Page 26 - iiA

compliance without being shared across the enterprise. Silos create blind spots that could lead to decisions being taken without an adequate consultation process, which may be detrimental to the organization.

•  Overreliance on Formal Channels: Annual risk training or formal reporting is not enough. Risk awareness needs reinforcement through everyday conversations, coaching, and decision-making support. Communication through informal meetings or town hall meetings would help in connecting with the teams and in communicating effectively.

•  Inconsistent Messaging: Communication is an art. When senior leaders are not aligned in their messaging, conflicting signals reach the workforce, creating confusion about which risks matter most. The key is the timing, message and target audience. Companies do hire Chief Communication Officers (https://www.forbes.com/councils/forbesagencycouncil/2024/03/21/the-rise-of-the-chief-communications-officer/) who handle public relations and communicate ideas, thoughts, plans, etc., to the stakeholders in the manner required.

Principles for Effective Risk Communication:
To reduce the communication gap, organizations should embed the following principles:

•  Risk concepts must be expressed clearly. Avoid jargon. For instance, instead of stating “cyber risk escalation,” explain: “There is a high likelihood of phishing attacks targeting employee emails.”

•  Tie risks to the actual work people perform. How does a compliance breach impact daily activities? How does reputational risk affect customer interactions? The outcome of non-compliance should be loud and clear.

•  Embed risk responsibilities at all levels. Risk should not be “someone else’s job.” Employees should know how their actions contribute to managing risk and, if they don’t, what the repercussions are.

•  Frontline feedback must be encouraged. Employees often spot risks earlier than senior leadership, but only if they feel heard. There has to be a mechanism or culture to ensure that the frontline employees are free to communicate to the Board through appropriate channels.

Communicating Risk from the Boardroom:
The starting point is ensuring that the board’s understanding of risk flows into practical, operational terms. Boards must ensure that they define the risk appetite. Boards must recognize that their risk narrative, i.e., how they describe, discuss, and emphasize risks, will cascade down the organization. If risk is viewed only as an obstacle or an afterthought, that is how it will be perceived on the ground.

Translating Risk for Operational Leaders:
Middle and operational management play a critical “transmission role” in risk communication. Nothing should be lost in translation or transmission. They hold the key to ensuring that the communication is tailored to the need, with practical examples where possible, and with the outcome of their task included in their performance reviews. There is also a need for regular conversations, including team huddles, project reviews and feedback sessions, to ensure that both channels of communication are working effectively.

Engaging the Frontlines:
Frontline employees must view risk management not as a bureaucratic burden or as a routine affair but as part of their responsibility to protect the organization. Effective approaches include:

•  Storytelling: Share real incidents where risks materialized and what the consequences were — both successes and failures. Airports in India, especially at the security point, at times put up a message that their security managed to identify certain unapproved items being

          23                                                                        INTERNAL AUDIT TODAY