A clear lens on risk
Helping a consumer products company modernize its internal audit risk assessment
GETTING CLEAR
ABOUT RISK
The Situation
It was that time of the year again—audit leaders for a large consumer product company were on the hook to deliver their annual internal risk assessment and audit plan. But there was a challenge this year: competing priorities, which affected their ability to deliver. And no one—despite the sudden churn—was completely surprised. The company had deep, historic roots, and like many heritage enterprises, most of its systems and processes had been updated over the years, while some—like the annual risk assessment—hadn’t.
The company’s internal auditors were still manually soliciting information for the assessment from stakeholders across the business—a cohort that had grown, over the years, to more than 100 people around the globe. And as any corporate employee can tell you: requesting information is one thing. You then need to actually obtain it, then synthesize it in order to perform your analysis. The process had become too unwieldy. It was time for a change.
Modernizing things could help internal audit leaders make more efficient use of time and other resources and tell a better story of enterprisewide risk to boot.
They envisioned a new, digital process that standardized risk assessment across all divisions of the company and through all risk domains. First, the process would provide greater insights into the inherent risks each department was likely to face over the next one to two years. Next, it would surface how well management mitigated these risks so that, finally, anything as yet unaddressed—residual risks—could be flagged for internal audit.
Company leaders turned to Deloitte’s Digital Internal Audit practice for help getting it done.
THE SOLVE
As with many other organizations, the company’s annual risk assessment process was hampered by disparate and siloed activities—tried-and-true methods that rarely-to-never deviated from the previous year (but couldn’t scale). The Deloitte practitioners suggested that a true and lasting transformation—one that didn’t just update processes, but introduced a dynamic element that could continually flex with the business—would mean deploying a specialized artificial intelligence (AI) engine.
But AI models are only as good as the data that’s fed to them. How would that work?
By going to the source(s) of institutional knowledge. Deloitte and company stakeholders convened a representative working group of internal audit leaders from across Europe, Asia, and North America to capture key activities for the annual assessment—and more importantly, the data those activities would ultimately produce. Questions covered in initial sessions focused on building a risk taxonomy—the core risk elements the tool would be asked to identify across regulatory, compliance, and operational domains.
With this information in hand, the Deloitte team built an automated and customizable AI solution for risk assessment. The solution incorporates advanced data capture and natural language processing to identify prominent risks and group them according to the taxonomy. A visual dashboard provided company leaders with a bird’s-eye view of common risk themes that could then be tracked back to the risk taxonomy and the associated risk statements and metadata that underpinned the engine.
The result? A timely and dynamic 360-degree view of risk (that wasn’t reliant on pestering colleagues for data dumps).
A CUSTOMIZABLE
SOLUTION
TO IDENTIFY RISK
The Impact
The AI solution the Deloitte team built helped the company generate insights that weren’t just better than before, but faster, with automated data collection freeing up employees from manual tasks and creating new bandwidth for more strategic work.
By facilitating collecting, processing, and analyzing unstructured data at a granular level, the technology ultimately served as a storytelling device for the company. The internal audit team could now hone more accurate insights that support a strong narrative for how the company’s testing, controls, and mitigation strategies are aligned to its enterprise risk management (ERM).
The company had more time to not only bring risk findings to responsible leaders (who could then identify the source of the risk), but there was more time to work out a mitigation strategy from the leadership level.
Ultimately, the client had a powerful board-level tool that helped tell a more informed, data-driven story, which previously required spending several manual hours to achieve.
The tool brought standardization to the risk assessment process across the divisions and helped the client evaluate risk on an ongoing basis.
What started out as an exercise to standardize an annual planning procedure ended up transforming the entire risk assessment process by providing more granular—and therefore more valuable—information with less effort.
-
Geoffrey Kovesdy
Principal
Deloitte & Touche LLP
gkovesdy@deloitte.com
+1 617 462 1386 -
Greg Nicholson
Senior Manager
Deloitte & Touche LLP
gnicholson@deloitte.com
+1 313 324 1368 -
Sid Siddhartha
Senior Manager
Deloitte Assurance & Enterprise Risk Services India Private Limited
ssiddhartha@deloitte.com
+91 971 755 4800 -
Siva Venkataramanan
Manager
Deloitte Assurance & Enterprise Risk Services India Private Limited
svenkataramanan@deloitte.com
+91 983 021 2800
Explore more stories
One company, one voice
How Deloitte helped simplify and strengthen a company’s system landscape
Does managing risk mean hitting pause on innovation?
A fintech firm strengthens its control environment without losing forward momentum
Learning to manage vulnerabilities before they are an issue
Through a mock regulatory exam, Deloitte helps a leading financial institution detect and manage risk.