Risk assurance in the modern enterprise is a team effort. So that begs the question: exactly what do the many types of risk assurance professionals out there do, anyway? What position does each person on the team play?
By my count there are at least seven job titles that address cybersecurity and compliance somehow. Clearly defining those roles and responsibilities is crucial for effective compliance, because without that clarity your business can face either of two big mistakes.
First, you might have multiple roles focused on the same task. That breeds confusion, squanders resources, provokes office turf wars, and hampers corporate efficiency.
The second potential mistake is even worse: you might have no roles focused on certain tasks—which can leave risks to fester unaddressed, until a crisis explodes. Then comes one of the worst questions a board can ask:
“Didn’t we have someone paying attention to this?”
For those reasons, it’s important to understand the range of risk assurance professionals and how each one contributes to strong corporate compliance. Let’s take a look at the big seven.
- CISO
- Internal auditor
- External auditor
- IT auditor
- Compliance officer
- Risk officer
- Privacy officer
What Each Assurance Role Does
Chief information security officer (CISO): The CISO is responsible for assuring that the business has sufficient security processes in place for its business operations and that those security processes are working effectively. They work with the board and management team to determine an acceptable amount of security risk and then implement appropriate security measures (e.g., encryption, access controls, vendor security audits, penetration testing, and so forth) to keep security risk within those tolerances.
Internal auditor: The internal auditor assesses various risks to the organization, tests the controls that are supposed to keep those risks in check, and advises the board and business operating units on how to improve any weaknesses found during the audit. For example, the internal auditor might review the CISO’s process for performing vendor security audits, and then provide a report to the board and the IT security team about any weaknesses uncovered and what mitigation steps the internal auditor recommends.
External auditor: The external auditor is not part of the corporate organization per se. Rather, the company hires an external audit firm to provide an objective review of the company’s risks and controls. For example, public companies have an audit firm review the company’s internal controls over financial reporting every year, and many security controls are part of that audit. Or the company might hire an audit firm to perform a SOC 2 audit of its data security controls so the company can provide assurance to customers that its security is effective.
IT auditor: The IT auditor is a specialist within the internal audit realm who specifically assesses risks related to the IT environment. For example, the IT auditor might review the company’s maintenance of IT assets, its security patch management, or its procedures to evaluate new technologies. (This role is especially relevant these days since the pandemic has changed both how people use existing systems and what technology they use: their own devices versus corporate equipment, a blend of their own and corporate-approved software, and so forth). The IT auditor usually answers to the chief internal audit executive, but works often with the CISO.
Compliance officer: Large or highly regulated businesses usually have a dedicated compliance officer responsible for assuring that the company has processes in place to meet its regulatory compliance obligations. That can include everything from privacy regulations and banking industry rules on use of technology vendors to anti-corruption laws, and more — all of which touch on issues around vendor risk management, access controls, and data integrity.
Chief risk officer (CRO): Financial firms define the risk officer as someone responsible for operational and liquidity risk management, often with the regulatory compliance officer reporting into the CRO. An emerging trend in other industries is to “promote” the chief internal auditor into the CRO role so that they have responsibility for maintaining effective risk management rather than only assessing risks and finding weaknesses.
Privacy officer: The privacy officer is a specialist in corporate compliance who focuses on compliance with privacy laws: the EU General Data Protection Regulation, the California Consumer Privacy Act, and similar laws or regulations. The privacy officer typically isn’t part of the IT security function because privacy compliance involves more than security. That said, privacy officers might work closely with CISOs or IT auditors because security lapses are so often the source of a privacy breach. The privacy officer may also be the designated “data protection officer,” a role most businesses need to identify as part of compliance with the GDPR.
Assurance Roles Working With ‘the Business’
Not every business needs to fill all seven roles listed above. Smaller organizations might be able to let the legal team run privacy and regulatory compliance or be okay without someone in the IT audit role. Some non-financial firms might consolidate internal audit and risk management into one function. Each business will need to find its own ideal structure based on factors such as organizational complexity, regulatory compliance burdens, and risk tolerances defined by the board.
The better question to ask is how your company will fulfill all the duties referenced in the roles of those seven risk assurance professionals — regardless of exactly who does what and which job titles they have. How do those risk assurance executives work with the rest of the business so that risk management priorities are aligned with business objectives?
To do that, have a clear sense of which risk assurance executives advise others on risk, and which ones might actually own responsibility for a risk.
For example, CISOs own some risks related to cybersecurity, such as managing security patches or performing penetration tests of SaaS vendors the company might use. Compliance or privacy officers might be responsible for certain regulatory filings or alerting regulators to a data breach.
On the other hand, any type of auditor typically advises others about risk but doesn’t assume responsibility for mitigating those risks. The auditor acts as a third line of defense, advising other risk management executives (the second line) or business operations people (the first line) about where things are weak and how to strengthen defenses.
That’s a lot of responsibility to keep straight, which means lots of communication and collaboration. Hence the wisdom of creating an in-house risk committee, to forge the communication channels and trust that make collaboration possible. It’s also helpful to have a technology platform where various risk assurance and compliance work streams can be scoped, documented, and managed; progress can be measured; and areas for improvement identified.
Otherwise, as we noted above, you might have too many people sparring about who does want or nobody paying attention to a risk that might explode into a crisis. Neither scenario does an organization any good.
And that, ultimately, is what the board wants to know: that the executive team is working in a coordinated fashion to keep risk at an acceptable level so the organization can pursue its objectives as wisely as possible.
That’s how the team effort leads to victory.
Monthly Newsletter