Risk as the Rosetta Stone

Having a common risk language can help an organization facilitate business discussions.

Language determines how people share information, invoke emotion in others, or persuade them to action. The words chosen also frame a listener’s perspective on an individual beyond simply that interaction. How people select and use words appropriately in a situation is important.

With this as a backdrop, it was no surprise that when my business partner referred to “risk as the Rosetta Stone” for business, the concept rang true. The Rosetta Stone, discovered in 1799, allowed people to decipher once-challenging Egyptian hieroglyphics. Having the key to deciphering the message unlocked understanding and knowledge previously unavailable. 

Using the language of risk offers a similar master decoding structure — in this case, for businesses to leverage for greater understanding. Business demands as varied as resource allocation and product innovation will benefit from the use of a shared risk language that enables the organization to build from a common baseline. Leveraging a common organizational language can increase the organization’s efficiency and heighten value delivery. For auditors, leveraging components of a shared language can not only increase message clarity and enable more effective communications with business partners, but also enhance the understanding and outcomes of audits, projects, and advisory engagements.

The Language of Risk

Much as a language is made of key components such as vocabulary (shared definition of words and terms), syntax (arranging words in a sentence for meaning), and pragmatic rules for situational use, the language of risk is made of standard components. Ensuring these components are designed, shared, and understood across the organization supports effective communications and decision-making. Internal auditors should consider how these key risk components are structured in their organization and whether modifications or increased awareness might further enable their use as a common language for the business.

Taxonomies (a common vocabulary) The core of any common language leverages a shared baseline. In risk-speak, this baseline is a taxonomy, naming standard, or universe definition. The risk universe or other classification structure provides a consistent lens to assess operational activities, monitor and compare effectiveness, and frame the scope of project or risk remediation efforts. A defined taxonomy also allows for a common aggregated reporting structure. This structure enables effective business decision-making because there is consistency in comparing and contrasting information over time and across organizational functions.

Measurements/Ratings (a common vocabulary and a guide on syntax and structure) Prioritization is difficult to define or agree upon without a standard rating scale by which to assess risk. Various functions and teams in an organization often share a scale for rating common risk variables — impact and likelihood. Similarly, internal audit usually defines a rating or prioritization scale for findings and reporting. Other teams, such as enterprise risk or security, also may use rating structures, which may be similar or quite different from others in use. To be able to prioritize and understand risk organizationwide, common scales must be used. When a scale includes metrics that apply cross-functionally — such as financial, operational, regulatory, client, or reputational — it can be better applied and leveraged across functions. For example:

  • Apply scale levels to project prioritization based on potential savings or projected revenue increases, or based on customer or marketing impact.
  • Apply scale levels to measuring impact and likelihood of audit findings, helping to prioritize resource allocation for remediation efforts.
  • Apply scale levels to assessing product opportunities for financial impact, client satisfaction increases, or operational challenge points, aiding in prioritizing focus on go-to-market efforts.

Risk Response/Appetite (pragmatic rules) Within an enterprise risk management program, the risk response standard, rules, or matrix guide the norms expected for identified risks. The response standards define when a risk is acceptable within organizational parameters, when action is required, or when a risk is out of bounds but acceptable for monitoring for an interim period. This structure can be applied beyond the risk function to identify points for escalating concerns, engaging management approvals, or prioritizing operational activities.

Business Value of a Shared Language

Leveraging components of the risk language as a Rosetta Stone of understanding can quickly provide value to an organization. Focusing on some key components can enhance communication and improve business functions.

Common Language Enhances Communications Use of a common vocabulary in cross-functional or global communications can ensure the messages reflect a consistent structure and clearly defined operational focus of the organization. The vocabulary should comprise agreed-upon top business risks, common naming, and classification of operational units.

Shared Understanding Improves Efficiencies and Culture Consistent prioritization processes based on a defined measurement scale can increase understanding and alignment among different teams or operational units. While this doesn’t necessarily mean a shared agreement is always expected, a shared understanding of the “why” and comfort in consistent prioritization efforts may increase the effectiveness of communications and enhance corporate culture.  

Translating Details to Themes Speeds Decision-making Use of a defined risk universe structure in operational functions can provide for aggregation of repeated, consistent individual concern points. Use of the standard universe enables comparison across locations or teams and roll-up of reporting and assessments in a framework that is expected and understood by executive management. Enhanced understanding through a common framework can shorten decision-making cycles and produce solutions faster.

Agreed-upon Prioritization for Resources Enables Quick Time to Value Having standards in place for measurement, response, and escalation can level the playing field, and drive consistent and intentional decision-making for allocating the organization’s resources.

Be a Translator

In their role as partners across the organization, internal auditors can promote the common communication and benefits associated with a shared risk language. As audit team members interact with stakeholders and partners, they should share their language with the organization with an eye on promoting understanding, improving efficiencies, and enabling the business.  

Melissa Ryan
About the Author



Melissa Ryan, CRMA, CISA, is principal and co-founder at Asureti in Kansas City, Mo.

