“Denial is never a good strategy.” How do you understand and try to address risk across an organization? Sabrina Serafin interviews Kristi Atwater, SVP of Internal Audit of Everi Holdings, about Enterprise Risk Management including advice for starting up the ERM function.
Culture of Compliance | Security as a Founding Principle
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin (SS): Welcome to Frazier and Deeter’s Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier and Deeter’s Process, Risk and Governance practice.
Today we’re talking to Kristi Atwater, the Senior Vice President of Internal Audit at Everi Holdings, and Kristi brings 20 years of board experience to her role leading Enterprise Risk and Internal Audit at Everi. She is also active in mentoring and is the co-host of the podcast Hey Boss Lady. Kristi, welcome to the podcast.
Kristi Atwater (KA): Well, Sabrina, first of all, thank you so much, and I’m so glad to be a part of this.
SS: Before we start talking about enterprise risk management and internal audit, I have to ask you to give us the background on your Hey Boss Lady podcast.
KA: I sure can, but first off I want to thank Frazier and Deeter for being a sponsor of our podcast. We super appreciate it.
SS: We’re happy to do it, thank you.
KA: I think the reasons why I started the podcast are firstly, I love podcasting and I loved listening to podcasts and secondly, I also wanted to do something different, but I wanted to make an impact. And one of the things that I’ve seen throughout my career is I initially was in the boardroom at a very young age and because of being in internal audit I was often the only female there. As my career has progressed, I’ve started to notice that I still oftentimes am the only female in the room, and so I feel like women are not getting as much visibility and if there’s any way I can help them get more visibility and find their way to the boardroom that’s one of the things that I wanted to do and that’s what I’m hoping the podcast does for others.
SS: Thank you, I’m sure it does. Great topics. Can you give us a little bit of your background? How did you end up in a situation where you were overseeing two very distinct and important business processes?
KA: Well, I started off doing Internal Audit as my normal day job and I knew that the original company that I worked at did not have an Enterprise Risk program, and so I was volun-told to put one together. I did my research, and I had the opportunity of getting some education where I could look at 100 different Enterprise Risk plans and I was able to take the best of them and make an enterprise risk program for the company that I was at. And then every company I went to after that didn’t have Enterprise Risk, so I would adapt and adjust and add that to my function, just because I feel like it is a needed function, and it makes so much sense to be with Internal Audit.
SS: So, let’s get into our first basic question. Some of our listeners are from organizations that, surprise, surprise, don’t have an Enterprise Risk function. Can you talk about what the function does, and particularly what its scope is within the organization?
KA: It’s really simple, it’s basically identifying all the risks facing a company and documenting them, so it could be strategic, competitive, financial. You could even add Black Swan risk for something that’s totally unexpected, then performing an assessment of the likelihood and the impact and then documenting how the company is able to mitigate those risks.
SS: I think a lot of us at the onset of the pandemic learned for the first time what Black Swan meant in this context, can you explain that?
KA: Basically, a Black Swan event means something that is totally unexpected, and I have to admit that we did not have on our Enterprise Risk that there could be a pandemic that would affect our business, so it was definitely an eye opener for all of us.
SS: That goes for many of us. One of the topics that you and I had discussed before the podcast was the challenge of starting up an Enterprise Risk function, and as someone who’s been through the experience of launching the function multiple times, can you share some of the challenges that someone would expect to arise?
KA: Yeah absolutely, there’s kind of three main things; first of all there’s a cost impact, there’s generally some type of investment and that can be a deterrent to some, and then executives, by nature, are responsible for the organization so sometimes they can be defensive because they like to make sure everything’s covered, and then I’ve even heard some companies have had legal pushback because they didn’t really want the risk documented and I just think denial is never a good plan.
SS: So how do you suggest dealing with those concerns?
KA: Well, first of all, cost does not have to be expensive. It doesn’t have to be a major investment; in fact, I don’t think you should go out and buy a big software program to do it, especially when you’re just starting off. So start small, and then, you know, ease into it. I’d say just in the beginning, when you’re assessing the risk, just identify the likelihood of occurrence and the impact, rather than going into the ability to mitigate. Then I would say once you get the assessment, do not present it to the board or the audit committee until you get buy-in from the executives and what the mitigation strategies are. Because that would never bode well for yourself or for the company to go into the boardroom without a plan to mitigate.
SS: Okay, so let’s dive into the idea of the investment involved in ramping up ERM. I know you’ve implemented Enterprise Risk management through a number of organizations, really by choice. What are the observations that you have for organizations that may push back because of budget constraints?
KA: Yeah, that is a very good question and I think it needs to be answered because there is a resistance to put an Enterprise Risk program in place, and I think the biggest answer is that it helps the company, it moves it. I have proven over and over again that risks that originally were high impact and high likelihood, we were able to get to low impact, low likelihood. And our confidence in our ability to mitigate those risks also improved over time, and I’ve been able to show that at every company that I’ve been at, and so that alone is a reason to put in Enterprise Risk.
