Insights from a compelling panel discussion on adaptive governance featuring industry leaders
The New Reality: Welcome to the Polycrisis Era
The world has fundamentally changed. We're no longer dealing with isolated risks that can be managed in silos—we're facing what experts call a "polycrisis," where multiple, interconnected challenges hit organisations simultaneously. Climate shocks, geopolitical conflicts, AI disruption, cybersecurity threats, and supply chain vulnerabilities are all colliding in ways that traditional governance models struggle to address.
As governance, risk and assurance professionals, we find ourselves at the center of this storm, tasked with helping our organisations not just survive, but thrive in this new reality. At this week's ACIIA (Asia-Pacific Confederation of Institutes of Internal Auditors) conference panel led by Philip Satish Rao featuring Dr. Kalanithin Nesaretnam (an experienced board member and climate governance advocate), Evelyn Foong (Head of Audit for Zurich ANZ and IIA-AU Board member), and Dusk Lim (governance technology solutions provider) and provided crucial insights into how we must evolve our approach.
The Speed of Change is Accelerating
Evelyn Foong shared a striking perspective on how rapidly our world is transforming: "In the 1920s, radio took 38 years to reach 50 million users. TV in the 1950s took 13 years. The internet in the 1990s took four years. Facebook took 3.5 years. Mobile apps in 2010 took just months." Her message was clear: "Auditors, risk professionals, governance professionals—you must unlearn to learn. The rulebook we have no longer cuts it."
This acceleration means that the skills and knowledge that served us well for decades may become obsolete in years or even months. As Foong emphasised, "The ability to spot, assess and respond to risk—or not—will determine whether we become dinosaurs."
Real-World Lessons from the Insurance Industry
Foong's insights from the insurance sector during COVID-19 perfectly illustrate how polycrises play out in practice. The pandemic created a cascade of interconnected impacts: lockdowns reduced vehicle usage, leading to fewer accidents and insurance claims. This seemed positive initially, but organisations that didn't anticipate the full cycle were caught off-guard.
"Post-COVID, when the world opened up, people returned to offices, more vehicles hit the roads, accidents increased, and repair demand surged," Foong explained. "Supply chains couldn't keep up with pent-up demand, and the claims staff that had been let go were no longer available." The result? Organisations that had relied on historical data and siloed thinking found themselves unprepared for the interconnected nature of the recovery.
The lesson for internal auditors is profound: we must challenge our organisations to think beyond traditional models and consider how risks connect across functions, geographies, and time horizons.
The Board Challenge: From Experience to Agility
One of the most striking observations came from the discussion about board composition and capabilities. Dr. Nesaretnam noted that many boards still prioritise past experience over adaptive skills: "Boards are not just about past experience anymore. We always want board members with past experience, the older generation. Don't think so much of experience on boards—it's now about smarter skills and proper succession planning."
Dusk Lim highlighted a critical governance weakness: the disconnect between technical teams and board understanding. His research revealed that while cybersecurity consistently ranks as a top-three risk, it's only discussed in two out of ten board meetings. The reason? "Board directors don't know what to ask. They don't know what to discuss."
The Internal Auditor's Unique Position
This is where internal auditors have a tremendous opportunity. As Lim pointed out, "You are in a very unique position to help board directors bridge these gaps. You're one of the few functions that truly cuts across all different business units and departments."
Foong reinforced this point with practical advice: "As third-line governance professionals, it is our role to make sure that whatever we report to the board is simple and connected. When you write a report, don't tell me about three highs and two mediums—so what? You must explain the 'so what' in your report messaging. How does it align to the north star of the organisation?"
Practical Steps for Adaptive Governance
The panelists offered several concrete recommendations for internal auditors:
1. Make Your Audit Plan Dynamic
Foong stressed that audit plans should be flexible: "Your audit plan should be dynamic—not set and forget once a year. You should have a mechanism with the board and senior management to be really dynamic in how you respond to support the board."
2. Focus on Connection, Not Just Compliance
Rather than getting lost in technical details, focus on business impact. As Lim advised, board members "don't necessarily have to become AI or cybersecurity practitioners overnight. They just need to know enough to govern it—focus on the risks, challenges, and business impacts."
3. Build Relationships Across the Organisation
Foong emphasized the importance of emotional intelligence: "Don't send a team message or email to your stakeholder. Have coffee with them, go for a run, be part of the conversation. The board and senior management will appreciate it when you're able to connect the dots."
4. Challenge Traditional Risk Assessments
Don't just audit the high-risk areas. As the moderator noted, "Make sure you audit the green risks—the ones rated very low. Those are the ones the organisation has said is low risk, but you never know until you test it out."
The Technology Imperative
The discussion revealed that AI and digital transformation aren't just changing what we audit—they're changing how we audit. Foong noted that "the use of AI for internal audit actually doubled in 12 months, from 15% to over 40%."
However, the panelists cautioned against both extremes: burying our heads in the sand or rushing headlong into adoption without understanding the implications. The key is to embrace technology as an enabler while maintaining focus on governance and risk management fundamentals.
Looking Forward: The Conscience and Compass Role
Dr. Nesaretnam concluded with a powerful reminder of our profession's purpose, echoing the words of the IIA president: "Internal auditors are the conscience and the compass of the organisation." To fulfill this role in a polycrisis world, we must be willing to continuously learn, adapt, and challenge both ourselves and our organisations.
The message is clear: the old playbook isn't sufficient for the challenges ahead. We must become more agile, more connected, and more strategic in our approach. The organisations that will thrive in this polycrisis era are those with governance professionals who can see the big picture, connect the dots, and help leadership navigate unprecedented complexity.
As we face an uncertain future filled with interconnected risks and rapid change, our role as internal auditors has never been more critical—or more exciting. The question isn't whether we'll face more polycrises, but whether we'll be ready to help our organisations adapt and thrive when they arrive.
The time for adaptive governance is now. Are you ready to evolve?