Many risk and audit professionals are intimidated by continuous risk monitoring. In surveys, at conferences, and in casual conversation, the majority of internal auditors and risk managers will admit the truth: They feel like they don’t know how to do it, or even where to start. This uncertainty and lack of confidence leave them inclined to keep their heads down, avoid the topic — and miss critical opportunities for monitoring and responding to risk.
This is no time to keep our heads down. Risks are emerging and changing with ever greater velocity and volatility. Gone are the days of annual or quarterly risk assessments being adequate to keep up. Companies need to develop new methods that continuously monitor risk, enabling more timely alerts and responses to potential threats.
There is no prescribed approach for how companies should continuously monitor risks. Continuous monitoring — to the extent it’s actually being practiced — largely relies on homegrown systems. But in reality, it’s not widely practiced. Many companies who claim to be doing it are simply performing assessments every few months. That’s not continuous, and that’s not what’s needed. Fortunately, continuous monitoring is more achievable than most people think. There are several proven strategies you can use to get started, and countless internal and external resources hiding in plain sight to support your efforts.
Current State: Monitoring That Doesn’t Look Far Enough
Let’s begin with what companies are already doing. AuditBoard’s latest Focus on the Future report found that internal audit leaders’ most favored risk monitoring method, cited by 86% of respondents, was collaboration with other functions that also manage risk. A majority also reported consulting with business management (74%) and/or functional management (69%).
These are powerful methods. They enable internal auditors to tap into multiple perspectives across the organization to monitor the shifting speed and direction of risk. But approaches based primarily on the ideas and opinions of others don’t go far enough in helping internal auditors to achieve appropriate levels of independence, skepticism, and scrutiny.
We must use more of the continuous monitoring methods at our disposal, both internally and externally. That includes not only monitoring key risk indicators (KRIs), a method used by just over 50% of respondents, but also engaging with internal auditors from other organizations, reviewing relevant third-party surveys and reports, and monitoring macroeconomic and geopolitical developments and trends — all methods used by less than half of respondents. Below are principles and tactics you can use to support these methods and more.
I lecture frequently on the topic of continuous risk monitoring, and I find audit and risk professionals are thirsty for knowledge about effective strategies and techniques. When coaching students in my Audit Trail Academy seminars on continuous risk monitoring, I share both principles and proven strategies for success.
Principles of Continuous Monitoring
Continuous monitoring entails understanding not only the risks you’re facing now and those visible on the horizon, but also the risks beyond the horizon. This requires recognizing risk velocity, acknowledging risk volatility, and developing and deploying a mechanism by which you can periodically check in on, and be alerted to, key risks.
The key is to think differently, and to use your 360° view of your organization to develop strategies that help you simultaneously plan and execute in coordination and ongoing communication with first- and second-line roles. The continuous monitoring strategy that’s right for your business is likely to combine a number of the following methods.
External and Internal Emerging Risk Indicators for a Multifaceted Perspective
For a more comprehensive view on the ebb and flow of risk, you’ll need to look beyond — and deeper into — your organization. There’s no shortage of places to look. Allocate responsibilities within your team to continuously monitor risk indicators through external resources such as:
- Third-party research and reports assessing key risks from different perspectives.
- Economic forecasts, target-rich for identifying emerging risks.
- Media headlines heralding emerging risks.
- Geopolitical and political risks where you’re operating, expanding, or investing.
- Legislative and regulatory outlook, since today’s legislative headlines are tomorrow’s compliance risks.
- Industry conferences, publications, and trends,helping you understand the disruptive threats facing your industry and how competitors are responding/performing.
- Customer feedback, both favorable and unfavorable.
Internal resources to monitor include:
- Your organization’s strategic business risks as reflected in strategic plans, goals, and success factors. Focus first on the organization’s objectives, which give rise to its risks.
- Planned corporate initiatives, which all have risks associated with them.
- Changes to corporate culture, such as new leaders defining success differently.
- Employee feedback.
- Data, metrics, and AI from technologies your company is leveraging.
“Shoe Leather” Assessment and Relationship Mapping for Improved Coverage
As mentioned, most companies already favor the “shoe leather” assessment strategy of walking around and talking with other risk professionals and members of business and functional management. But it’s only valid as continuous monitoring if it’s done with discipline, regularity, and a broad reach. Increase your reach by allocating key relationships across your team, using a relationship map to formalize a coverage plan. Establish a regular cadence for interactions, and set the expectation that conversations can be informal.
KRIs for Proactive Risk Detection and Measurement
KRIs are crucial for continuous monitoring, helping companies be more proactive in identifying potential impacts. KRIs are selected and designed by analyzing risk-related events that may affect the organization’s ability to achieve its objectives. Typically, by looking at risk events that have impacted the organization (in the past or currently), it’s possible to work backward to pinpoint the root-cause or intermediate events that led to them.
KRIs must be measurable, predictive, comparable, and informative, tracking quantifiable metrics and trends over time to detect early warning signals and measure the status of risks and controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers guidance on using KRIs to strengthen enterprise risk management. There’s also a growing pool of third-party guidance and best practices for developing KRIs. Technology can support efficient and effective monitoring of KRIs.
“Connect the Dots” to Better Leverage Internal Audit’s Work
Internal audit creates a massive body of work that can itself be an excellent indicator of risk. We tend to be quite granular in our work, but it’s possible to step back and consider the separate audits as a series of dots we can connect to create a bigger picture. What insights can you glean from any systemic issues or trends (e.g., cost or expense overruns due to changing macroeconomic conditions, violations of new regulations) identified in your audits?
Continuous Monitoring Is Within Reach
Too often, when I ask internal auditors and risk managers what they’re doing to identify and monitor risk, they get that deer-in-headlights look. It’s time to banish that look from your repertoire, because there are innumerable ways you can begin improving your organization’s continuous monitoring capabilities.
I’ve long said that risk assessment is as much art as it is science. Fortunately, armed with logic, consistency, business and risk acumen, relationships across the organization, and a willingness to think differently, you are already equipped for success. I look forward to hearing your ideas and success stories.