Part two of our series, Building the Modern Corporate Risk Assurance Function
Office politics and turf wars are a fact of corporate life.
They are also among the most dangerous forces an organization can face, because they pit employees against each other and lead individuals to put their own or their departments' interests ahead of the business as a whole. The risk management and risk oversight functions are no strangers to battles for territory and control. Unclear lines of responsibility, siloed thinking, and guarding of information are common among departments and business units responsible for managing risk. For that reason, they are also the perfect starting point to explore how compliance, audit, and other corporate governance functions should work together to achieve better risk assurance.
Consider where "office politics" would fall as something to be managed in the COSO internal control framework. An organization riven by office politics has more difficulty operating effectively and meeting its financial goals; the business does not operate with integrity, because the very definition of turf wars is to divide one group into competing factions. That is true regardless of specific internal controls the company has, or the communications that come from the board or senior leaders, or the risk assessments the company conducts to understand the threats it has.
In other words, office politics is a problem of the control environment.
The implications of that fact are crucial as Second and Third Line of Defense functions organize themselves to provide effective risk assurance. The functions within those two lines are as vulnerable as any other to turf wars and politics. At the same time, they also all work toward the same goal of building and operating effective systems of internal control and risk management. Some of how that goal gets achieved is practical: building feedback loops to test and improve risk controls, and the like; we will address those points later in this paper.
The start, however, should always be for the compliance, audit, and other risk management functions to consider how they should allocate responsibilities among themselves to create the most stable control environment possible—that is, how to insulate themselves as much as possible from office politics and turf wars, to preserve an effective control environment. Because if that element of internal control doesn't work well, none of the rest do either.
The View from Above
The next question, then, is what a healthy control environment looks like to other stakeholders—the board, the CEO, business operating units, external auditors, investors, regulators—that rely on a strong risk assurance function. What are the qualities of a good control environment, which you (the "collective you" of compliance, audit, and risk management) should strive to deliver?
Clearly one quality is independence. Every stakeholder group in the company (with the possible exception of business operating units) wants to know that the risk assurance team can provide objective assessments of how well the company is working to manage financial reporting, compliance, and risk management objectives. They also want to know that the risk assurance team can root out ethical misconduct impartially.
A second, less discussed quality is competence. Other parts of the organization need to see, and trust, that the risk assurance team knows what it's doing. The ideal is the frequent refrain that compliance or audit "knows the business"—but even if individuals within compliance or audit don't know the business, they must at least know how to work with the business to create effective risk and assurance systems.
Both qualities are embedded in the COSO principles that support the control environment, and that speaks to why this element is so crucial to success. It's the atmosphere within which the other elements of the COSO framework move and breathe. While the other elements of effective internal control can help dictate what the risk assurance functions do, an effective control environment drives how they work together.
Yes, specific questions about which function does what, or who reports to whom, can be driven by a host of practical concerns. All NYSE-listed companies, for example, must have a dedicated internal audit function. Many companies working under a regulator's consent decree must have an independent compliance officer. Perhaps your CEO insists that the chief compliance officer also be the general counsel, or that internal audit oversee operational compliance in one consolidated function.
But even the most clearly delineated compliance and audit teams can be ineffective if they don't agree on basic principles of what the risk assurance functions want to achieve. A strong control environment demonstrates that those basic principles are in place. That is why the control environment merits so much thought in your own organization, and here in this paper.
Putting the Pieces in Place
One thesis from the previous paper in this series was that companies must set objectives clearly enough to understand the risks they face while trying to achieve those objectives. Let's assume in this paper that your company has done that. The risk assurance functions must still confirm that as the company goes about its course of business, it stays within risk tolerances—that is, compliance and audit need a way to ensure that employees stay on the correct path (which may be wide or narrow, depending on how tight your controls are) as they move toward business objectives on the horizon.
In other words, you need a feedback loop.
This is where the other elements of the COSO framework (risk assessment, control activities, monitoring, communication) enter the picture. They are the mechanisms that establish a feedback loop, and generate the data you need to determine how well your risk assurance efforts are working.
Some components of a feedback loop—and ultimately you will want multiple loops, for the multiple risks that you monitor—are more suited to one risk assurance function than another. For example, assessing the risk to be monitored in the first place (that is, Step 1 in the loop) is often better assigned to internal audit, since internal audit already conducts an annual enterprise risk assessment. Perhaps for compliance risks specifically, internal audit can work in close consultation with the compliance officer, just as internal audit would work with any other business unit—but the team assigned to assessing a risk should be the one most skilled at risk assessments.
Likewise, monitoring might be best assigned to the HR department (for, say, risks of whistleblower retaliation) or the IT department (for surveillance of employee communications to police against insider trading). Should a concern arise that merits formal investigation, leadership there should fall to the compliance or legal department since they have expertise (and attorney-client privilege) to handle the matter properly.
The fundamental flow of the feedback loop, however, can be explained by borrowing a metaphor from military strategy: the "OODA loop"—first developed for fighter pilots—directs people to observe, orient, decide, and act. As much as possible, your strategy should be to create risk assurance mechanisms that follow the OODA loop—mechanisms that observe the risk; apply some controls to it; generate data to tell you how well the control effort is working; and let you decide whether to add more controls, change policy, launch an investigation, and so forth.
Establishing these feedback loops requires lots of cooperation among many parts of your enterprise. Support and cooperation from business units in the First Line of Defense will be crucial, since their operations are what generate the data you need for decision-making. You need trust and communication among the Second and Third Lines of Defense to make those good decisions, and to reach consensus on how to act. Hence the importance of a good control environment, before you even start turning through an OODA loop to manage your risks.
The reality is that your company has unique needs that only you, your board and CEO, and your fellow risk assurance leaders know how to handle. GRC software applications, reporting structures, audit procedures, template contracts, reports generated—they are all the gears and levers that run your feedback loop, and no "standard" loop exists that can be fitted to all companies. You will need to work out for yourself how to build one.
The parting lessons of this paper can be summed up as:
- Every company has unique needs and constraints that will dictate exactly how your audit, compliance, and other risk management functions are built. For truly effective risk assurance, think more about broad principles of cooperation across the business.
- For a strong control environment that truly demonstrates a commitment to risk management and compliance, the most important qualities are independence and competence.
- The art of risk assurance day after day hinges on building feedback loops: policies and control activities that generate the data you need to determine whether your risk management is improving or failing, and why.
This is the second paper in a series of four that examines how to build the modern corporate risk assurance function. The first part is: Rethinking Basic Principles of Risk Oversight.
Matt Kelly is an independent compliance consultant who lives in Boston. The views expressed here are his own. He can be reached at firstname.lastname@example.org.