Managing both traditional and emerging risks has become increasingly complex for business leaders. The challenge is further exacerbated by the fragmented nature of risk management, with responsibilities, data, and processes spread across different departments and systems. This makes it difficult for any single team to fully grasp and address the organization’s overall risk exposure and report a cohesive risk narrative to senior management, audit committees, and/or boards.
To address these gaps, CrossCountry Consulting’s Integrated Risk Management experts hosted audit and risk leaders for an engaging session and discussion on how to identify and respond to companies’ changing risk profiles. Explore some of the critical insights from leading voices in the industry:
Elevated AI Threats Demand Integrated Cyber and Risk Programs
The evolving risks associated with AI often intersect with existing cybersecurity threats but with a new spin. For instance, AI has made it easier and more scalable for threat actors to enhance phishing, deepfakes, and data poisoning to target unsuspecting companies and employees.
Enterprise risk management (ERM) functions must regularly assess these risks in collaboration with CISO functions to ensure that both traditional and AI-specific threats are recognized, catalogued, and addressed. These threats are only expected to increase as reliance on critical technology and vendors rises, so it’s imperative that leaders design a responsive risk posture and cross-functional risk management framework.
Misalignment Between 2nd and 3rd Lines of Defense Remains a Cause for Concern
Risk and compliance functions (2LOD) and internal audit functions (3LOD) still aren’t operating from the same consistent playbook. In some cases, they never speak at all.
Internal audit plans may not take into account inputs from 2LOD on emerging risks or the results of risk assessments. Similarly, if internal audit doesn’t provide continuous feedback, 2LOD has a much harder time refining and improving controls. This dynamic can cause duplicate work and poor utilization of resources.
Organizations should promote stronger alignment between these functions to prevent silos and establish a holistic approach to risk management. Closer collaboration can enable 3LOD to identify weaknesses and inefficiencies in risk controls that 2LOD may have missed, in addition to clearly defining who should run risk assessments, evaluations, and controls testing, and how they should be run.
When these two groups work together, they provide a more consistent reporting experience to senior management and the board, which improves corporate decision-making due to a clearer picture of the risk landscape and the effectiveness of risk management processes.
Aligning KRIs and KPIs Is Critical to Risk Prioritization
Key risk indicators (KRIs) provide early warning signals of potential threats, which can empower teams to proactively communicate risks and take mitigation measures. Ensuring these KRIs map back to the organization’s key performance indicators (KPIs) rationalizes the risk management framework and gives all teams a tactical way to prioritize the mitigation efforts that will have the greatest potential impact on the business at large, not just on a single department.
This point of integration also allows leaders to balance risk and reward, reduce redundancies, optimize resources, and build a risk-aware culture.
For expert support implementing pragmatic integrated risk management programs, contact CrossCountry Consulting.