Connected Risk Quick Start Guide for Compliance Management Leaders

Risk rarely stays isolated in silos. A change in one area of the business can create risk in a second area and require support from a third. Risk management is a team sport, requiring business leaders to work together with many different functions to achieve success.

A connected risk approach aims to address the gap between rising risk management demands and limited resources by dismantling silos, fostering alignment across teams, enhancing collaboration and information sharing, unifying data, and automating essential processes. Organizations can strengthen business resilience in a dynamic risk environment by empowering internal audit, InfoSec, risk management, and compliance leaders to advance connected risk across the business while enabling leadership to make better risk-informed decisions. 

In this article, we break down the crucial first steps to get started with connected risk, including: 

  • a vision for compliance management leaders who step forward to advocate for connected risk across the enterprise
  • foundational projects to tackle first
  • connected quick wins compliance is well-suited to initiate
  • key partners to reach out to along the way. 

Our aim is to offer best practices and projects that will position you to successfully spearhead a connected risk approach in your organization. 

Check out the other articles in our Connected Risk Quick Start Guide series for fellow key roles in information security, risk management, and internal audit and controls — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.

The Connected Risk Report: Uniting Teams and Insights to Drive Organizational Resilience

Snapshot: The Forward-Thinking Compliance Leader

The modern, progressive compliance leader is responsible for ensuring that the organization meets its compliance requirements, which vary by industry and may include ESG and cybersecurity disclosure requirements, to support achieving strategic business goals. This leader ensures everyone in the organization is aware of and fulfills their compliance obligations. A great compliance leader is seen by the organization as a coach and advisor who partners with other departments to proactively eliminate any concerns a regulator may have.

The compliance leader maintains their integrity even in difficult situations when remaining compliant may seem at odds with achieving business goals. They are advocates and users of connected risk technology that enables them to break down silos, improve communication, and improve visibility — all of which enhance a culture of compliance. 

Foundational Compliance Projects to Tackle Before Connected Risk

Identify all the areas in the organization that touch or are affected by regulatory compliance. This requires mapping all day-to-day activities in the organization that fall under the scope of compliance with required regulations, as well as the people in the organization responsible for complying with regulations.  

Optimize efficiency by reducing duplicative activities. Identify the activities the compliance team performs that other groups — e.g., internal audit, ERM, IT, InfoSec, HR, etc. — may already be performing and find a way to partner to cover more ground together. 

Identify 1-2 departmental compliance liaisons to the business. These points of contact will drive foundational projects, e.g., automating and centralizing work, and redirecting questions to the right people who can answer them.

Connected Risk Quick Wins for Compliance

Win 1: Shared Controls Under a Centralized Control Taxonomy. When policies, obligations/regulations, or controls are added or updated, those changes automatically propagate to a central controls library, and notification is provided to:

  • Control owners and asset owners so they can create action plans to achieve compliance with the new requirements. 
  • Internal audit so they can update any planned or in-progress assessments to reflect the updated requirements. 
  • Risk teams so they can map the new requirements to risks in the risk register. 
  • TPRM so requirements can be communicated to third parties and assessment templates can be updated appropriately. 

Win 2: Visibility Into Other Teams’ Risk Assessment Results to Inform Treatment of Risk in the Organization. Visibility into different risk scores from audit and ERM, as well as issues tagged to a risk by those teams, ensures that regulatory compliance can understand those different perspectives on a risk before aggregating and prioritizing them into one decision on how to treat the risk.

Win 3: A Clear Assurance Trail That Demonstrates Preparedness for Regulatory Assessments By Internal and External Audit. Before an assessment is started, information about in-scope assets and controls should be gathered to avoid unnecessary effort from control owners and asset owners, including: 

  • Existing issues and action plans initiated by other teams (internal audit, ITRM, TPRM)
  • Recent control evidence collected by other teams (internal audit, ITRM, TPRM)
  • If the asset inventory is suspected to be incomplete, collect it from IT and, where possible, compare it against the risk, internal audit, and TPRM inventories.

Take Action: Identify Partners Across the Organization

Who else in the organization has documented controls? Who else is conducting risk assessments? Who else is performing audits (2nd or 3rd line teams)? Who else in the organization has existing issues and action plans? Who else in the organization evidences the performance of controls? 

These are the partners with whom you will create a common control taxonomy and share risk assessment results to ensure everyone is aligned. These partners — who may include Environmental Health & Safety, finance, and IT — can also help you better understand the current coverage of the organization and the severity of issues you’ve identified and their associated risks. Moreover, these partners may be performing duplicative compliance activities that you can streamline to reduce control owner fatigue. 

Consider sharing the other articles in our Connected Risk Quick Start Guide series with your fellow risk stakeholders in information security, risk management, and internal audit and controls — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.