Client: AuditBoard, Inc.
Format: Infographic
Size: 3.56 MB
Language: English
Date: 19.03.2025
How to Build a Risk-Based Compliance Program
Building a risk-based compliance program can seem daunting, but we discovered several best practices as we integrated our Corporate Audit and IT Risk and Compliance processes during our AuditBoard implementation. We found great success by aligning the risk language used in our teams, structuring the different risk assessments as both top-down and bottom-up, and encouraging open communication with stakeholders related to risk.
Adopting a common risk language is the first step to success in building a connected, risk-based program. In our case, we had two separate teams using AuditBoard, and we had different perspectives on risks. In Corporate Audit, we generally looked at risk from the enterprise level to understand the global impact of risks. The IT Risk and Compliance team took a more granular approach to understanding risks and implementing controls.
To work together, we aligned the terminology related to risks, controls, mitigating actions, and action plans so that we could see the entire risk landscape, including both the micro- and macro-level risk details. At first, we thought of these areas as separate, each with its own terminology, but we quickly realized this would hinder our ability to see from a connected risk perspective. Using technology like AuditBoard enforces consistent language and terminology, visible on connected dashboards that aggregate the risk information. Now, when we have risk-based conversations, we can start without first needing to educate anyone on risk management — everyone already knows the basics because we are sharing information.
Download a copy of this article to read more about these best practices, so you can learn from our experiences and avoid some of the pitfalls we faced.