Full Court Press: An Auditor’s Guide to Closing the Risk Gap

iia 2020 onrisk report
November 7, 2019

The best basketball teams operate like a machine, with parts working interdependently toward a singular goal. Your point guard leads the break, bounce-passes it to the center, who passes it back out to an open forward, who nails a jumper. Two points on the board. Wash, rinse, repeat.

Ideally, the risk and compliance function of your organization should work the same way. The three lines of defense should cohesively pitch in to reliably achieve objectives, address uncertainty, and act with integrity—the explicit, stated goal of GRC.

But the key word there is "ideally." As in, that doesn't always happen, as a recent report finds.

Misalignment at the helm

According to a recently released report from the Institute of Internal Auditors (IIA), "OnRisk 2020," there are drastically differing opinions on risk perception. More troubling, these opinions are held by the people at the helm of your organization—members of the C-suite and the board—effectively creating a risk gap.

While some misalignment is expected between these two parties, dramatically differing views are unacceptable, as the report states, and companies are increasingly blasé to the threat it presents.

"'Acceptable misalignment' on risk is a prevalent and dangerous mindset," the report states. "While misalignment around individual knowledge of a risk may be acceptable based on varying roles, misalignment on the perception of the organization’s capability to manage a risk is a serious concern."

For each of the 11 key risks surveyed, board members rated their organizations’ capability for managing the risk higher than executive management.

This finding, according to the report, suggests that boards may be failing to question information supplied by executive management, or that executive management may "not be fully transparent with the board about risks and their own reservations about their organizations’ ability to manage them."

Time and again, the report notes transparency as an underlying cause between these asymmetries. While the way boards respond may not be in your control, you can increase transparency between the two camps by providing the most accurate, complete, and insightful data to start the conversation. After all, you are a critical part of the team, and you have the influence to close this risk gap.

The four-point play to increasing transparency and communication

1. Kick off the discussion

If you see something, say something. Schedule time with your management team and board members and ask for their opinions on where alignment exists and where it doesn't.

Easier yet, create a short assessment stakeholders can fill out on their own time. Using an online survey tool, ask for their opinions on the organization's ability to manage risk in key areas, such as cybersecurity, regulatory change, and others. Then, compare the two groups, and bring the results to your next committee meeting with recommended actions in tow.

2. Focus on the largest positive impact

With that list of misaligned risks in hand, pick the most sizable gap—the area with the most white space between the C-suite and the board—and laser-focus on improving it.

For the sake of discussion, let's say you choose cybersecurity. Over the next 3–6 months, make it a priority to rework each aspect of cybersecurity risk, down to the studs—who's involved, what they're responsible for, what vendors or pieces of software may be vulnerable, why they raise red flags, and so on.

In the interim, report back to your board and C-suite with occasional updates: what you've been working on and why. After all, emboldening them to be transparent requires transparency on your part, too.

3. Dig deeper into the board/audit committee report creation process

While you're concentrating on revamping that solitary risk, you may notice the processes that support the creation of your board and audit committee decks aren't quite ironclad. (More like wrapped in athletic tape, maybe. A short-term fix for a greater pain underneath.)

When creating those critical presentations, take detailed notes on where you and your team are spending the majority of your time.

  • Are you focusing on high-value tasks—like root-cause analysis—or are you mired in data entry and compiling spreadsheets?
  • Do you copy and paste data from a variety of different sources?
  • Can you see the status and results of your audits at any time? Are they up to date?
  • Is the data you're looking for entombed in a ton of disparate spreadsheets?
  • What are the key data sources that feed your recurring reports?
  • Is your process repeatable month-to-month and quarter-to-quarter, or is your team starting from scratch each time?

4. Evaluate how you conduct risk assessments

You've already orchestrated an initial survey with your management team and board members to learn where weak spots exist. Similarly, once you've nailed down those risk areas, it's a good idea to survey your own team on how they assess risk. In doing so, you'll uncover ways to help your own team.

Use these questions as a starting point:

  • How do you collect and organize a single view of risk across the enterprise?
  • What tools and methodologies are in place? What works and what doesn't?
  • How much face-to-face time do you spend with stakeholders?
  • How prepared are business stakeholders in providing input?
  • How would you increase stakeholder engagement?
  • What do you want your stakeholders to know about your control environment?
  • What steps have you made toward addressing risk on a more frequent basis (e.g., mid-year or quarterly check-ins)?

Closing

In truth, playing on a basketball team is no different than the internal audit function on the whole: defense is hugely important, and communication between teammates is the determining factor for winning (perhaps even more than outright talent).

“Communication does not always occur naturally, even among a tight-knit group of individuals," said famed Duke basketball coach Mike Krzyzewski. "Communication must be taught and practiced in order to bring everyone together as one.”

Same goes for internal audit. Be intentional about your communication, and conduct quality work in an efficient, effective manner, and you'll earn your spot on the All Star team.

Ernest Anunciacion

About the author

Ernest Anunciacion, Director of Product Marketing, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.