One member’s “risk radar” facilitates explaining evolving risks to audit committees.
Corporate risk is no easy concept to convey, especially when risks are numerous and shifting in intensity over time. Equally challenging is explaining a risk’s evolving urgency to board members, who must concurrently digest reams of information.
- Responding to a query about how peers justify urgent audit-plan changes to audit committees, a member of NeuGroup’s Internal Auditors’ Peer Group described the “risk radar” he presents quarterly to illustrate dynamically the comparative urgency of his company’s top 20 risks and mitigation efforts.
- His description received raves from peers, with one quipping, “That’s very comprehensive. It makes the rest of us feel inadequate.”
Red, yellow, green. The graphic is split into four quadrants—strategic, compliance, financial and operational—and its red center (see chart below) signifies the most urgent issues, surrounded by a yellow halo and then a green one for less urgent matters.
- The closer the stars representing the company’s risk issues—such as cybersecurity, sales growth and trade compliance—are positioned to the center of the round radar screen, the greater the risk urgency.
- The stars change position quarterly, displaying not just each category’s inherent risk but the company’s evolving risk-mitigation efforts.
- Built through the member’s enterprise risk management (ERM) process, the radar incorporates feedback from management. “So the board gets a very real perspective on risk, and it has all the context for why risks are moving closer to or away from the center,” the member said.
Customer impact. The executive noted that Europe’s changing regulatory environment and privacy rules, including the July Schrems II ruling on transatlantic personal data flows, could dramatically change his company’s compliance requirements.
- The risk is that uncertainty could unnerve potential clients concerned about ending up on the wrong side of the regulation. From the start of the year, the uncertainty has moved the regulatory star close to the radar’s center.
- “But it’s not the end of the world,” the member told the group, because it opens the door for management to explain its road map to deal with the risk going forward. “We can say, ‘Given all the good work we’ve done, we’ve mitigated this risk.’”
- He added, “The audit committee has what we consider a very frequent, very fresh review of all the risks associated with everything we do from a value chain perspective.”
Beneath the graphic. The committee can now visualize internal audit’s risk assessment, including the impact and likelihood, the velocity of onset and management’s risk tolerance. It can also explore the five categories used to assess each risk and its overall priority.
- Judgment plays an important role, but the audit committee can review the appendix to understand precisely how his team arrived at its conclusions.
- And top management, he said, from the chief legal officer to the CFO and heads of engineering and data security, have “all bought off on the stars.”
- The risk radar prioritizes the company’s 20 most significant risks, and while the board may be concerned with the top three, “from management’s perspective the top 20 is fantastic.”
The proof? “Our head of human resources has built her own risk radar for HR, our CFO now has his own risk radar for finance, and the head of engineering is talking about creating his own risk radar,” the member said.