You suspect you have a problem. You hire a professional to explain what’s wrong. And all you get in return is generic, impersonal advice that you cannot act upon. Now you have more problems.
That’s what happened recently to one professional services organization in the U.S., which assists many of the nation’s biggest companies. After hiring a large consulting firm to conduct a risk management assessment, senior leadership was left with an uneasy, underwhelming feeling.
The assessment, conducted through balloting software, had resulted in rudimentary, focus group-like thinking and did not do a good job of prioritizing risks specific to the company’s culture and management team. The executive team felt they had wasted a lot of time and money on general advice that didn’t resonate with management, and quickly shelved the recommendations.
The assessment went beyond a daunting laundry list to focus on specific recommendations the company could implement to move the meter on risk management on its own. This was the change the organization needed.
Seeking an opportunity to change and set a better and clearer course, the company’s internal audit director sought a second opinion from Protiviti. Rather than pointing to the shortcomings in the original assessment, the director simply let Protiviti draw conclusions independently and from scratch, stressing only that she wanted a more personalized approach to understanding the company’s total exposure to risk.
Protiviti’s risk assessment approach resonated with both her and the new CFO of the company. The assessment went beyond a daunting laundry list to focus on specific recommendations the company could implement on its own to move the meter on risk management. This was the change the organization needed.
The risk management plan the internal audit director received zeroed in on closing loopholes in acquired companies, system consolidation, IT and employee training, data scaling, and maintaining regulatory compliance. It also included metrics to track changes in risk levels over time and ways to evaluate new risks without causing an excessive burden on management.
Unlike the first assessment, this project succeeded in determining which risks mattered most and helped the executive management team come to an agreement on priorities, especially in the areas of IT and sensitive employee data. It brought everyone on the same page with regard to the risk areas that could be improved upon and provided them with the tool to do so.
For the internal audit director, the risk assessment was her first big victory in helping the company get its house in order, and it demonstrated her ability to deliver and partner well. For other stakeholders, the assessment and risk meters Protiviti helped put in place represented a specific improvement that was enthusiastically received and instantly beneficial. It improved the company’s efforts at managing risk by becoming a part of the executive fabric, rather than a folder on a shelf.
Most important, the project brought the executive suite together to discuss risk topics for the first time as a team, generating valuable group insights and consensus on how best to drive the company forward.