Regulatory risk is rated a top concern by boards and executives. So now they’re looking to internal auditors to check how effective their compliance programs are. Internal auditors have, in turn, consistently heeded this call. Compliance risks now sit among the competing priorities that any internal audit plan has to cover.
The biggest challenge for internal audit in today’s continually changing regulatory environment is resourcing. Why? Firstly, the audit universe increases every year with the proliferation of new regulatory requirements. And for us here in the Philippines, with the Implementing Rules and Regulations (IRR) issued last year covering the Data Privacy Act of 2012 (Republic Act No. 10173), we are coming to terms with how to handle the IRR and consider its impact on our internal audit plans. We have to cover implementation efforts on a project basis, constantly address new risks, and provide significantly greater audit coverage of old areas subject to new lenses.
Secondly, we (regulators, banks, legal and consulting firms) are competing against one another for talent within the same limited pool, and often end up chasing the same candidates. The cost of recruiting and retaining employees has gone up significantly, creating budget pressures.
Before I go any further on how internal auditors can respond to this long-time problem, I thought of changing my perspective – how can risks be managed from the frontline?
If we take a collaborative approach to risk management, risk accountability can sit in the first line of defense. This can be the key to an organization’s greater resiliency and growth. That means an engaged first line makes risk decisions that are aligned with strategy, while a proactive second line of defense influences decision-making through effective challenge, timely consultation and cooperation.
Shifting more risk management responsibilities toward the first line gives companies more confidence, making them more agile, and better at anticipating and mitigating risk events. Risk management tools and techniques (e.g. risk rating system, building organizational resilience to risks, specifying a corporate risk appetite, third-party vendor audits and stress testing), plus formal second and third lines of defense, have been proven effective. This combination gives a strong boost to the frontliners’ confidence, preparing them better for future disruptions in business models or strategies, operational risks, or geopolitical upheaval.
Let’s go back to the Data Privacy Act as a relevant example in applying this concept. Our designated data protection officers (DPOs) might be tempted to handle the data privacy impact assessment (PIA) on their own in an effort to beat the upcoming March 2018 deadline. After all, who else in the organization has the skills and experience to decide on these important risks? Based on experiences of more advanced countries implementing their privacy laws, PIA control is most effective when it is liberated from the second line of defense – the compliance organization – and embedded directly in the business where data processing occurs.
Deploying PIA control across a multinational enterprise means training and equipping key gates where organizational change gets routed or detected. These key gates include marketing, data analytics, contact centers, procurement, software development, IT operations and information security. Embedding PIA questions into a company’s system development life cycle (SDLC) can provide the single biggest lift in overall PIA adoption. To address accountability, continuous training on effecting privacy and data protection measures is one of the five commandments of the National Privacy Commission.
Being effective frontliners of risk management does not mean diminishing the role and impact of second-line risk management and compliance functions. Instead, it is a natural consequence of the drive to promote risk awareness and responsibility throughout the company’s culture and create an optimal and effective risk ecosystem.
Aligning all lines of defense within a collaborative, strategic framework would lead to the true partnership that would create true value for the organization – stronger revenue and profit growth, expanding market share, lower employee turnover, and greater ability to withstand disruption. Proactive, rather than protective and reactive – that’s what frontline leadership is all about.
* * *
Geraldine H. Apostol is the risk assurance leader, chief internal auditor and transformation leader of Isla Lipana & Co./PwC Philippines. Email your comments and questions to email@example.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.