Re-branding Risk Management and Audit Functions

There is an old joke on power of branding. When a man goes to a woman and says – “I am great in bed, how about it?”, it is sales. When an attractive woman goes over to a guy at a party and says – “Hi, I hear you’re great in bed, how about it?”, it is branding.  Seriously speaking, how many times have the business teams come over to the risk management or audit department and said – “You are great at this, we need your help and advice”. If the business teams aren’t approaching, then we have poor brand image. Our customers are in two minds whether they should involve us or not. Quite often the business teams think they are better off without us. So shouldn’t we be delving deeper to find out that why in the competition between various departments in an organization, we generally are at the bottom on the popularity chart?

1.     Auditors are Watchdogs

Seriously, why do we use this term? It negates the very premise of being of service to others. Think of it for a second. We say, men are dogs, women are bitches, and auditors are watchdogs. Does it connect to negative or positive emotions?

With it we wish to sell the image of trusted partners, advisers and mentors. When we use the word watchdog, do we think –as trustworthy as a dog?

Have you ever felt the urge to pet a strange German Shepard or a Doberman? We see a couple of them coming towards us, and the bravest of us feel a tinge of fear and anxiety. Why do we expect any person interacting with an auditor to feel any different then?  Doesn’t the term watchdog, makes auditing sound like a blood sport? Why get stuck with an age old expression?

2.     The Coolness Quotient

We associate with brands because of their coolness quotient. It feels good to be part of the tribe, now whether it is Facebook site, Intel machines, Apple iPhone or Harvard degree. We desire it because it makes us feel or look good. When does audit or risk management makes the customer feel or look good?

I came across David Brier (@davidbrier), a branding expert on Twitter. In his short book titled “The Lucky Brand Book”, I was stunned by the last point. It said – give a reason to celebrate the brand.

I questioned him – how does one celebrate risk management? He gave me two answers –

a)     “Choreographed spontaneity” – all the fun and with a safety net

b)     All the gain without the pain

Both these answers send out positive messages. It definitely shatters the mind-set that risk management applies to negative aspects of business. Why not give it a try?

3.     The Independence Clause

We profess to maintain independence, and to do so we state quite a few things are management responsibility. At one point we express a desire to sit on the board table; at another we disassociate ourselves from management. I understand the technicalities of requirement to maintain independence. The question is – are we using it to escape responsibility?

As part of an internal audit role we undertake to issue an audit report. In risk management we either assist or conduct a risk assessment. As risk managers we provide the second line of defense and as auditors the third line of defense.

Though we desire a more active role, we don’t wish to match the responsibility with it. For instance, we submit a report with recommendations, and leave the business teams to implement the solutions, as it not part of our job. Doesn’t that appear like sailing a person in  middle of a deep-sea and leaving them there, on their own? As giving a return ride back to the shore isn’t part of the deal.  Is it going to generate trust and respect to build healthy relationships? Next time round, are the business teams going to welcome us back?

Closing Thoughts

I definitely don’t have the answers to this one. Though it is clear, we need to re-brand. Maintaining the status quo isn’t helping us. At the logical level we are doing our job. At the sub-conscious level the business teams receive numerous negative messages, which dissuade them from emotionally connecting with the functions and its members. Risk managers and auditors need to figure out how to brand themselves externally and internally.

While you do so, listen to one of the everlasting brands – Elvis singing Suspicious Mind


The Lucky Brand Book by David Brier

14 comments on “Re-branding Risk Management and Audit Functions

  1. I agree that this re-branding is the need of the hour. This is an effort that would need support of both organizations and also inputs and action from the Consortium at large

  2. I agree that Audit or Risk should be challenged with providing solutions. After all they are the support function even with independent roles. Dipan

  3. In my opinion, we as an auditor should provide constructive comments with practical recommendations considering all the evidence and factors. We should convey the message to the top management and head of business units that we are working in the same for the benefit of the organization. We have to improve our report writing skills, we should maintain the good relationship with the management at the same time being independent (i.e. can advise but should not be involved in decision making).

  4. I agree on the challenge and necessity to improve the impression and performance of Internal Audit. Where, building on Akhtar’s good observations, this deals with clear language and open communication to prevent any misunderstandings. And as well is needs brave auditor’s willing to help the auditee with improvements and being brave in case it turns out that the chosen best recommendation was not the best option after all when the issues / area was re-audited again. (We are all humans…)

    • Agree with you, if the internal audit has given incorrect recommendations, they should accept it. We as auditors are trained to find faults in others systems and processes, but we have quite a few in our own. We should be able to accept that completely without being defensive. As you said, we are humans and nothing and nobody is perfect in the world.


  5. Well done post, Sonia. The re-branding you speak of is a good start, but the larger problem in need of a solution is general corporate culture that sees audit/risk management as a necessary evil, rather than as a cornerstone for proper practices. I have spent twenty years in IT, and with few exceptions, IT people rarely see anything useful about audit. I think this is largely due to a mentality that the job of departments like IT is anything but review and assesment, and proof of practices. The solution? I think education (college, continuing, professional) needs to do more to build up the “brand” of audit/risk management among those outside that profession. While audit/risk departments can help their own image in the ways you detail in your post, corporate culture on this issue will not improve much until top management makes it a priority to communicate the value of audit/risk management to the rest of the company.

    • Bill,

      Thank you and I agree with you that the IT teams don’t see much value, because the whole focus to them appears to be on nitpicking. For example, if access of X was to be revoked, and it wasn’t.

      How many IT auditors or risk managers advise on taking advantage of the upside risks, and give them information on how to gain competitive advantage. Ideally risk managers should be seeing the IT strategy, and advise on the strategic risks, how to gain first mover advantage, what the competition is doing better. However, the whole focus is on operational or tactical risks.

      With that, we expect CXOs to support the IT audit work. No CXO focuses the whole time on minor problems, they are paid to tackle bigger problems. The small ones won’t appear on their radar, so if auditors are expecting a pat on the back for highlighting tactical issues, they aren’t going to get it. Now whether you can say lack of support from senior management or tone at the top. Senior managers need to see concrete value before they buy in and support the activity.

      So we need to do the brand building by providing value, then support will follow. What do you say?


  6. Certainly inspiring thoughts brought to the fore ! The auditor battles this kind of situations very often. The job gets more difficult when you are an employee from within the organisation as compared to professionals coming from outside/ hired from consulting firms (well that’s my perception after all these years I have experienced).

    Time and again I have pondered over this dilemma . “Attitude” would make the difference. A positive mindset and constructive approach will go long way in making the business managers feel comfortable that auditors are integral part of the team and seriously intend an improvement.

    • Vik,

      Thanks and you have identified the crux of the problem “attitude”, we tend to reflect a negative critical one, which gets everyone defenses up.


  7. Great discussion!

    Different Departments, and the respective people play different roles in an organization, internal audit is no exception. It is not appropriate, in my opinion, to turn internal audit into operations managers, i.e. implementors, the objectivity will be lost, that view from outside, from a “disinterested party”.

    On the comment that “has management invited internal audit to come and help/assist?”, or something to that effect, I offer this, management requests to Internal Audit for assistance, should be considered a key performance indicator on the part of Internal Audit; that will certainly contribute to the brand/branding, to the perception and acknowledgment of value delivered by Internal Audit.

    Keep the discussion going….


    • Kiyemba,

      Thanks for the compliment and subscribing to the blog. We need to transform internal audit departments from traditional control checking tick box mentality to advisers on risk levels of the organization. Publishing a post on transformation, do tell me how you find it.


Comments are closed.