Corporate Compliance Insights
Promoting Collaboration to Improve Risk Management

by Dan Zitting
April 5, 2016
in Compliance
Risk management must work with internal audit and compliance to effectively mitigate risk

Originally posted in Financial Executives International’s FEI Daily Newsletter.

FEI Daily spoke with Dan Zitting, Chief Product Officer at ACL, about the changing compliance environment and a resulting desire among many companies to foster audit, compliance and risk management collaboration.

FEI Daily: Are the demands on audit, compliance and risk management evolving?

Dan Zitting: We certainly think so, and there are differing pressures in various industries. If you look at the SEC enforcement actions over the last year, you can see pressures on several issues, in particular on bribery and money laundering. It seems regulators have pushed a lot of companies to the point where some of these issues have become much hotter than they were in the past, so the question getting asked becomes, “What are compliance and audit, or risk management and audit, doing to coordinate on some of these problems?”

And we find — especially if the company is big and complex — it’s surprising how often the perception of the risk agenda is different between those groups. That disconnect is creating pressure to bring them together.

FEI: What do you think contributes to that disconnect, or the perception of one?

DZ: What we often see pushing that is a question among the risk management and compliance folks who think audit is missing the mark by focusing on issues that aren’t what they see as really high-risk. Audit’s always in that dual pressure of reporting on the things that audit committees are interested in, and pressure from the business to be closer to their risk management concerns.

So we see more of that coming together to say, are we working off fundamentally the same set of risk assessments? Some of these issues are getting to the point where we need both the front-line testing or monitoring of risks as well as that audit oversight and improving alignment among these functions. It’s interesting how challenging that seems to be across companies.

FEI: How are companies trying to improve that collaboration?

DZ: In the clients that we work with, we see a push coming to give audit a stronger role in providing assurance over the risk management process by working with risk assessments and saying, “Is their process for doing that working well? Is it highly effective?” There’s a move away from starting an annual audit risk assessment from scratch and ending up with a completely different set of priorities than perhaps what the risk management function is focusing on.

Collaboration today is happening more frequently so these groups can become more agile and shift away from an annual planning exercise where they do a big risk assessment and build an audit plan to understanding, “what are the key risks this month?” Things change too quickly for [a] traditional type of annual audit planning exercise.

FEI: Is the risk or regulatory environment evolving too quickly for annual planning to be sufficient?

DZ: It’s not even close anymore, and a good example would be an agency like the Consumer Financial Protection Bureau. That’s only been around a couple of years, but they’re changing the kinds of audits and inspections they’re doing regularly. That forces a reaction on the compliance side and the audit side to say, “How are we going to respond to these changes and these oversight bodies in a more agile way?”

In that environment, we think you need to come up with methodologies and tools to give you the ability to analyze risk much faster. If you spend a month going around setting up interviews with key executives and it takes you two months to build an annual plan, that approach won’t fit this faster-moving model.

You need to encourage the use of tools and data to understand how you’re monitoring risk in real time, or at least be able to do so very quickly every month or every week or whatever the case is.

FEI: Are you starting to see more use of data and analytics to support risk management?

DZ: As a company, it feels like we’ve been working on analytics for a long time, and yet it does still feel early, in the sense that we’re finally starting to see a shift in expectations over the last year or so that everybody in the field needs to be able to analyze data at some kind of level.

Analytics are still harder, I think, than a lot of vendors would like to portray, but we’re getting better at making these data sets available so those less technical users can use tools to do that kind of light-level analysis much more quickly. It’s really just on the early stages of that, but there are opportunities with data because the pressure to move faster is so acute now.

FEI: When you look at the interaction of audit and compliance, are there traditional obstacles you have to address?

DZ: Oddly enough, one of the single biggest choke points I see over and over again is the language that’s used between these different departments. It can be as simple as compliance folks, when there’s a compliance violation, they call it an incident, but when an auditor finds something that’s problematic, they call it a finding. It’s almost like, these relatively simple differences in vocabulary can choke off the collaboration, because these departments will think that they’re doing something different, when at a fundamental level, they’re really not. Most of these departments are saying, “Hey, the business has objectives, there [are] key risks to those objectives and there needs to be controls in place to mitigate those risks.” Yet the language around the methodology they use, I think, can choke off collaboration.

If we could bring folks together on how we’re going to talk about risks, then we can align the processes and use the same sorts of technology [and] reporting then become[s] much less complex.

FEI: When you have a conflict like that, how do you start to address it?

DZ: What we would generally recommend doing is taking a step further back and asking the operational business how would they refer to these things and how would they describe their processes. If they understand the vocabulary and risks, they’re more likely to understand any recommendations and change their operations based on it.

Really, that’s the goal these oversight functions are looking for, and you then move that alignment back into the risk assessment process and the auditors, as an oversight role, are working off that same risk assessment and control process.

I think there’s a big value there. Certainly in COSO, there’s a recommendation to have an overt culture around risk management and how the organization approaches it. I think that’s a big part of it. We see it on the technology side where it comes down to time to implement technology and there’s conflict or trouble making decisions because of the groupthink. But if they’ve taken time to think and talk about their risk management culture, that makes those down-the-line activities much easier.


Dan Zitting

Dan Zitting serves as Chief Product & Strategy Officer at Galvanize, the leading provider of SaaS solutions for enterprise governance, risk management and compliance (GRC) globally. Recognized by both Forrester and Gartner as the category leader, more than 6,000 of the largest enterprises and governments in over 130 countries globally use our HighBond platform to run their organization better. His role includes executive leadership of the company’s strategy, products, underlying technology and customer service/success. Dan has been recognized with multiple prestigious awards, including CPA Practice Advisor Magazine’s Forty under 40, ColoradoBiz Magazine 25 Most Influential Young Professionals, IIA Emerging Leaders, BCTIA Team of the Year, GRC 20/20 Technology Innovation and Business in Vancouver Forty under 40. Prior to Galvanize, Dan spent 10 years in professional services, including four years with the Technology & Security Risk Services practice at Ernst & Young. Following E&Y, he co-founded advisory firm Linford & Company LLP, a provider of GRC consulting services that grew to serve clients across North America, Europe and Asia. While building his firm, Dan developed a software platform for use by clients, which ultimately led him to leave to found Workpapers.com, the first truly cloud-based audit and compliance management system in the market. Under Dan’s leadership, Workpapers.com found strong success and was ultimately acquired by Galvanize in 2011, combining the power of cloud collaboration and “big data” analytics under one market-leading brand.

© 2019 Corporate Compliance Insights
