Member question: “Has anyone, recently or in the past, conducted broad wide-scale open-ended (i.e., not scripted Q&A) risk interviews of top management and leaders as the primary means to collect risk-identification inputs?
- “I am looking to share thoughts and experiences regarding the effectiveness, as well as methods to summarize, quantify and present the key findings.
- “I have interviewed board members, executive staff, management VPs+, totaling in the range of 75-100 one-on-one discussions. I am seeking recommendations on the process.”
Peer answer 1: “Yes, I use this process. Two years ago, we implemented an ‘integrated’ risk discussion process where the chief audit executive (CAE), chief compliance officer (CCO) and chief information security officer (CISO) jointly meet with leaders across the org.
- “We aggregate our key takeaways in a PowerPoint deck and organize them by main themes (for example Covid-19 was a main risk theme last year).
- “Prior to me joining audit, they used a survey for a period of time and had difficulty getting responses and/or the quality of information was not as good as that obtained through face-to-face meetings.”
Peer answer 2: “We do an annual assessment in which we ask leaders to select from a 22-risk framework and have the leaders provide narrative responses. Not individual interviews, however.”
Peer answer 3: “We are in the midst of this process right now, so we’re very much in learning mode. Our interviews will be complete in mid-July, and we’ll be summarizing the inputs and presenting in September. Happy to share our experiences and ideas.”