In today’s fast-paced, technology-driven world, risk-based decision-making is as much about seizing opportunities as it is about defensive moves. A long-overdue update to the popular Three Lines of Defense risk management model embraces this new reality.
“Risk management goes beyond mere defense,” says IIA President and CEO Richard Chambers. “Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.”
The IIA spearheaded a task force of audit practitioners, risk and compliance executives, stakeholders, and others to identify the relationships between the central and common components of organizations and consider the continued relevancy of the Three Lines concept. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape,” says task force leader and IIA Global Chair Jenitha John.
The Three Lines Model is based on six principles: governance, governing body roles, management and first and second line roles, third line roles, third line independence, and creating and protecting value. It presents the accountability of the governing body for oversight, of management to achieve organizational objectives, and of an independent internal audit function for assurance and advice. The model notes that although the governing body, management, and internal audit all have distinct responsibilities, “the basis for successful coherence is regular and effective coordination, collaboration, and communication.”
“For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value,” Chambers says. — A. Millage
DOJ Issues Compliance Guidance
Prosecutors to consider risk practices for assessing criminal liability.
Revised U.S. Department of Justice (DOJ) guidance provides recommendations to help prosecutors assess whether a company’s compliance program was effective at the time of an offense, make informed charging decisions, and determine an appropriate penalty or resolution. Originally issued in 2017, Evaluation of Corporate Compliance Programs advises prosecutors to consider how the organization has defined its risk profile and whether risk assessment consists of ongoing examination.
Among key areas of review, the DOJ recommends prosecutors gauge the effectiveness of the organization’s risk management process and determine what methodology it uses to “identify, analyze, and address the particular risks it faces.” They should look at the specific information the company collected to detect the type of misconduct in question.
The guidance also advises evaluating the company’s risk resource allocation, to help understand whether the company spends too much time focusing on low-risk areas. Moreover, prosecutors should examine whether a process exists for updating and revising the risk assessment program. They also should consider whether the organization captures lessons learned from either its own compliance-related challenges or those experienced by industry and geographic peers. — D. Salierno
Boards Detail Crisis Concerns
Directors share top governance challenges during the pandemic.
Most U.S. board members say creating a post-crisis strategy is the top governance challenge at their organization, according to the National Association of Corporate Directors’ latest COVID-19 Pulse Survey. Almost half of the nearly 300 directors surveyed also identify concerns about their ability to understand new risks arising from the pandemic and to ensure employees’ health and safety.
Looking ahead, directors say shifts in the nature of work would be a chief concern, as would the technological challenges of moving their businesses forward. More than half say changes in how work is accomplished is one of their top three concerns. And almost one-third cite “accelerating digital transformation” as an ongoing priority.
As the need for communication with management has increased during the pandemic, board members’ time commitment has risen. Directors say they expect to continue a more frequent meeting cadence after the crisis. “New, responsive best practices are potentially on the horizon with directors engaging more frequently with management and in new ways,” the report says.
Participants also note issues their board must address as organizations continue to navigate the crisis. They cite, for example, the need to determine what information stakeholders require to maintain confidence in the business, as well as lessons learned from management’s response to the pandemic.
Directors also say it’s important to consider whether the organization’s workforce should be redesigned after the crisis, what business development opportunities may have arisen, and what risks those opportunities may present. Lastly, they note the importance of considering how boards can promote new leadership capabilities within the executive suite. — D. Salierno
Addressing Social Justice
Businesses should be advocates for diversity and inclusion, says Dennis Kennedy, founder and chair of the National Diversity Council.
How can businesses support social justice issues such as Black Lives Matter, and how can internal auditors assist organizations in making changes to support social justice movements? Companies should advocate for diversity and inclusion for all people and not focus on the risk of being forthright in their stance against racial injustice. They should be inclusive in their messaging and equitable in their business practices, as change starts with leadership and affects how employees view their workplace experiences. Companies should focus on propelling themselves into an inclusive space where all can feel comfortable.
Internal audit can help companies thrive through these uncertain times by assisting them in making changes to support social justice movements through score cards, diversity and inclusion indexes, integration of equity conversations within their business functions, and using business resource groups to spread awareness. Diversity and inclusion promote growth, creativity, and innovation, and are a source of value for businesses. Recent social protests in the U.S. and around the world have stressed the urgency of creating diverse and inclusive organizations, not just as a matter of economics, but as a means to address systemic racism.
What should be expected of businesses in the area of diversity and inclusion? Businesses should focus on transparency and awareness as it relates to diversity and inclusion, rising to the occasion and taking the lead by investing in efforts to address racial injustice within the community at all levels. Business leaders play an essential role in acknowledging the impact of systemic racism in the larger society and how racism permeates systems, processes, and practices within the workplace. Their commitment to addressing this issue and their intention to advocate towards substantive change will be essential to achieving true racial justice.
40% of 500 surveyed companies delayed revenue-generating initiatives for a month or more to prioritize remote work setup.
44% of respondents say the postponed work included cybersecurity initiatives.
“This research indicates that with many employees remaining at home for the foreseeable future or even permanently, refining how we grant and manage digital access is more important than ever,” says Sectigo CEO Bill Holtz.
Source: Sectigo and Wakefield Research, 2020 Work-from-home IT Impact Study
Backing the Blockchain
Executives seek to grow value of digital assets.
Once considered a technology experiment, businesses are making blockchain and digital asset investments a top-five priority, says Deloitte’s Global Blockchain Survey of nearly 1,500 senior executives. Nearly 40% report their organizations have implemented blockchain into production, up from 23% last year.
More than half of respondents view blockchain as a strategic priority, with 83% saying it is necessary to maintain a competitive advantage. As such, 82% plan to hire blockchain expertise in the next 12 months. “Like many disruptive technologies, blockchain has evolved from a merely promising and potentially groundbreaking approach to a now integral solution to organizational innovation,” says Linda Pawczuk, principal, Global and U.S. Consulting Leader for Blockchain and Digital Assets at Deloitte Consulting LLP.
One key component in blockchain’s value is digital assets, which nearly 90% of respondents say will be important in the next three years. These assets include cryptocurrencies, financial instruments, tokenized debt or equity, and digital representations of land or commodities. Among their benefits are the ability to trade them easily on secondary markets and their heightened transparency to traders. — T. McCollum