Internal audit, risk, and compliance teams are often thought of in a strictly tactical sense. At best, they are seen as the way businesses are kept out of trouble, and at worst, they are thought of as teams that should be seen and not heard unless asked, or as providing a mere check-the-box approach to regulation and requirements. However, as leaders in the C-Suite and the boardroom face new challenges at their organizations, internal audit, risk, and compliance teams should be more fully integrated into strategic decision-making.
What Are Some of the Current Gaps Between Internal Audit and Risk Teams and the Board?
I firmly believe that the Chief Audit Executive (CAE) and Chief Risk Officer (CRO) should have a seat at the table as an integral part of the strategic planning process. The reasons behind this needed evolution are becoming more apparent as boards are tasked with an ever-growing list of nontraditional risk areas. According to recent findings from Diligent Institute’s October Director Confidence Index, ESG, DEI, and cyber-related risks topped the list of the issues that board members believe should be prominent on every U.S. public company’s board agenda in 2022. As recently as five years ago, these issues would most likely not have been raised, let alone discussed, in your average board meeting. Despite this shift, a full 48% of surveyed directors say their audit team is either never or rarely involved in strategic discussions with the board.
On the risk and compliance side, many CROs and Chief Compliance Officers (CCOs) report that they don’t have enough time or resources in board meetings to properly communicate with and inform the board. To add to these concerns, it’s also often difficult for the board to fully understand the relevance of the material being presented to them, or how it connects with their duties as directors. These trends have resulted in some movement in the last year or two to encourage more boards to appoint former CROs and CCOs to provide that perspective.
What Are the Benefits of Linking Audit, Risk and Compliance to Strategy?
Audit, risk, and compliance teams are trained to look at risk parameters during their day-to-day roles. As the risks they observe become existential threats to the business, it’s important that their input reaches company leadership and the board so that directors can conduct proper risk oversight. They can provide the board with specific, detailed information that’s directly relevant to the company for rapidly developing issues or emerging risk areas directors may be less familiar with, such as cybersecurity, third-party vendor management, or environmental sustainability.
As an example, the CAE at a company on whose board I serve was able to provide a comparison of companies that had a focus on socially responsible investing. She helped benchmark ESG against our peers, comparing strategies, board compositions, emissions and more. At the end of this exercise, the CAE provided incredibly valuable information on where we stood on the continuum of ESG maturity relative to our peer group.
When it came to our key risk areas, we completed an extensive SOX analysis a couple of years ago. Originally, we had over 230 controls. However, our CRO pointed out that some of them were duplicative, not directly related to our financial metrics, and a few wouldn’t be relevant moving forward. So, earlier this year we worked with an outside consultant to help us reduce the number of controls to a more manageable 130. This was a key example of our audit team ensuring that we were monitoring what was most important strategically.
What Are Some Best Practices for Integrating Audit, Risk and Compliance with Strategy?
It’s extremely important that your CAE, CRO, and CCO have strategic heft. At Amalgamated Bank, we hired a CAE who is a CPA and has a doctorate in business administration. She is also a Certified Information Systems Auditor (CISA), a Certified Regulatory Compliance Manager (CRCM), and a Certified Anti-Money Laundering Specialist (CAMS).
From there, you must understand the company’s organizational reporting structure including whom your audit, risk, and compliance leader reports to. If it isn’t the CEO, consider this as an option so that independence can be maintained, and issues can be properly elevated to the boardroom. I’ve served on several boards that went through a CEO transition. My Audit Committee board colleagues and I specifically asked the CEO candidates how they viewed the audit, risk, and compliance functions, and whether they would allow the risk framework to be a part of all strategic decisions.
When involving audit, risk, and compliance teams in company strategy, you also need to ensure that these teams are properly coordinated. For example, at Amalgamated Bank, the CAE and CRO work closely together. Each has defined roles and responsibilities so that we ensure there’s no unnecessary overlap.
We also made certain that our CAE was not only deeply involved with the board’s audit committee, but that she also had the opportunity to observe full board meetings. While uncommon, this strategy allowed her to learn more about the board dynamics and where they were coming from in terms of expertise, allowing her to communicate with them more effectively and efficiently.
The business climate is changing more rapidly than ever before. To deal with evolving challenges as they arise, I believe the internal audit, risk, and compliance teams need to be a vital part of ongoing strategic conversations.