The Art of Stakeholder Buy-in: Making Risk and Compliance Conversations More Effective by Dr Precious Oshideko

In many instances, clients and stakeholders push back on findings and exceptions identified during testing engagements, whether related to regulatory compliance or internal control assessments.
As risk consultants and IT Auditors, it is our responsibility to effectively communicate the risks associated with these findings in a way that is clear and actionable. This means avoiding excessive technical jargon that may obscure the message, ensuring that clients fully understand both the nature of the issue and its potential impact on the organization.
Risk professionals and IT Auditors must articulate the consequences of an identified exception in terms that resonate with business stakeholders. These impacts may include:
• Regulatory Penalties – The risk of non-compliance leading to fines or legal repercussions.
• Cybersecurity Vulnerabilities – Exposure to both internal and external threats due to control weaknesses.
• Reputational Damage – Negative media coverage or a decline in public trust due to security lapses or compliance failures.
To ensure productive discussions, risk professionals should prepare thoroughly for stakeholder meetings, framing the conversation in a way that fosters collaboration rather than confrontation. Instead of adopting an enforcement-focused approach—akin to a police officer uncovering a crime scene—these discussions should be positioned as educational opportunities that help clients understand and address risks proactively. The goal of these conversations should be to gain stakeholder buy-in, reinforcing the importance of risk mitigation while fostering a cooperative and solution-oriented mindset.
Enhancing Cybersecurity Resilience with Effective Control Documentation by Dr Precious Oshideko
As organizations implement various security tools to mitigate cybersecurity risks and comply with internal controls and regulatory requirements, it is crucial to ensure that these tools are properly configured and managed. However, beyond implementation, the most critical aspect is the continuous testing and monitoring of controls to confirm that they are appropriately designed and operating effectively.
One significant risk that I have observed in this process is the lack of proper documentation for control descriptions. Without clear and well-documented control descriptions, it becomes difficult to assess whether they effectively mitigate the associated risks and whether they can be reliably tested.
Throughout my career, I have frequently challenged control description documentation, the testability of the controls, and their effectiveness in addressing related risks.
To strengthen cybersecurity and risk management, control owners, system owners, and risk professionals must work collaboratively to ensure that key controls, especially those considered single points of failure, are:
1. Clearly Documented: The control description should state what process is being executed, who executes it, how frequently it is executed, why the control exists, and the repository or tool where evidence of execution is logged.
2. Testable: Controls must be documented in a way that allows the control tester to test each of the attributes listed above against appropriate evidence, in order to validate both the design and the operating effectiveness of the control.
3. Effective in Mitigating Risk: The primary objective of a control is to reduce risk. The control should be aligned with the identified risk it addresses, and executing the control should demonstrably mitigate that risk.
Conclusion
By prioritizing comprehensive documentation of control description and ongoing assessment, organizations can enhance the effectiveness of their cybersecurity measures and maintain a strong security posture in an ever-evolving threat landscape.