Building a risk-based compliance program can seem daunting, but we discovered several best practices as we integrated our Corporate Audit and IT Risk and Compliance processes during our AuditBoard implementation. We found great success by aligning the risk language used in our teams, structuring the different risk assessments as both top-down and bottom-up, and encouraging open communication with stakeholders related to risk. This article details each of these best practices so you can learn from our experiences and avoid some of the pitfalls we faced.
Common Risk Language
Adopting a common risk language is the first step to success in building a connected, risk-based program. In our case, we had two separate teams using AuditBoard, and we had different perspectives on risks. In Corporate Audit, we generally looked at risk from the enterprise level to understand the global impact of risks. The IT Risk and Compliance team took a more granular approach to understanding risks and implementing controls.
To work together, we aligned the terminology related to risks, controls, mitigating actions, and action plans to see the entire risk landscape, including the micro and macro-level risk details. At first, we thought of these areas as separate, each with unique terminology, but we quickly realized this would hinder our ability to see a connected risk perspective. Using technology like AuditBoard enforces consistent language and terminology visible on connected dashboards that aggregate the risk information. Now, when we have risk-based conversations, we start the conversation without needing to begin with education on risk management – everyone already knows the basics because we are sharing information.
Multidirectional Risk Assessments
Another best practice we implemented is a multidirectional risk assessment approach that captures a top-down assessment of enterprise risks and a bottom-up view that incorporates the granular understanding. We often start with the high-level view from the top and then use that to facilitate consistent conversations with management. Risk should be part of the conversation regardless of who you meet with. Ultimately, we drive a risk-aware culture that helps leaders consider risk to the organization when making decisions. Having an open dialogue about granular risks allows you to determine what that risk landscape looks like across the organization to ensure you always address the most critical risks. The multidirectional approach keeps you in touch with the front-line managers and the executive level. Capturing this information enables risks and ideas to flow across the organization because you cannot be everywhere.
Fostering Open Communication on Change
A risk assessment reflects a point in time. Since the risks in a compliance program are constantly evolving, we must stay current with the company’s risk appetite for any given concern. When the risk information is readily available and a risk-aware culture is in place, people are more willing to speak openly about changing priorities. For example, our risk assessment shows a change in the risk rating related to artificial intelligence (AI). Over the past three years, we have grown more conservative and raised the associated risk level as the impact of AI has changed. When you have a solution that brings everything together and facilitates conversation, the team can focus on the actual risk and have meaningful discussions on risk response and prioritization.
Leveraging Technology for Risk-Based Compliance
In our case, implementing new technology was the catalyst for changing our processes and coming together to address risks in a unified manner. We modified our approaches and terminology to take advantage of the built-in capabilities of AuditBoard to capture the enterprise risk assessment and the granular risk details in a single view through connected fields.
Ultimately, coming together through risk technology has brought our functions closer with a consolidated perspective on risk and opened communication lines that may not have existed otherwise. At the same time, we are holding people accountable to ensure they do their job to mitigate those risks.
Rachelle has over 21 years in the information technology field. Starting her career back in the computer repair days in a customer service role, Rachelle learned she loved the fast-paced environment and ever-changing IT field. Rachelle spent most of her career working in the SMB market in a consulting role focused on managed services. She helped companies prioritize their budgets based on their business model to ensure they had the right infrastructure, hardware, and processes in the ever-changing technology environment. Seeking a new challenge, Rachelle joined Boeing about 3 years ago, within Information Security in the IT governance, risk, and compliance space. Currently, Rachelle leads the Information Technology Risk & Compliance Management program, works with the enterprise risk management boards, and manages IT risks across the company.
Adam is a Director of Internal Audit at The Boeing Company. He oversees Data Analytics and Audit Operations, including all the supporting technology for the department. Prior to Boeing, Adam was a Senior Manager at Fiserv where he developed the analytics function in addition to managing IT, finance, and operational engagements. Adam started his career at PwC in Chicago working on asset management clients. He earned his Master’s and Bachelor’s in Accounting from the University of Wisconsin – Madison.