On our side, IA does their own, independent audit risk assessment which they use to plan their audit schedule, auditable hours, etc. IA doesn't request that much information from us as the heads of various BUs. Occasionally they will ask for "As of" of certain KPIs and KRIs, but that's it.
Separate from the above, our ERM team sends RCSAs to each BU Head, and the RCSAs request a lot of information, along with current data points for all relevant KPIs and KRIs. This information is used to complete an ERM Dashboard which is distributed at risk committee and board meetings.
Originally we had a universal RCSA and certain items would be marked as N/A when appropriate. After some regulatory criticism, the ERM team came back with tailored RCSAs to each BU. The RCSAs are very in-depth, and the ERM team will conduct periodic reviews of the responses and data we provided. It's a very in-depth process and we spend a lot of time with our CRO to make sure everyone is aligned and on the same page.
_________________________
"100 victories in 100 battles isn't the most skillful. Subduing the other's military w/o battle is the most skillful." Sun-Tzu