Agile and Dynamic Risk Assessment (DRA) are part of the blue print for enabling the internal audit processes of the future.
- Agile approach to IA: iterative, cross-functional collaboration (e.g., collaborate on identification of risk areas and alignment on what is audited and why), focus on business value and continuous improvement.
- Cognitive science / Agile approach suggests:
- The longer we work the less productive we are: Forty-hour week is good.
- Iterative work leads to earlier and higher value: Give results throughout the internal audit, not just at the end. More check-ins.
- Stable teams perform better: Teams have stages of forming, storming, norming and performing—teams go through a cycle that includes polite intro stage, identification of differences, figuring out how to work together, and then high performance. Try to keep your teams together throughout a project so they can get through the stages and reach the high-performance stage.
- Multitasking creates waste: Concentration is broken every time we switch between projects.
- Dynamic Risk Assessment (DRA): Turn IA into a dynamic risk assessment process where the focus is on automated, repeatable, standardized processes that support continuous monitoring (versus a once-a-year assessment).
- Seek to identify and develop Key Risk Indicators (KRIs) to enable automation, which will support repeatable and standardized and processes. For example, a patient safety issue may emerge from interviews— in response, develop a key risk indicator, such as the number of hospital-acquired infections, and then automate reporting.
- DRA is proactive rather than reactive. It helps to anticipate both current and emerging risks areas.
- Goal is to increase the frequency of reporting.
See the full presentation to learn more about bringing the agile method to your internal audit, compliance and risk management control
Thank you to Sweta Shah and April Patterson for their excellent presentation.