
Leveraging Your SOX Program to Advance Connected Risk
Alejandro Anievas shows how SOX programs can serve as a practical starting point for connected risk by leveraging existing controls, processes, and relationships to build momentum across the business.
By Alejandro Anievas
A recent discussion on the Internal Audit Collective got me thinking: How many Internal Audit teams are building connected risk programs with no playbook, figuring it out as they go?
Connected risk refers to a practical, evolving approach to risk management in which risks, controls, and issues across different domains are actively linked, coordinated, and contextualized in aggregate, not in isolation. The IAC conversation was about how to implement integrated risk management (a concept closely aligned with connected risk) when the second line of defense was barely off the ground. The thread reminded me that teams at many different stages of maturity are working to introduce or advance connected risk in their organizations. It can be incredibly challenging to know where to begin.
Over the past 15+ years, I’ve worked with many companies standing up risk functions, formalizing second-line roles, and trying, often painfully, to link up SOX, compliance, audit, and operational risk into something coherent. In my role, I’ve helped teams build practical momentum and successfully embed sustainable risk practices that leadership can trust (and you can too!).
If that’s where you are — or where you’re headed! — it might help to know that SOX is a great starting point. In fact, your SOX program has the tools and processes you need to quietly build a great foundation for connected risk across your organization. Below are some key lessons from the field for risk leaders in early-stage environments looking to advance connected risk in their organizations.
If You Have a SOX Program, You’re Off to a Good Start
SOX is structured. It has documented risks, controls, and owners. It also gives you something other risk domains don’t: established, repeatable processes, institutional familiarity, and a governance program already in place. These are foundational elements for connected risk.
Many of your organization’s stakeholders already know your team and processes, and they understand basic SOX risks and controls. The main need now is to better socialize SOX-type processes with stakeholders who aren’t typically in scope for SOX compliance (e.g., operations, non-financial-reporting compliance activities). Here’s how.
3 Practical Steps SOX Teams Can Take to Get Started With Connected Risk
1. Use Your SOX RACMs to Unify Risks and Controls
Your existing SOX risk and control matrices (RACMs) can be your blueprint for documenting and managing RACMs for your organization’s other key controls. After all, SOX RACMs are what good looks like.
Think of it this way. Your SOX team maintains highly detailed RACMs, complete with risk and control descriptions, control attributes, frequency, testing approach, and so on. Why not identify the other important controls being performed in your organization and use the same framework to build out and maintain those controls? If they are important enough to rely on, they are important enough to document with the same level of rigor.
In most companies, SOX controls are the best-documented and most well-understood controls. Control activities are centralized, control owners understand their responsibilities, and end users have the opportunity to update and certify their controls. This creates a single source of truth that makes it easier for control owners to perform their controls and less likely that those controls will be found deficient.
2. Leverage SOX’s Issue Management Process Across the Business
Similarly, your SOX team already has a solid issue tracking and remediation process. You also have something very few people in the business can claim: independence and objectivity. This makes SOX's issue management process an ideal way to centralize issue management across the business, another key component of connected risk.
Many companies have siloed teams that are separately tracking the same issues. They’re duplicating efforts and creating disconnected (and potentially conflicting) data. The better path: Combine efforts and create a single source of truth by using SOX’s independent validation process to consolidate issue management. That way, Internal Auditors give issue owners more comfort about validation — and one less thing to do.
Even if it's just a spreadsheet, consolidate all open issues, owners, and validation steps, and keep each team's original reference (deficiency number, finding ID, ticket number) on the consolidated entry so the issue can be traced back to its source. Highlight recurring root causes. Flag issues that span departments. Make sure the issue log is accessible to everyone who needs to update it. If you can do that in Excel, you're already winning. Technology can come later, and will even work better once you've laid the groundwork.
With one client I worked with, this simple consolidation made SOX the go-to team for issue tracking and follow-up. And that visibility mattered. It gave leadership clearer insights, reduced duplicative work across teams (including issue reporting), and positioned SOX as a trusted hub for enterprise-wide risk coordination.
3. Connect Risks and Controls to Enterprise Themes
SOX dives into the weeds of risks like user access, journal entries, and reconciliations. However, zooming out, SOX teams are able to draw connections to broader enterprise risks such as fraud, reputational damage, and operational resilience. This helps leadership see that SOX isn’t isolated, but rather underpins critical enterprise priorities. The way your SOX team ties SOX-related risks and controls to enterprise risks provides another connected risk blueprint.
Your SOX team already links its controls to financial reporting. SOX controls are linked to specific risk statements at various levels, making it easy to tie those lower-level risk statements to enterprise risks. So, if you’re documenting your company’s other important controls in the same way you document SOX controls, you’ll also be capturing specific compliance and operational risk statements. That will make it much easier to associate those controls with enterprise risk themes.
Mapping SOX risks to operational areas (e.g., access management, change control, segregation of duties) is a great place to begin. When mapped, you will see themes appear across different processes. Use those overlaps to build common language and credibility.
Show teams how specific controls help them prevent fraud, reduce downtime, ensure compliance, or improve coverage. The more you connect detailed risks to strategic outcomes, the more traction you’ll gain.
At one organization, we mapped a SOX control failure around user access provisioning in the general ledger system to broader operational risks in IT and HR. The investigation revealed that delays in offboarding employees were not just a financial reporting issue, but also posed a security risk across multiple systems. This connection prompted cross-departmental collaboration to streamline the offboarding process, strengthening both financial control and enterprise-wide access governance.
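As an added illustration (not code from the article), the script below shows what step 3 looks like once non-SOX controls are documented in the SOX RACM format: a single table holds a SOX ITGC on GL access alongside non-SOX HR offboarding and identity controls, and the same "themes" attribute rolls all of them up to enterprise risks. The rows, control IDs, field names and theme labels are constructed for this example and are not the author's template; the GL access and offboarding rows mirror the anecdote above.

```python
"""Roll SOX and non-SOX controls, documented in one RACM format, up to
enterprise risk themes. Constructed example data: field names, control IDs
and theme labels are assumptions, not the article's template."""
from collections import defaultdict

# Every row carries the same attributes, whether or not it is in SOX scope.
REQUIRED_FIELDS = ("control_id", "process", "scope", "risk", "control",
                   "frequency", "themes")

# Constructed RACM rows. "themes" is the link to enterprise risk.
RACM = [
    {"control_id": "ITGC-01", "process": "General Ledger", "scope": "SOX",
     "risk": "Terminated users keep GL access and post unauthorised entries",
     "control": "HR termination feed drives GL deprovisioning within 1 business day",
     "frequency": "Daily", "themes": {"Fraud", "Access Governance"}},
    {"control_id": "ITGC-02", "process": "General Ledger", "scope": "SOX",
     "risk": "Unapproved changes reach the production GL",
     "control": "Change tickets approved before promotion",
     "frequency": "Per change", "themes": {"Operational Resilience"}},
    {"control_id": "FIN-05", "process": "Financial Close", "scope": "SOX",
     "risk": "Manual journal entries posted without review",
     "control": "JEs above threshold require controller approval",
     "frequency": "Monthly", "themes": {"Fraud"}},
    {"control_id": "HR-03", "process": "HR Offboarding", "scope": "non-SOX",
     "risk": "Offboarding delays leave accounts active across systems",
     "control": "Offboarding checklist closed within 24h of last working day",
     "frequency": "Per event", "themes": {"Access Governance"}},
    {"control_id": "IT-07", "process": "Identity Management", "scope": "non-SOX",
     "risk": "Orphaned accounts go undetected",
     "control": "Quarterly reconciliation of accounts against the HR master",
     "frequency": "Quarterly", "themes": {"Access Governance", "Operational Resilience"}},
    {"control_id": "PROC-02", "process": "Procurement", "scope": "non-SOX",
     "risk": "Vendor bank details changed without approval",
     "control": "Dual approval for vendor master changes",
     "frequency": "Per change", "themes": set()},
]


def incomplete_rows(racm, required=REQUIRED_FIELDS):
    """Control IDs whose row lacks an attribute the SOX format expects:
    the 'same level of rigor' check for newly documented controls."""
    return [row.get("control_id", "?") for row in racm
            if any(f not in row for f in required)]


def controls_by_theme(racm):
    """Each enterprise theme with the controls, SOX or not, that support it."""
    out = defaultdict(list)
    for row in racm:
        for theme in row["themes"]:
            out[theme].append(row["control_id"])
    return dict(out)


def processes_by_theme(racm):
    """Each theme with the set of business processes in which it appears."""
    out = defaultdict(set)
    for row in racm:
        for theme in row["themes"]:
            out[theme].add(row["process"])
    return dict(out)


def shared_themes(racm, min_processes=2):
    """Themes recurring across at least min_processes processes: the overlaps
    the article suggests using to build a common language."""
    return sorted(theme for theme, procs in processes_by_theme(racm).items()
                  if len(procs) >= min_processes)


def unlinked_controls(racm):
    """Documented controls with no enterprise theme yet, i.e. not connected."""
    return [row["control_id"] for row in racm if not row["themes"]]


if __name__ == "__main__":
    for theme, ids in sorted(controls_by_theme(RACM).items()):
        print(f"{theme}: {', '.join(ids)}")
    print("Shared across 3+ processes:", shared_themes(RACM, 3))
    print("Not yet linked:", unlinked_controls(RACM))
```

In this constructed data, "Access Governance" is the one theme that spans three processes (GL, HR offboarding, identity management), which is exactly the kind of overlap that justifies a cross-departmental conversation, and PROC-02 surfaces as a control that is documented but not yet tied to any enterprise risk.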
Tips for Opening Doors and Ensuring a Smooth Start
1. Aggregate What You Already Know
SOX teams have access to a tremendous amount of data. So, before building a risk register, look at what you already have (e.g., deficiencies listing, internal audit findings, compliance issues, IT incidents). Bring it all together and look for patterns.
You don’t need a perfect model. You just need to show leadership what’s trending and where risk is concentrated.
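The consolidation described under step 2 and the "aggregate what you already know" tip above both come down to the same exercise: pull several teams' logs into one register, collapse duplicates while keeping every source reference, and look for patterns. The script below is an added example, not the author's spreadsheet or template; the three source logs and their differing column names are constructed to show the same issue being tracked separately by SOX, Internal Audit and IT.

```python
"""Consolidate siloed issue logs into one register and surface patterns.
Constructed example: the source logs, IDs and column names are made up and
are not the article's template."""
import re
from collections import Counter

# Constructed source logs, each in its own team's schema.
SOX_DEFICIENCIES = [
    {"ref": "D-101", "control": "ITGC-01", "owner": "IT", "status": "Open",
     "description": "Terminated user retained GL access for 14 days",
     "root_cause": "Offboarding delay"},
    {"ref": "D-102", "control": "FIN-05", "owner": "Finance", "status": "Open",
     "description": "JE approval evidence missing for March",
     "root_cause": "Evidence retention"},
]
AUDIT_FINDINGS = [
    {"id": "IA-22-07", "department": "HR", "state": "In remediation",
     "title": "Terminated user retained GL access for 14 days",
     "cause": "Offboarding delay"},
    {"id": "IA-22-09", "department": "IT", "state": "Open",
     "title": "Privileged accounts not reviewed quarterly",
     "cause": "No owner assigned"},
]
IT_INCIDENTS = [
    {"ticket": "INC-4410", "team": "IT", "status": "Closed",
     "summary": "Former contractor VPN account still active",
     "rca": "Offboarding delay"},
    {"ticket": "INC-4477", "team": "IT", "status": "Open",
     "summary": "Terminated user retained GL access for 14 days",
     "rca": "Offboarding delay"},
]

# (source name, rows, id field, description field, department field,
#  root-cause field, status field): maps each team's schema onto one shape.
SOURCES = [
    ("SOX", SOX_DEFICIENCIES, "ref", "description", "owner", "root_cause", "status"),
    ("Internal Audit", AUDIT_FINDINGS, "id", "title", "department", "cause", "state"),
    ("IT", IT_INCIDENTS, "ticket", "summary", "team", "rca", "status"),
]


def _key(text):
    """Normalise free text so the same issue logged by two teams collides."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()


def consolidate(sources=SOURCES):
    """One entry per distinct issue, keeping every source reference and every
    department that tracks it; anything not marked Closed counts as open."""
    register = {}
    for name, rows, id_f, desc_f, dept_f, cause_f, status_f in sources:
        for row in rows:
            issue = register.setdefault(_key(row[desc_f]), {
                "description": row[desc_f], "refs": [], "departments": set(),
                "root_causes": set(), "open": False})
            issue["refs"].append(f"{name}:{row[id_f]}")
            issue["departments"].add(row[dept_f])
            issue["root_causes"].add(row[cause_f])
            issue["open"] |= row[status_f].lower() != "closed"
    return list(register.values())


def cross_department(register):
    """Issues tracked by more than one department: the duplicates to merge."""
    return [i for i in register if len(i["departments"]) > 1]


def recurring_root_causes(register, min_count=2):
    """Root causes shared by at least min_count distinct issues."""
    counts = Counter(c for i in register for c in i["root_causes"])
    return sorted((c, n) for c, n in counts.items() if n >= min_count)


def open_issues(register):
    return [i for i in register if i["open"]]


if __name__ == "__main__":
    reg = consolidate()
    print(f"{sum(len(s[1]) for s in SOURCES)} log rows -> {len(reg)} issues")
    for i in cross_department(reg):
        print("Spans", sorted(i["departments"]), "->", ", ".join(i["refs"]))
    print("Recurring root causes:", recurring_root_causes(reg))
```

Six log rows become four issues; the GL access problem is tracked three times under three different IDs by two departments, and "offboarding delay" emerges as a root cause behind more than one issue. Matching on normalised description is deliberately simple and will miss the same issue written up in different words, so a real register still needs an analyst to confirm matches before entries are merged.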
2. Don’t Boil the Ocean
You don’t need to roll your efforts out company-wide and all at once. Instead, pick a few friendly teams and build a lightweight process. When others see it working, they’ll want in.
For example, at one organization, we started with just the IT and Procurement departments. We helped them map out non-SOX operational controls using the existing SOX RACM format. That provided them with a clearer view of shared access risks and control gaps, which led to faster remediation and (after we told everyone about our success) sparked interest from other departments to join the initiative.
After all, if your organization is early in its risk journey, you're not behind — you're building. And if you’re running a SOX program, you already have a solid foundation.
3. Start Small and Stay Consistent
You don't need to build a steering committee right away. If you start talking to potential steering committee members and saying words like "connected risk," they're probably going to look at you like a deer in headlights. Instead, start small. Initiate a conversation, show up prepared, highlight what you can do, and build momentum over time. Make the process lighter, not heavier. Use what you already know to focus on helping the business, not grading it.
Approach teams with information you’ve already prepared using the three steps I outlined. Use it to build your business case, start or strengthen relationships, and slowly expand your connected risk efforts. You can also consider starting with a quarterly call. At one company, we began with one question: “What are you worried about this quarter?” That simple conversation between Finance, Legal, Operations, and IT opened lines of communication and built real momentum.
4. Frame Your Role as “Support,” Not Oversight
When the business hears “risk,” they may think you’re taking over. You'll need to clarify that your role is not to own their risk, but to support them in owning it by providing structure, visibility, and escalation. The hope is that the shift in tone builds trust and keeps doors open, helping to reduce resistance.
And if you've already completed the three steps above, you'll have proof that you're genuinely there to help.
5. Find Agreement on the Definition of Risk
Although this may sound easy, many stakeholders see risk differently. Their views may be broader or narrower than yours. No matter the viewpoint, coming to a mutual understanding is vital.
Use SOX as Your Connected Risk Launchpad
If you’re already running a SOX program, you’re sitting on a strategic advantage. You have the language, structure, and governance needed to lay the groundwork for connected risk in your organization.
The path doesn’t have to be complex. By unifying risks and controls through your SOX RACMs, centralizing issue management, and linking financial controls to enterprise risk themes, you’re helping leadership make better decisions faster.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern SOX program.
3. The Internal Audit Collective Community: An online, managed community for gaining perspectives, sharing templates, expanding your network, and keeping a pulse on what's happening in Internal Audit and SOX compliance.