August 6, 2024

During a recent internal audit conference, I found myself surrounded by a group of chief audit executives from financial services organizations who were concerned that I had just spoken about the need for greater collaboration across the three lines. As one of them pointedly said: “My regulator expects us to be independent and would not react well to the idea that we are collaborating with anyone else in the bank.” I was taken aback. It was as if the word “collaborating” was being equated with the word “conspiring.”
As I have told anyone who would listen over the past two years, the age of siloed risk management must fade into history! In the 2020s, the convergence of risk velocity and volatility has yielded nothing short of risk management chaos. As I have frequently observed, we are living in an era of permacrisis. It must be “all hands on deck” to help our organizations navigate the perils ahead.
As I will be advocating at AuditBoard’s upcoming Audit and Beyond Conference, we must transition from a “three lines” to a “threelignment” approach to risk management. We must recognize that while the 1st line (management), the 2nd line (monitoring and oversight functions), and the 3rd line (internal audit) each have a unique purpose, we share a common goal: to help our organizations achieve their strategic objectives and create value for their stakeholders and shareholders. We must emerge from our proverbial caves and collaborate (in some instances for the very survival of our organizations).
The practice of collaboration across the three lines has yielded a new term – connected risk. Connected risk is born of the recognition that risks are interrelated and interconnected, and that a fragmented, often disconnected approach to risk management is ineffective in the era of permacrisis that is the 2020s. Connected risk emphasizes:
- Interconnectedness: Risks are not standalone but interconnected. A risk event in one area can have cascading effects on other areas. For instance, a data breach might affect both operational efficiency and regulatory compliance.
- Holistic Approach: Managing connected risk requires a comprehensive view of risk across the organization. This approach integrates risk management processes (typically via technology) to address the interactions between different types of risks and their potential cumulative impacts.
- Integrated Risk Management: Effective connected risk management involves integrating risk data and insights across various functions and departments to provide a unified view of risk. This integration helps in identifying potential risk interactions and dependencies.
- Strategic Alignment: Connected risk management supports aligning risk management strategies with organizational goals and strategies, ensuring that risks are managed in a way that supports overall business objectives.
Without collaboration, there is no connected risk. At the end of the conversation with the bank CAEs, I encouraged them to take a look at The IIA’s new Global Internal Audit Standards. Not only do the standards use the dreaded word “collaborate,” they explicitly encourage it in some instances. As I reviewed Standard 9.5 Coordination and Reliance in detail when it was first released, I began thinking of it as the “connected risk” standard, given the many parallels of the standard’s language with the more collaborative risk management approach I am recommending.
The “Requirements” section of 9.5 provides the directive while highlighting the benefits (emphasis added):
The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.
If unable to achieve an appropriate level of coordination, the chief audit executive must raise any concerns with senior management and, if necessary, the board.
Notably, The IIA uses the safer term “coordination” in this section. But 9.5’s “Considerations for Implementation” section provides a list of “examples of coordination” that could just as accurately be labeled “examples of collaboration”:
- Synchronizing the nature, extent, and timing of planned work
- Establishing a common understanding of assurance techniques, methods, and terminology
- Providing access to one another’s work programs and reports
- Using management’s risk management information to provide joint risk assessments
- Creating a shared risk register or list of risks
- Combining results for joint reporting
Standard 9.5’s “Considerations for Implementation” further states (emphasis added):
The chief audit executive considers the organization’s confidentiality requirements before meeting with the various providers to gather the information necessary to coordinate services. Frequently, the providers share the objectives, scope, and timing of upcoming engagements and the results of prior engagements. The providers also discuss the potential for relying on one another’s work.
The Standard also states (emphasis added):
The chief audit executive may choose to rely on the work of other providers for various reasons, such as to assess specialty areas outside the internal audit function’s expertise, to decrease the amount of testing needed to complete an engagement, and to enhance risk coverage beyond the resources of the internal audit function.
Beyond Standard 9.5, there are others in the new Global Internal Audit Standards that reflect this increased emphasis on coordination and collaboration—several of which don’t shy away from using the term “collaboration” outright.
Standard 10.3 Technological Resources “Considerations for Implementation” recommends that—“to evaluate whether the internal audit function has technological resources to perform its responsibilities”—the CAE should “collaborate with other departments on shared governance, risk, and control management systems.”
Standard 3.1 Competency “Considerations for Implementation” suggests that internal auditors should develop competencies related to “communication and collaboration.”
While I interpret The IIA’s Standards as green-lighting the dreaded “C” word, I am confident that some internal auditors will recoil at the very idea. Accordingly, some organizations may need different terminology to become comfortable moving forward. Consider the language that makes the most sense for your organization, be it collaboration, coordination, alignment, connection, or what have you. All of these terms are at the very heart of the sustained value that connected risk provides to organizations. You should feel welcome to choose the term that works for you.
I welcome your comments via LinkedIn or Twitter (@rfchambers).