An efficient framework for seeing the whole risk picture
Over the past decade, as financial, operational, strategic, cyber, reputational, and other risks have proliferated, organizations have been working on effective responses. Boards have placed risk oversight at the top of their agendas. Senior executives have upgraded the risk management infrastructure. Businesses and IT functions have adopted tools and solutions. Compliance, risk management, and chief audit executives have enhanced their functions’ capabilities.
Yet many management teams, audit committees, and boards still lack a clear, accurate, and comprehensive picture of the truly greatest risks to their organization and of the risk management programs that protect the organization. Ultimately, the purpose of risk frameworks and assurance activities is to strengthen an organization’s controls to preserve shareholder value. From board directors to line managers, everyone occasionally loses sight of why these valuable governance mechanisms exist, relegating them to bureaucratic check-the-box exercises.
The main barriers to creating a comprehensive risk picture are neither technological nor financial but rather organizational, particularly when it comes to risk assurance. The traditional ways in which assurance activities and reporting are organized limit an organization’s visibility into risks and into the effectiveness of its risk management, while creating unnecessary costs and exposures.
Defining the problem
Organizations have typically adopted new approaches to risk oversight and management in response to the most recent high-profile risk event in their organization or reported on the news, or in response to regulatory mandates. This has often resulted in risk reporting that’s best characterized as narrowly focused and diffused, redundant and costly, intrusive to the businesses and functions, and, least pleasant of all, unrelated to the true drivers of enterprise value and performance. If you’re a senior executive or board member with risk-related responsibilities, consider these questions:
• Does the organization need to refocus on what really matters and clarify accountabilities for risk?
• Are assurance reports heavy on detail, but light on what those details mean?
• Is it difficult to reconcile the views you receive from various information sources for assurance?
• Do people in the business experience “assurance fatigue” due to multiple requests from various assurance functions?
• Does the term assurance need a better definition, along with a better definition of assurance responsibilities?
If you answered yes to any of these questions, it’s time to consider integrated risk assurance.
But first, it’s important to understand the two significant challenges facing current practices:
Read more in Deloitte’s Integrated risk assurance report