Assurance functions are on the rise. With continued proliferation in global regulations and increased public scrutiny of corporate behavior, companies have made significant investments in assurance programs (e.g., compliance, information security, quality) and control systems. These investments are made to identify and manage the operational, compliance and reputational risks that affect an enterprise’s financial results and brand value.
Unfortunately, despite these investments, legal and other assurance executives like compliance officers and information technology executives feel no more capable of managing risks today than they did 10 years ago. This can largely be traced to the fact that the process of managing risk is complex, and there are often assurance mandates and requirements that overlap between teams. This overlap leads to boards that lack visibility into corporate risks, business leaders who are more risk averse and employees who struggle to get work done while navigating compliance requirements.
So what’s the answer? For most companies, it’s coordinated assurance.
A common definition of coordinated assurance is organizing and aligning assurance processes across functional boundaries to maximize operating efficiency while 1) managing risk and governance within company’s risk appetite and 2) providing holistic visibility and assurance to the board, regulators and customers. Done well, the system accomplishes the goals of corporate assurance – providing assurance, visibility and intelligence – while limiting the direct and indirect costs of doing so.
Those unfamiliar with coordinated assurance may struggle to see how it works in practice or understand what good looks like. To help, we’ve identified four key components that define successful coordinated assurance.
Component 1: Integrated Risk Management Framework — Coordinated assurance requires a common understanding of the company’s risk universe, risk ratings, rules for oversight ownership and guidelines for when new risks are added to the framework.
Component 2: Shared Work and Information — Rather than buying or creating new systems and surveys to manage risks, leading companies use existing datasets to obtain that intelligence. Sharing risk information from these datasets across teams helps all assurance functions understand the risk environment and supports mutual conclusions about risk and resource allocation. Taking it one step further, assurance functions can coordinate a schedule of on-site reviews and use each other’s work to avoid duplicating efforts.
Component 3: Activity and Control Rationalization — Coordinated assurance requires processes for reducing duplicative activities. This includes collecting only vital risk information and avoiding repetition of questionnaires and assessments. If two teams must collect the same information, they should ensure the data definitions and metrics of separate surveys are consistent and business leaders do not receive multiple requests at one time.
Component 4: Coordinate Risk Reporting — Assurance partners should coordinate when they deliver risk reports to management and the board and ensure that the reports tell a cohesive story. Reporting timing should also support corporate decision-making and annual planning cycles whenever possible.
Coordinated assurance isn’t easy, and to do it right takes effort – in fact, only 10 percent of assurance leaders believe their company’s risk management functions are integrated – but it’s not impossible. To get started, assurance leaders should work on three things.
Current assurance silos create overlapping mandates and internal bureaucracy while making it difficult to develop a holistic picture of risk. Not only does a coordinated approach to assurance make it easier to get that view, but it also helps reduce the total cost of risk management and support achievement of long-term objectives.
 Adapted from King Report on Governance for South Africa, african.ipapercms.dk/IOD/KINGIII/kingiiicode.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Abbott Martin is a research leader for compliance, legal and data privacy at CEB, now part of Gartner. He has worked with leading corporations to research and improve compliance and ethics program performance with a focus on risk management, training and communication and corporate culture. Abbott holds a BA in Economics from Johns Hopkins University.