Permacrisis: Why Traditional Risk Management is Obsolete for Internal Audit
The concept of 'permacrisis' highlights a continuous state of global instability, rendering traditional, episodic risk management approaches ineffective. Internal audit and assurance professionals must recognize this fundamental shift, moving beyond predictable models to embrace resilience, integration, and adaptability in their risk frameworks. This article argues that the interconnected and compounding nature of modern risks demands a complete reinvention of how organizations, and by extension internal audit, approach governance, risk, and compliance.
The End of Predictable Risk: Welcome to Permacrisis
The author argues that the 2020s have ushered in an era of "permacrisis," characterized by continuous, interconnected, and compounding global instabilities. This environment, marked by events like pandemics, economic upheaval, and geopolitical conflicts, fundamentally challenges the core assumptions of traditional risk management. Historically, organizations operated under the belief that crises were episodic, followed by a return to a predictable baseline. However, this assumption no longer holds true, as risks are now constant, intertwined, and amplify each other across various domains.
Traditional risk management frameworks, built on principles of predictability, cyclicality, and separation, are ill-equipped for this new reality. Predictability is undermined because historical data is no longer a reliable indicator for novel and unprecedented risk combinations. Cyclicality, with its reliance on periodic reviews, fails in an environment where risks evolve in real-time. Furthermore, the separation of risks into silos (financial, operational, strategic) is obsolete, as permacrisis demonstrates how risks cascade across domains, creating complex chain reactions.
Reinventing Risk Management: Resilience, Integration, and Adaptability
To navigate the permacrisis, organizations must adopt a new paradigm centered on resilience, integration, and adaptability. Resilience, rather than mere prevention, becomes the primary objective, focusing on an organization's capacity to absorb shocks, adapt to changing conditions, and recover swiftly. This requires a holistic re-evaluation of everything from supply chains to workforce strategies. Integration is crucial for achieving an enterprise-wide view of risk, moving beyond siloed management to a connected approach where risk intelligence flows seamlessly across functions. Finally, adaptability must be embedded in the organizational DNA, necessitating faster decision-making, agile governance, and the use of scenario planning and stress testing to prepare for multiple simultaneous crises.
Implications for Governance, Risk, and Compliance (GRC)
The permacrisis has profound implications for GRC. Governance must evolve from an anchor in stability to a dynamic function focused on resilience and agility, with boards and executive teams actively engaging with risk as a strategic imperative. Risk management must transform from a control-oriented function to a strategic enabler of resilience, shifting from backward-looking assessments to forward-looking insights and integrated perspectives. Compliance, too, must become proactive and intelligence-driven, aligning closely with risk management and business strategy, as failures can quickly escalate into broader organizational crises. The author concludes that the traditional boundaries between governance, risk, and compliance are dissolving, necessitating a more integrated and strategic approach to managing uncertainty. Organizations that embrace this reinvention will be better positioned to thrive in the new normal of permacrisis.
Read more