4 Key Components
The number of distinct assurance functions has nearly doubled over the last 10 years, but only 10 percent of assurance leaders believe that their company’s risk management functions are currently integrated. Unfortunately, despite investments in these functions, the lack of integration leaves general counsel and compliance officers feeling no more confident in managing risks today than they have in the past.
Assurance functions are on the rise. With continued proliferation in global regulations and increased public scrutiny of corporate behavior, companies have made significant investments in assurance programs (e.g., compliance, information security, quality) and control systems. These investments are made to identify and manage the operational, compliance and reputational risks that affect an enterprise’s financial results and brand value.
Unfortunately, despite these investments, legal and other assurance executives like compliance officers and information technology executives feel no more capable of managing risks today than they did 10 years ago. This can largely be traced to the fact that the process of managing risk is complex, and there are often assurance mandates and requirements that overlap between teams. This overlap leads to boards that lack visibility into corporate risks, business leaders who are more risk averse and employees who struggle to get work done while navigating compliance requirements.
So what’s the answer? For most companies, it’s coordinated assurance.
A common definition of coordinated assurance is organizing and aligning assurance processes across functional boundaries to maximize operating efficiency while 1) managing risk and governance within company’s risk appetite and 2) providing holistic visibility and assurance to the board, regulators and customers.[1] Done well, the system accomplishes the goals of corporate assurance – providing assurance, visibility and intelligence – while limiting the direct and indirect costs of doing so.
Those unfamiliar with coordinated assurance may struggle to see how it works in practice or understand what good looks like. To help, we’ve identified four key components that define successful coordinated assurance.
Component 1: Integrated Risk Management Framework — Coordinated assurance requires a common understanding of the company’s risk universe, risk ratings, rules for oversight ownership and guidelines for when new risks are added to the framework.
Component 2: Shared Work and Information — Rather than buying or creating new systems and surveys to manage risks, leading companies use existing datasets to obtain that intelligence. Sharing risk information from these datasets across teams helps all assurance functions understand the risk environment and supports mutual conclusions about risk and resource allocation. Taking it one step further, assurance functions can coordinate a schedule of on-site reviews and use each other’s work to avoid duplicating efforts.
Component 3: Activity and Control Rationalization — Coordinated assurance requires processes for reducing duplicative activities. This includes collecting only vital risk information and avoiding repetition of questionnaires and assessments. If two teams must collect the same information, they should ensure the data definitions and metrics of separate surveys are consistent and business leaders do not receive multiple requests at one time.
Component 4: Coordinate Risk Reporting — Assurance partners should coordinate when they deliver risk reports to management and the board and ensure that the reports tell a cohesive story. Reporting timing should also support corporate decision-making and annual planning cycles whenever possible.
Getting Started with Coordinated Assurance
Coordinated assurance isn’t easy, and to do it right takes effort – in fact, only 10 percent of assurance leaders believe their company’s risk management functions are integrated – but it’s not impossible. To get started, assurance leaders should work on three things.
- Establishing Goals and Structure — Coordinated assurance requires clear goals, structure and commitment. Each part of the team needs to agree on project scope and objective, and one person must be appointed to lead the integrated effort.
- Building Processes and Trust Across Assurance Functions — Each assurance function has specific concerns and needs that they can’t (or won’t be willing to) easily sacrifice to create a more streamlined corporate process. The functions need to work together to create a set of governing rules that makes everyone comfortable that their concerns won’t be neglected while working toward better coordination and alignment.
- Creating a Roadmap — Once goals, structure and trust have been built, the real work of coordination can begin. By sharing activity schedules, calendars and risk reporting dates, assurance partners can begin to identify where gaps, duplication and natural alignment exist.
Current assurance silos create overlapping mandates and internal bureaucracy while making it difficult to develop a holistic picture of risk. Not only does a coordinated approach to assurance make it easier to get that view, but it also helps reduce the total cost of risk management and support achievement of long-term objectives.
[1] Adapted from King Report on Governance for South Africa, african.ipapercms.dk/IOD/KINGIII/kingiiicode.