By Matt Kelly

Learn how to have the most productive conversations with the CEO and board while addressing the risk management process that keeps you up at night.

Risk assurance executives—whether they work in compliance, internal audit, risk management, IT security, or any other related function—ultimately worry about three things as they do their jobs.

Is everything functioning normally? Do I understand how to address anything not functioning normally? Am I working effectively with everyone else in the organization who helps fulfill my goals?

Taken together, those three questions invoke all five elements of the COSO internal control framework: risk assessment, the control environment, and monitoring (the first question); control activities (the second question); and communication (the third question). Those questions seek to understand what is normal and abnormal, and whether you can respond to events properly as the need arises. In one way or another, we all ask ourselves these questions every day.

Compliance and audit professionals want to have productive conversations with the CEO and the board along those same lines. After all, senior leadership is just as crucial to the GRC function as you are. James Lam, one of the godfathers of modern corporate risk management, describes the CEO and board as hovering above the risk assurance team in the famed Three Lines of Defense structure: the CEO in the Second Line above compliance, legal, HR, and the rest; the board in the Third Line, above internal audit.

They want the same useful conversations about governance, risk, and compliance that you have horizontally with other parts of the organization; the conversation simply flows vertically, between middle and senior executives. So how should that happen?