Skip to main content
search

Visionary Voices

Intelligent Risk-Taking

Intelligent Risk-Taking Creates Big Opportunities

Ian Burnett
Vice President
Internal Audit & Compliance

In our latest Visionary Voices conversation, we sat down with Ian to explore how risk management drives value, particularly when it is focused on the new challenges facing an organization and the upside risks of those challenges. It’s all about being strategic and informed in the face of uncertainty.

Here’s what stood out most:

SOX and Internal Audit Aren’t the Same Thing—but Too Many People Think They Are

Ian cuts straight to a critical misconception: “Young people who did not grow up in an era when SOX didn’t exist, don’t have the context. They may not understand that internal audit and SOX are not the same thing.” While SOX importantly addresses completeness and accuracy of financial statements, it does not focus on efficiency and value optimization. Organizations that spend their entire audit budget on SOX compliance may be missing massive opportunities for strategic impact.

Ian advocates for senior management to take a strong position on SOX when engaging with external auditors:

“If management doesn’t come to the table with a point of view, the auditors will simply tell them to add more controls.”

He emphasizes the importance of pushing back when appropriate:

“Management should be asking, ‘Do we really need to add another control based on the actual likelihood of a material financial reporting impact?’”

Ian has one clear word of advice: “Don’t build your business around SOX. Build SOX around your business.”

Don’t build your business around SOX. Build SOX around your business.

Upside—or Voluntary—Risk Is About Pursuing Opportunities in a Smart, Controlled Way

Ian sees untapped potential across organizations in working across all lines of defense, not just the third line (internal audit).

Whether it’s an acquisition, the implementation of new technology, a product expansion, or entering new markets, these actions create significant opportunities—but also introduce change and uncertainty. As Ian explains:

“Any strategic move creates opportunity, but it must be approached with foresight. You have to ask, What could go wrong on this journey, and are we proactively managing the risks that come with it?

Any strategic move creates opportunity, but it must be approached with foresight. You have to ask, What could go wrong on this journey, and are we proactively managing the risks that come with it?

The Importance of Policy in Driving a Risk Culture

From the boardroom to the C-suite, organizations must clearly define how they intend to operate—and establish firm boundaries around their risk appetite.

“Wherever you can apply quantitative metrics, you should set specific risk tolerances. That way, you can actively monitor whether you’re operating within your defined boundaries.”

This top-down clarity is essential. Leadership must not only set the tone but drive a culture that aligns with the organization’s risk posture.

That’s where policy comes in. Every organization needs clearly articulated risk policies—especially when making intentional, opportunity-driven moves.

“If you’re planning to be acquisitive, launch new products, or expand into new markets—those are voluntary choices. But they still carry risk. The key is to define how you’ll manage it. Whatever the initiative, you need to have clear parameters and policies in place.”

Cloud ERP Migrations, for Instance, Offer a Massive, Missed Opportunity

When migrating to the cloud, it’s essential to consider how your processes and data will change—and to clearly define what will be managed in-house versus by external providers. Every stage of this transition introduces risk, and those risks must be managed holistically and intentionally.

One common oversight? Many system integrators fail to optimize automated controls during ERP implementations. To avoid this, organizations need dedicated controls expertise, thorough pre-implementation reviews, and a clear strategy for activating key features that support automated governance.

Taking a proactive approach ensures not only a smoother ERP transition, but also maximizes the long-term value of the investment—by embedding strong controls and governance from the outset.

Controlling Speed with AI Governance

The concept of managing the risk of technology, even when it’s moving fast, is not that much different from what we’ve always been doing and always advising clients.

When it comes to managing AI implementations, Ian offers a compelling framework: “Which cars have the best brakes in the world? Race cars. Because they go the fastest, you have to control their speed by having the best brakes.”

In other words, the underlying principles of technology risk management haven’t changed; AI just requires better, faster controls.

What Sets Our Risk Advisory Approach Apart?

It’s the combination of deep internal audit expertise with technology implementation experience. Unlike traditional audit firms focused on compliance testing, or system integrators focused on technical delivery, RGP brings both perspectives together. We work in small, agile teams that understand both the risk management frameworks and the practical realities.

As we look ahead, three trends will define the evolution risk management:

1

AI Governance Integration: Organizations need frameworks for managing AI implementations that balance innovation speed with appropriate controls—applying time-tested risk management principles to cutting-edge technology.

2

Advisory vs. Assurance Balance: Moving beyond traditional control testing to provide consulting-style advisory services on major technology investments, organizational change, and process optimization.

3

Cross-Functional Collaboration: Breaking down silos between internal audit, risk management, technology implementation, and change management to create holistic solutions for complex business challenges.

The Bottom Line

Risk management isn’t just about preventing problems—it’s about enabling intelligent risk-taking that drives business value. The organizations that recognize this evolution will unlock significant competitive advantages through optimized technology investments, better change management, and strategic risk governance.

If you’re ready to use risk management as a strategic value driver—let’s talk.

Visionary Voices is a segment of RGP’s LinkedIn newsletter, Mindshift. Each month we highlight a unique futurist who challenges us to think differently and to drive innovation. Mindshift also contains valuable research and curated content.

Mindshift: RGP'S LinkedIn Newsletter

Mindshift: RGP'S LinkedIn Newsletter

Subscribe Now for Bold New Perspectives
Insights

Insights

Bringing Internal Audit Back to Its Roots: Reclaiming Operational Skills in the SOX Era

 By Ian Burnett
Insights

Insights

Cybersecurity: What’s Keeping Your Leaders Awake at Night
Virtual Webinar

Virtual Webinar

Register Today for Navigating Risk in the Age of AI

Resources Global Professionals

Let's Talk
Privacy Preference Center
RGP logo

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change your default settings.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.