“How do you protect and enhance organizational value?” Richard Chambers, past president of The Institute of Internal Auditors (IIA) and current Senior Internal Audit Advisor at AuditBoard, asked this first. I quote him often — challenging my team to do more for our organization.
I oversee three controls and compliance systems for my organization. One of those systems supports our enterprise risk management (ERM) program, as well as our fraud and financial risk assessment processes. That makes me and the system the common denominator tying together risk efforts across functions.
I consider myself a serial transformer. At my organization, I jumped at the opportunity to bring the right people together, identify clear ownership and better coordination, and initiate a new system design. Because — to answer Chambers’ question — one crucial strategy for protecting and enhancing organizational value centers on building a more united front against risk. The lessons I’ve learned can help you get your own organization on the right track.
Leading Practices to Reduce Siloed Risk Management
The overarching goals are breaking down silos, connecting processes, and improving communication between owners of related risks. Too often, risk management is disaggregated across functions, leading to duplication of effort, lower-quality analysis, and inadequate coverage.
Internal audit and systems professionals can play a central role in creating these connections. Be the fulcrum that helps your organization share risk assessment results across owners whose risks connect and impact one another. Create a culture in which risk is managed, not just assessed. Here’s how.
1. Identify Risk Assessments and Owners
Determine which risk assessments are being done and by whom. At my organization, I targeted three separate assessments being performed by three different functions. Two of those were changing owners. Our design project needed to begin with identifying who would own the assessments going forward.
2. Map the “Family” Risk Hierarchy
Understand how risks are related. All risks are either enterprise risks or “parented” by them.
- Enterprise risks — “mom and dad” — are more generic than “child” risks.
- Child risks should always map to parent risks. If you can’t find an appropriate parent, you may need to establish a new enterprise risk. This bidirectional checkpoint helps ensure coverage.
- In a comprehensive system, enterprise risk owners can see results from all child risk assessments, enabling more thorough analysis and reducing duplication of efforts.
3. Connect Stakeholders With Communication Channels
Align stakeholders with secure communication channels that enable appropriate sharing of relevant assessment results. For example, a financial statement risk owner should be able to see assessment results for relevant fraud risks (e.g., cookie jar reserves), but not the entire fraud risk assessment.
Collaborate with assessment owners and representative(s) from stakeholder functions on planning which risks to assess and how to score them. That way, everybody using assessment results in their analyses understands and agrees on inputs.
4. Use Global Frameworks for Long-Term Stability
When functions employ varying risk categories and language, resulting data sets won’t support year-by-year comparisons or alignment with other structures in your risk universe. Instead, adopt globally accepted terminology to create a common language for defining and categorizing risk. For example, using COSO Framework risk categories (e.g., operational, strategic, compliance, etc.) can help you stabilize data while offering a valuable lens for examining coverage.
Set boundaries supporting consistent definition of global risk characteristics, for example, drop-downs offering limited response options. Still, be flexible when needed – keep in mind that accountability for results from risk assessments lives with each owner.
5. Identify and Track Key Risk Indicators (KRIs)
Use KRIs to alert owners to rising risks or provide comfort around mitigation. Ideally, KRIs should be objective measures you can update and track over time. Some KRIs, however, will be subjective. For example, if your cybersecurity software logs attempted attacks, you might graph attempts and assess whether trends correlate to business activities (e.g., press releases).
The AuditBoard dashboard enables an at-a-glance view of KRIs. Our key parent risks have about 20 associated KRIs displaying red, yellow, or green depending on how they’re performing. Since KRIs are coded to owners, the “Get an Update” button lets me request new scores without interviews.
6. Identify and Track Risk Mitigation Plans
Many organizations too often “assess and forget,” failing to act. KRIs and mitigation plans help you manage risk, not just assess it.
Work with risk owners to agree upon, activate, and track mitigation plans for risks currently lacking the right mitigating controls. Designate single owners, committed implementation dates, and protocols for follow-up. Keep mitigation plans separate from audit issues.
The owner view helps risk owners quickly gauge the status of mitigation plans (e.g., closed, pending remediation) alongside risk categories, owners, KRIs, references (e.g., parent vs. child), and more.
These efforts won’t necessarily be easy. As I’ve learned, tenacity and creativity are required. But the work — gathering information about dispersed risk assessments, aligning risks under an ERM umbrella, establishing better and clearer communication and coordination between owners and stakeholders, and using KRIs and mitigation plans to manage risk — is essential. After all, integrated, forward-looking coverage only becomes more important as the risk landscape expands (e.g., ESG, geopolitical, supply chain, fraud, cybersecurity).
Remember, our job is not simply to protect value. It’s also to enhance it. Be the fulcrum that helps your organization make the most of its risk program.