Evolving risk and regulatory environments are prompting greater strategic collaboration between Internal Audit (IA) and Enterprise Risk Management (ERM) teams than ever before. While internal auditors have historically served in a third line of defense (3LD) capacity and risk managers led the second line of defense (2LD), these lines are now blurring.

To effectively support the organization and Board of Directors in fulfilling total risk responsibilities, providing a more consistent reporting experience, and improving corporate decision-making, the lines of defense have larger, more integrated roles to play. This includes, among other things, the timely identification of emerging risks, the development of risk-mitigation strategies, and serving as a strategic advisor. 

So where should these two groups begin? 

Clarify Roles of Internal Audit and Risk Management Teams 

First, it’s helpful to distinguish between IA and ERM roles. This clarification is important to building a mutually beneficial working relationship, minimizing duplication, and maximizing impact:

  • Internal Audit is “an independent, objective assurance and consulting activity.” Its core role is to provide objective assurance to the Board on the effectiveness of risk management. While IA cannot own or manage risks, it can provide input and collaborate with risk management functions.
  • Enterprise Risk Management is “a structured, consistent, and continuous process across the entire organization that identifies, assesses, and decides on responses to and reporting for opportunities and threats that affect the achievement of its objectives.”

Interestingly, internal audit functions that are better aligned to strategic organizational goals are better funded, an Institute of Internal Audit Report found. Additionally, Chief Audit Executives – traditionally internal auditors themselves – are more likely than ever to be responsible for ERM as well. It’s clear that alignment is a bottom-line business imperative. 

How to Optimize an Organization’s Risk Intelligence

The focus of IA and ERM is similar, yet many organizations execute these roles in silos, impacting enterprise-wide risk management and risk assessments. This hinders each function’s ability to identify and respond to changing risks, establish governance processes, and meet audit committee expectations. 

If you find yourself in this position, below are four practical yet high-impact ways to maximize your collective efforts toward dynamic risk management: 

1. Speak the Same Language 

A common risk universe and risk taxonomy are the building blocks for establishing a strong and uniform risk culture. From a strategic viewpoint, it’s hard for the executive team and the Board to engage in an effective risk dialogue if they don’t speak the same language. Imagine facilitating a conversation with a team of executives regarding an issue, with everyone using words that mean different things to different people; it’s likely that people are talking about completely different things! 

A uniform risk language is essential for executive sponsorship, engagement, and control. IA and ERM are in the perfect position to help develop risk language that will become part of the fabric of the organization, ultimately creating a risk-savvy culture and making internal auditing and risk management processes more frictionless. 

2. Share Risk Intelligence 

IA and ERM have unique access to management’s decision-making process and are privy to early information around strategic changes or future direction, be it introducing a new product to the market, implementing new technology, or considering a change in strategic direction. 

Given their distinct roles in the organization, the timing and nature of involvement may be different. Appropriately sharing information between teams that may change the organization’s risk landscape will ensure that IA and ERM priorities and efforts are spent in the most critical risk areas. Collectively, information-sharing can lead to stronger governance, collaborative risk identification, and aligned business objectives. 

3. Leverage Data Analytics and AI 

As IA and ERM coordinate to create a uniform risk language and share risk intelligence, data analytics should be leveraged to first define and then monitor key risk indicators (KRIs). A data-driven approach supports the monitoring of KRIs, which identify emerging risks to strategic business objectives and enable management to deliver a timely response, thus mitigating risk. Streamlining the data analytics program (e.g., approach and technology) and tracking KRIs will maximize cost efficiencies and increase collaboration between IA and ERM. According to IIA’s Vision 2035 survey, 92% of CAEs identify data analytics as the most important future technology skill.

Additionally, AI-enabled capabilities are now becoming part of standard internal audit activity and risk management strategy. For example, AI can more efficiently populate risk registers by pulling information from past audits while also forecasting potential risks through scenario planning techniques. Lastly, AI also has a role to play in increasing the efficiency of financial and board reporting, anomaly detection, and enabling greater collaboration between IA and ERM teams that leverage shared platforms. 

Based on the latest survey insights from IIA’s North American Pulse of Internal Audit, 4 in 10 respondents are using GenAI for internal audit activities, with adoption expected to grow throughout 2025 and beyond.

4. Use One Source of Truth 

While it seems intuitive, organizations don’t always invest or upgrade to an enterprise Governance, Risk, and Compliance (GRC) platform. In fact, they often purchase various tools from separate buyers, creating silos within the organization. However, using a GRC platform for IA and ERM provides greater efficiency and a single source of truth. This enables continuous IA and ERM collaboration, resulting in further testing and reporting efficiencies into new realms of business operations, such as environmental, social, and governance goals. The right GRC Platform will benefit the entire organization – not just IA and ERM. 

A single source of truth is the foundation for the creation of a risk management framework that can: 

  • Establish organizational risk oversight, including the appointment of risk managers and a risk owner. 
  • Consolidate governance, risk, and compliance data in one platform, ensuring easy access, consistency, and accuracy across the organization. 
  • Provide real-time insights and data-driven analytics, enabling more informed, timely decisions and better risk management. 
  • Foster cross-functional collaboration by allowing different departments to work from the same set of information, reducing silos.  

As IA and ERM collaborate, they play a crucial role in reshaping their traditional perception – from being seen as mere risk reducers that slow processes to becoming strategic risk stewards. Embracing the right perspective is the first step toward fostering a collaborative risk culture. 

For more information on defining a risk management program in your organization, contact CrossCountry Consulting today.

Connect with an expert

Mike Visconti

Integrated Risk Management

Contributing authors

Maya Shenoy

Jordan Schweinsberg

Jordan Nimeh