Top Risks Organizations Face in 2021


On Thursday, January 21, internal audit and risk management subject matter experts Ron Steinkamp, Partner, Advisory Services, and Bianca Sarrach, Principal, Advisory Services, hosted the webinar “Top Risks Organizations Face in 2021.”

During the webinar, Ron and Bianca delved into a recent report from The Institute of Internal Auditors (IIA), “OnRisk 2021: A Guide to Understanding, Aligning, and Optimizing Risk.” The report, based on interviews with board members, management and chief audit executives, outlined COVID-19’s impact on risk management, identified the key risks facing organizations in 2021 and provided guidance on how organizations can mitigate those risks in the year ahead.

COVID-19 and Risk Management

The COVID-19 pandemic majorly shifted organizations’ approach to risk management. Companies had to pivot from planning long-term strategy to planning for the immediate future, and many had to change the very framework of their operations practically overnight. Offices had to shift to virtual meetings, redefine customer experience and push for an accelerated adoption of new technologies. Agility and flexibility became a key focus for organizations’ survival.

In 2020, many organizations zeroed in on merely getting through the pandemic. However, as COVID-19 and its effects continue to linger, organizations will have to keep adjusting their expectations for the year ahead. Companies will have to put their control processes under a microscope and determine whether those processes are still sustainable. Leaders will need to continually re-examine their risk management practices as they forge into an uncertain future.

Key Risks Organizations May Face in 2021

The “OnRisk 2021” report identified key risks facing organizations in 2021 and presented recommended actions based on the Three Lines of Defense Model, a model that designates roles and actions to three primary groups involved in effective risk management: management, governing body and internal audit. The Three Lines of Defense Model aims to ensure that there are no gaps in the risk management process; rather, each group follows its own specific duties to effectively and efficiently manage risk.

According to the “OnRisk 2021” report, the top-rated risks that are poised to affect organizations in 2021 are business continuity, crisis management and cybersecurity.

Business continuity and crisis management

For business continuity and crisis management, the central issue is the significant existential challenges that organizations may find themselves grappling with, from cyber breaches and pandemics to reputational scandals and succession planning. When examining their current strategy for business continuity and crisis management, organizations should ask themselves, “How are we able to prepare, react, respond and recover from a crisis?” The collective recommended action for management, the governing body and the internal audit team is to leverage experiences of the global pandemic to identify organizational strengths and opportunities for improvement and work collaboratively to implement improvements where necessary.

Cybersecurity

Cybersecurity also promises to be a critical issue in the year ahead. The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations’ brands and reputations, resulting in financial impacts. The report suggests that, when it comes to cyberattacks, organizations should ask themselves the central question, “Are we sufficiently prepared to manage cyber threats that could cause disruption and reputational harm?”

For management, the recommended action is to dedicate necessary resources to evaluate emerging cyber threats, get perspective on current status and provide updates to the board. The governing body should be tasked with ensuring that the appropriate time is allocated in meeting agendas to educating the board on emerging cyber threats, organizational efforts and existing vulnerabilities. The internal audit team’s driving action should be to identify opportunities to educate management and the board on emerging cyber risks and perform routine evaluations of all risk management functions related to cybersecurity.

The “OnRisk 2021” report scrutinized nine other top risks as well: third party, board information, sustainability, disruptive innovation, economic and political volatility, organizational governance, data governance, talent management and culture. However, as Ron and Bianca emphasized in the webinar, every organization is different and must look inward to identify its own top risks.

Evaluating and Managing Risk

Ultimately, organizations need to determine how they will evaluate and manage risk moving forward. Brown Smith Wallace recommends implementing COSO’s Enterprise Risk Management (ERM) framework in order to do so. When implementing ERM, the first step is to set the structure of your ERM program and define ERM governance to set your risk environment. Once an organization has set its top risks, an important next step is to determine the risk mitigation strategy and develop key risk indicators. Finally, implementing continuous monitoring and ensuring ongoing communication to all stakeholders is a vital step for the successful implementation of ERM.

No matter what objectives your organization is pursuing in the year ahead, there will always be some level of risk. Learning how to properly identify, manage and monitor those risks will mitigate anxiety as your organization navigates the turbulent year ahead. Ultimately, the goal of risk management is to be ingrained in an organization and not be separate from it.

If you’re interested in hearing more about this topic and were unable to attend the live webinar, click here to access the recording.

If you have questions or need assistance, please feel free to reach out to Ron at 314.983.1238 or Bianca at 314.983.1365.