SS: How does it work then to have both Enterprise Risk management and Internal Audit reporting up to the same person? Talk us through that.
KA: Yeah, so every year, as part of the IIA standards and corporate governance structure, I state my independence to the audit committee. However, when I do say that, I say except for the Enterprise Risk function, and so everyone is aware that I perform the Enterprise Risk, as well as doing Internal Audit. And at any moment the board or the executives could have an independent audit of Enterprise Risk, and you would just get a firm like Frazier & Deeter to come in and do an audit of that Enterprise Risk function.
SS: Would you suggest that Enterprise Risk management should be a larger part of Internal Audit, or do you think it’s fair for an organization to keep them separate?
KA: Yeah, I think in my opinion the benefits far outweigh the risk because there’s such an overlap in the functions. So Internal Audit is always considering the risks involved from a financial and operations perspective, and pairing the two is the most efficient way a company can handle it. So, what I do is once we have done our Enterprise Risk assessment, I use that to put together our Internal Audit plan, as well as our SOX testing, and then where the gaps are is where we do an Enterprise Risk plan, and then we track that plan throughout the year.
SS: Would you mind sharing with us how you specifically plan out your year when you’re responsible for both functions?
KA: Yeah, it’s very easy. We take all the risks and then once we get the assessment back, we rate them in priority order. Then we see where we have coverage from an Internal Audit perspective, and then we put together an Enterprise Risk plan perspective, and then we look where we might still have some gaps.
And where those gaps are, we either accept the risk; for instance, in my company workers’ compensation risk is not a very big risk, we’re all office workers, so we do very little for that, because we have insurance coverage and we feel covered from that perspective, so there’s no part of the plan that specifically addresses that. So, then you’re able to make good decisions, strategic decisions, on how the company can invest to mitigate the risks that they feel are the most important.
SS: Do you find having ownership over both functions takes up two seats at the table? Or does it really enforce the importance of Internal Audit’s seat at that table?
KA: I think it definitely takes two seats at the table, because there are some risks that Internal Audit does not cover. You can talk about strategic risks, it’s kind of hard for Internal Audit to audit that, and competitor risks. There’re things like that that just are not in Internal Audit’s wheelhouse to cover, and you need the whole organization to work on it. What’s nice about Enterprise Risk, is it gives the Internal Audit leader more visibility, but also it gives Internal Audit more visibility to the whole operations and the whole company, and I think it’s just a win, win situation.
SS: I have one last question about owning both functions. Do you find that, outside of having risks identified, ranked and rated, it leads to additional opportunities for audit, or do you think you’re able to consolidate instead the number of individual audits that you’re responsible for throughout the year?
KA: I actually think it’s both; it can lead to more audits that are value add to the organization, and then it also can consolidate things and get more coverage for the organization for less effort.
SS: Great point. As we wrap up, I would love to hear if you have any closing thoughts on this topic, which I think is very close to your heart.
KA: Yeah, I think to somewhat repeat myself, I think performing Enterprise Risk management for a company can really get Internal Audit a seat at the strategic decision-making table, and I think that’s beneficial again for the individual and it’s beneficial for the company. And being part of Enterprise Risk for me, has been the favorite part of my technical career.
SS: During your career you’ve worn a lot of hats, obviously. Do you have advice for professionals who are listening right now, who are maybe mid-career, who are trying to reach the top level of their organization? What direction would you put them in?
KA: Yes, my best advice is to continue to grow your skill set, and there are two ways to do that. You can try new types of positions in your company, or you can offer to work on projects outside of your typical area, and both give you a new skill set and give you different visibility.
SS: I would think that Enterprise Risk is one that gives you ultimate visibility.
KA: It really does, and you know it gives you visibility even with board members. I’ve had board members ask me how I put together my plan so they could take it to other boards who felt like their plan wasn’t sufficient.
SS: That’s great to hear, so it’s become a passion?
KA: Yeah, for sure, and you know I love helping other people with it, because I have colleagues that come up to me and say how do you do it, and so forth, and you know I just feel like it’s an easy thing once you implement it. It can seem overwhelming at first, but it’s just an easy thing to implement, and it’s super helpful for companies.
We are able to show progress over the years on how we have mitigated gaps that the company had initially and brought risks that were high impact, high likelihood down to low impact, low likelihood, and our ability to mitigate has improved too, so the results alone are very fulfilling for myself and for the company.
SS: Well, thank you for being with us here today Kristi and for sharing your views about managing Enterprise Risk and the Internal Audit function.
KA: Thank you, thanks Sabrina for having me, it’s been super fun.
SS: And to our audience, thank you for listening to Frazier and Deeter’s Culture of Compliance podcast. Please join us for our next episode, as we continue to discuss transforming compliance requirements into investments in your business.