In most organizations, with the start of a new calendar year, we are asked to set goals for the upcoming year. Hopefully, we meet with our managers on a regular basis to review these goals, and at the end of the year, we self-report on the achievement of goals.
This process is as old as … well… internal audit, but are we setting the right goals? Will the achievement of these goals help us evolve in an age where the pace of change is staggering?
I was recently re-acquainted with the idea of Objectives and Key Results (OKRs) and how many organizations use OKRs to create 10X growth or change. Google, LinkedIn, Twitter and other organizations have used this process for goal setting for years and the results have been pretty amazing. So how could OKRs help Internal Audit with their goals?
First off, let's understand the basics of OKRs. Set 3 to 5 high-level objectives that link back to a key strategy. Then define 3 to 5 key measurable results that when attained guarantee that you have met the high-level objective. These are team goals, not just personal goals, to ensure everyone is rowing in the same direction. Then, as a team, meet at least quarterly to assess your progress. You will rate the key results from 0 to 100 on achievement. Sounds simple right? The key is picking the right objectives.
As an example, your Internal Audit team knows that the audits you add to your audit plan in January may not be as relevant as you approach the end of that audit plan year. You know this means that senior executives and your Audit Committee wonder if re-assessing more frequently would ensure the right risks are being reviewed at the right time. Essentially, the team needs to demonstrate adaptably or agility. Let's set up an OKR for that.
Objective: Increase the frequency and efficiency of risk assessment and confirmation of the audit plan to be quarterly.
- During the first week of each quarter, publish a Risk Self-Assessment (RSA) to the areas of the business related to our top corporate objective(s).
- Report the completion rate of RSA to senior executives and the Audit Committee and highlight any business areas with no to low responses within 5 business days of the RSA closing.
- Review the trends and changes in risk scores and propose any changes to the Audit Plan within 10 business days of the RSA closing.
- Update the Audit Plan with approved changes within 15 business days of the RSA closing.
- Identify at least one change to this process every quarter that would improve efficiency or decrease the total elapsed time from RSA publishing to approved and updated Audit Plan.
The above is a small but tangible example of how OKRs work. Organizations that get really good at OKRs then start planning for BHAGs (Big Hairy Audacious Goals), that is where the 10X factor comes in. Is your Internal Audit team in need of taking the step towards automating and you want to achieve this within the next 6 months - set an OKR.
Is your Internal Audit team looking to lead your organization to Combined Assurance maturity - set an OKR with quarterly goals. Perhaps your team goals are far higher reaching and you are looking to incorporate technologies like artificial intelligence or robotics process automation to expand your coverage and automate repetitive tasks. This sounds like the perfect time to implement OKRs with your team.