Talking to Leaders About Risk
This week I attended the annual user conference for AuditBoard, maker of software for internal audit and risk management teams. I wandered into one session about how those teams should talk to enterprise leaders about IT risks, and wanted to pass along my notes. After all, IT risks are going nowhere but up these days.
Moreover, even though the discussion focused on IT risks, corporate ethics and compliance officers should pay attention here too, because the insights could just as easily apply to the corruption risks that fill your wheelhouse. The issue here is really about how risk assurance teams — those people charged with telling the business to think and proceed carefully before plunging ahead with some new idea — can have those conversations with senior management and operations teams in an engaging, fruitful manner.
So what advice did I hear?
Of course the conversation started with the obligatory, “Know the business,” because everyone starts with that line when we talk about this subject. I was delighted, however, when one panelist put that vague phrase into more concrete terms. First, he said, “Think about the money.”
That is, think about how your organization makes money, sure; but also think about how it handles money, since not all organizations handle money in the same way. For example, a business wants to make more money, so it’s looking for strategies to grow. A government agency, on the other hand, wants to be a careful steward of the money it has, because it only receives a limited amount of taxpayer dollars each year. The agency doesn’t need to grow; it only needs to fulfill its mission, which is not the same thing.
From Money to Real Risk Conversations
OK, cool cool — but why does an appreciation for money matter? Because it helps you better reply to another vague piece of advice: that compliance (or internal audit, or cybersecurity, or risk management) must be “an enabler for the business.”
You can’t be an enabler for your organization if you don’t have a keen appreciation for what it wants to do and how it shepherds its resources (read: money) toward those goals. Only then, with that understanding, can you explain why paying attention to compliance or IT risks is important.
Think about it: most of the time, at most companies, there is no readily visible payoff for strong IT risk management — or an anti-bribery compliance program, for that matter. You might sometimes get lucky with one specific example in the news of a bad outcome, in a “Wow, did you see the nasty thing that happened to that company down the street?” sort of way, but such opportunities are rare. Seizing on someone else’s negative experience is not nearly as effective as demonstrating why your own team can drive a positive experience for your organization.
The good news for compliance and risk professionals, in a roundabout way, is that companies do live in a highly regulated, highly risky business landscape. There are many ways that plunging forward with some new idea can backfire, either through regulatory enforcement or an operational failure that costs a fortune to fix and makes management look like idiots.
So your task, really, is to explain how a well-resourced compliance or assurance team can help management tiptoe through the modern minefields of regulatory and operational risk; to explain how your well-resourced team can enable (there’s that word again!) a more skillful advance on your organization’s objectives.
The more precise your examples can be, the better. And knowing things like how your organization makes money, how it handles money, how other parts of the business help senior management with those money goals — that’s what gives you the precise examples you want to bring to the conversation.
A Word on IT Risks
This last point applies more specifically to CISOs and internal auditors worried about cybersecurity risks, since it was the one issue where I somewhat disagreed with the panelists.
The panelists all stressed the importance of talking with First Line operations leaders about security risks, and winning those folks over to your message of strong cybersecurity policies, procedures, and controls.
I get that, but if we’re talking specifically about cybersecurity risks, then isn’t the relationship between the CISO and the IT leader even more important?
After all, technology is the apparatus that makes a corporation run. It provides the pathways through which a business process flows. Yes, First Line operations teams use the technology, but the IT department develops and manages that technology. So if we’re talking about IT risks (including cybersecurity, and more than a few compliance risks related to cyber), then the CISO or internal audit team needs to focus their energies there.
For example, the EU AI Act puts a heavy emphasis on “security by design” for AI systems. Well, who is designing those AI systems? Not the First Line folks, that’s for sure. The IT team is either (1) developing the AI itself, or (2) evaluating some other AI product you want to purchase and use. Either way, they’re the ones making critical decisions about the technology that the rest of the enterprise will use. So you, the risk management or compliance team, need to work closely with IT to be sure they make those decisions in a thoughtful, risk-aware manner.
Yes, you also need to have those conversations with First Line leaders (who might be buying technology directly) and senior management too, but let’s always remember that your relationship with the CIO or IT leader is the first among equals. It’s a fine point, but an important one.