support these efforts, TriFinance Risk professionals highlighted the potential of continuous control monitoring techniques for the ongoing review of outgoing payments, extending coverage to sensitive regions and tax havens alike.

Comprehensive Enterprise Risk Management: strengthening residual risk profiling

To deepen enterprise-wide understanding of risk management, we recommend evaluating risks on a residual level, using the same risk universe as internal audit. This approach centers on three key parameters: the likelihood of risk occurrence, its potential impact, and the maturity of existing internal controls. Such a structured evaluation enables organizations to accurately identify vulnerabilities and create action plans that strengthen control maturity.

We explored whether participants felt their assurance providers—such as external audit, internal audit, quality departments, and management—are proactively addressing the top risks with high likelihood and impact, alongside low internal control maturity. Most agreed that while management assumes responsibility for risk mitigation, Internal Audit and Enterprise Risk Management responsibles often face accountability challenges. Participants emphasized the importance of clear roles and collaboration across the second and third lines of defense to effectively manage critical risks.

Additionally, when asked about tools used for risk assessment, most participants noted reliance on Excel. There was broad interest in a European-focused audit & risk management system, with a preference for in-house or integrated solutions over outsourcing. Participants stressed that such systems should serve business needs, rather than requiring the business to adapt to the tool.

In conclusion, as organizations face an increasingly complex risk landscape, aligning internal audit and enterprise risk management efforts through a shared risk universe is essential for a comprehensive view of risks. A combined risk identification approach—blending internal insights, external intelligence, and residual risk profiling—enables the detection of internal control weaknesses and the development of effective action plans. Clear roles, responsibilities, and collaboration across assurance providers are key to managing top risks effectively. As businesses confront rising challenges like cybersecurity threats and geopolitical instability, adopting proactive, technology-driven risk management strategies is crucial.