- Advanced internal audit functions integrate the execution of rolling risk assessments with supporting the development and implementation of ERM, ensuring alignment and a cohesive view of the organization's risk landscape by using a shared risk universe.
- A well-rounded approach to identifying top risks combines internal insights with external intelligence, creating a cohesive risk landscape.
- Risk evaluation should focus on residual risks, considering likelihood, impact, and control maturity, while ensuring clear roles, responsibilities, and collaboration across assurance providers to manage critical risks effectively.
With risks constantly evolving, the demand for organizational resilience is greater than ever. Companies face a growing number of risks such as cybersecurity threats, talent scarcity, business interruptions and increasing regulatory and environmental compliance requirements.
To stay ahead, internal audit, internal control, and risk management must adopt a more proactive approach. This includes tracking emerging risks, adapting to shifting regulatory environments, and utilizing advanced technologies, such as analytics, to gain a deeper understanding of these (emerging) risks.
To support organizations in tackling these challenges, TriFinance has been hosting a series of roundtables on related topics to share valuable insights and best practices, helping leaders and internal audit professionals strengthen their risk resilience strategies.
How to enhance organizational preparedness to mitigate emerging risks
On October 10, TriFinance experts Annemie Pelgrims and Steve van der Steen hosted a roundtable on "How to Enhance Organizational Preparedness to Mitigate Emerging Risks".
Chief Audit Executives from various companies representing a diversity of industries discussed ways to improve the capabilities of internal audit and risk management. Key topics included methodologies for identifying and assessing emerging risks from both enterprise risk management and internal audit perspectives, as well as leveraging the latest advancements in analytics for comprehensive risk assessments.
Building a cohesive risk landscape: from risk-based Internal Audit plans to ERM
We began the roundtable dinner by asking participants about their involvement in risk management - a foundational question that set the stage for the evening’s discussions. From our perspective as TriFinance Risk professionals, we believe that advanced internal audit functions are most effective when they take on a dual role. This includes executing a rolling risk assessment to develop a risk-based audit plan, while also supporting the development and implementation of Enterprise Risk Management (ERM). Ideally, both exercises should start from the same risk universe, promoting alignment and ensuring a cohesive view of the organization’s risk landscape.
In response, participants shared their roles and responsibilities in risk management. Half of the attendees focus primarily on conducting rolling risk assessments to create risk-based audit plans, while another 30% are also involved in ERM development and implementation.
One participant highlighted an evolution in their approach, moving from simply executing risk assessments to taking a more active role in ERM—a shift that strengthens the alignment between internal audit and ERM within a unified risk universe. One organization, without a dedicated enterprise risk management function, has established a compliance steering committee together with the Head of Internal Audit. This committee is responsible for documenting procedures, including those related to the Corporate Sustainability Reporting Directive (CSRD). Composed of representatives from Internal Audit, Legal, Finance, Quality, and Sustainability, this group ensures a coordinated, cross-functional approach to risk management and compliance.
To effectively manage risk, we must align internal audit and enterprise risk management efforts using a shared risk universe, ensuring a cohesive view that enables us to identify internal control weaknesses and develop actionable plans to strengthen internal control maturity.
Annemie Pelgrims
An inspiring metaphor that emerged during the discussion described internal auditors as “Gardeners of Governance,” a concept introduced by Dr. Rainer Lenz. This analogy envisions the internal auditor as a dedicated steward who nurtures an environment for sustainable growth. Like gardeners, internal auditors “sow seeds, fertilize, water, and nurture,” constantly monitoring and adapting to external conditions to cultivate a resilient risk management landscape. Though indirect, their impact is profound, fostering organizational resilience with patience, adaptability, and a results-oriented focus.
Holistic Internal Audit risk assessment: integrating internal insights and external intelligence
At our roundtable, participants emphasized that identifying top risks requires a well-rounded approach combining internal insights and external intelligence. Internally, organizations draw on observations noted during prior internal audits; historical health, safety and fraud incidents; and business concerns highlighted by management and executive teams. These processes enable a nuanced understanding of potential vulnerabilities grounded in both past experiences and executive perspectives.
Externally, they leverage insights from industry publications, the appointed external auditor and professional bodies such as the Institute of Internal Auditors (IIA) and the World Economic Forum (WEF), which provide valuable context on industry norms and evolving risks. Benchmarking against sector peers (competitors, customers and suppliers) also emerged as a crucial strategy, helping organizations to align their risk outlook with broader industry trends.
Our TriFinance risk experts then invited participants to share their top five current risks, revealing a range of pressing and common concerns. Key risks included cybersecurity threats, talent acquisition and management challenges, raw material shortages (alongside the need for alternative materials), digital transformation, and compliance requirements.
Participants also highlighted the impact of geopolitical instability—particularly in Russia, Ukraine, and Lebanon—as well as hyperinflation in Argentina, all of which are disrupting local operations and influencing the management of fixed assets. In response, many organizations are intensifying third-party screening for political exposure to sanctions, while banks increasingly scrutinize outgoing payments to high-risk regions. To further support these efforts, TriFinance Risk professionals highlighted the potential of continuous control monitoring techniques for the ongoing review of outgoing payments, extending coverage to sensitive regions and tax havens alike.
As risks evolve, so must our approach—leveraging technology and analytics to gain deeper insights, and ensuring clear roles, responsibilities and collaboration across assurance providers is key to managing critical risks and enhancing organizational resilience.
Steven van der Steen
Comprehensive Enterprise Risk Management: strengthening residual risk profiling
To deepen enterprise-wide understanding of risk management, we recommend evaluating risks on a residual level, using the same risk universe as internal audit. This approach centers on three key parameters: the likelihood of risk occurrence, its potential impact, and the maturity of existing internal controls. Such a structured evaluation enables organizations to accurately identify vulnerabilities and create action plans that strengthen control maturity.
We explored whether participants felt their assurance providers—such as external audit, internal audit, quality departments, and management—are proactively addressing the top risks with high likelihood and impact, alongside low internal control maturity. Most agreed that while management assumes responsibility for risk mitigation, those responsible for Internal Audit and Enterprise Risk Management often face accountability challenges. Participants emphasized the importance of clear roles and collaboration across the second and third lines of defense to effectively manage critical risks.
Additionally, when asked about tools used for risk assessment, most participants noted reliance on Excel. There was broad interest in a European-focused audit & risk management system, with a preference for in-house or integrated solutions over outsourcing. Participants stressed that such systems should serve business needs, rather than requiring the business to adapt to the tool.
In conclusion, as organizations face an increasingly complex risk landscape, aligning internal audit and enterprise risk management efforts through a shared risk universe is essential for a comprehensive view of risks. A combined risk identification approach—blending internal insights, external intelligence, and residual risk profiling—enables the detection of internal control weaknesses and the development of effective action plans. Clear roles, responsibilities, and collaboration across assurance providers are key to managing top risks effectively. As businesses confront rising challenges like cybersecurity threats and geopolitical instability, adopting proactive, technology-driven risk management strategies is crucial.