Sometimes you have to assign risk to reluctant BU leaders to get their attention.
Complying with internal audit’s requests isn’t always front and center in terms of business leader priorities. But prompting them to accept responsibility for identified risks can change that.
In a lengthy discussion at a recent meeting of NeuGroup’s Internal Auditors’ Peer Group, members discussed the inadequate funding internal audit (IA) often receives to perform its function as well as the sometimes-low priority business leaders can give to complying with IA’s requests. The discussion was kicked off by one member noting that his company’s risk-committee chairman had challenged management to inform the board about the risks they’ll be accepting in the business.
A plan is hatched. Recognizing an effective approach, the chief information security officer (CISO) sent an email to the COO, who had provided less funding than requested, to tell him he would have to accept responsibility for the ensuing risk. “Within a week the CISO received the funding,” the IAPG member said.
- The tactic can be effective across risk functions. The member said the board’s risk-committee chairman took a similar approach, asking the heads of business units to present the risks they see to the committee. “It’s changing the conversation,” the member said.
Multipurpose use. Another participant noted that the approach can be used for a variety of situations, including IA’s perpetual challenge of seeking final closure from managers on audits that were completed quarters ago. By letting that time pass, the business leader is essentially telling audit that he or she is accepting the risk.
- “It boils down to the question: Are you taking an inordinate amount of risk or not, and if you’re accepting that risk, then explain to the risk committee why you’re comfortable with it,” he said.
Of course, the business leader may respond that the identified issue is no longer a risk, or may question audit’s expertise on the matter and argue that it doesn’t pose a significant risk. Those are common challenges faced by IA, and the member said it is incumbent upon IA to help management understand the priority of each issue—whether it’s a “drop everything and fix it now” or a “do this when you have some time.”
Making it transparent. The first member added that his company typically gives the business the option to say by what date, from a priority standpoint, it will “mitigate” the issue. “This transparency goes up to the audit committee, which can then say, ‘The business says it will take two years,’” and management then has to defend that time frame.
He added that regulators are raising questions about companies’ vulnerabilities, but corporate culture often passes the buck on who is responsible for correcting or mitigating those weaknesses.
- “There needs to be that type of discussion about who has responsibility for these risks, and the audit committee needs to be in the firing line for these types of things,” the member said.