Three steps to develop organisation-wide assurance

5 min read
Aug 9, 2024

An effective assurance programme is not only predicated on the first-line business units understanding what controls are and how they're responsible for them. The enterprise level also plays a major role by collating assurance information and supporting the first line to better manage its risks.

Developing organisation-wide assurance can present a number of challenges. How, then, are companies implementing solutions to strengthen their assurance?

1. Establish accountability for assurance

"People need to believe and understand that testing the effectiveness of their controls will actually lead to an outcome, or the activity is little more than ticking boxes."
CRO, ASX energy company
Risk Leadership Network member

Risk and assurance leaders in our network have shared methodologies they are adopting to ensure the relevant stakeholders are accountable for assurance.

a) Establish custodians within the second line of the organisation

Identify people in the second line of the organisation — e.g. risk or controls owners — who should be responsible for upholding policies, frameworks and control standards that the first line is required to follow.

b) Embed control teams within first-line business units

By setting up teams in specific areas of the business that are responsible for monitoring the controls relevant to their area, larger companies can distribute more of the assurance effort to the first line.

c) Insert risk champions into business units

Instead of relying on internal audit to identify problems within the first line, place risk champions in business units who can help to identify ineffective controls at source and feed back to the risk team before internal audit even becomes involved.

d) Get first-line teams to complete ad-hoc assurance on other business units' projects

This method effectively turns first-line business units into a second-line function, ensuring that controls in place across the first line are being tested and are effective.

e) Assess which employees are interested in controls as an area of career development

This is potentially an effective way of engaging the business on controls and assurance, as you can assign controls activity to members of specific teams with an interest in controls. This will ensure that someone within each business unit is taking responsibility for assurance.

Where does this insight come from?

A number of Risk Leadership Network members have raised setting up aligned assurance as a key priority. Through a series of 1-to-1 calls and workshop-style meetings, we've been facilitating a series of collaborations for risk leaders to share approaches, discover tried and tested methods and get solutions quickly.

This article is a high-level summary of a fraction of the discussions that took place, under the Chatham House rule, in our network.

To find out more about how we work with our members, watch this short video or book a discovery call with our team.

2. Define and prioritise controls

Key takeaway:

A bottom-up process in which the first line is asked to register all of their risks and controls, without the necessary awareness of what a control actually is, can lead to an unsustainable number of controls.


Risk leaders who have experienced the problem of having too many controls say it's important to set a definition of what "good performance" looks like, and embed a common understanding of what a control is.

For example, one risk team has created a detailed, five-page guardrail document to define what a "key control" is (as opposed to a normal control).

A separate risk team doesn't draw such a distinction between controls: the only question they use to define controls is "does it mitigate risk or not?"

Once you have defined what controls are, the next step is to prioritise which controls to focus on. In larger companies with a greater number of first-line business units, there could be a vast range of controls in place, so there needs to be a system to assess which are the most important.

Below we've outlined how two companies may take a different approach to the same risk and its underlying controls.

Prioritising compliance risks: yes or no?

Company A:

Compliance risks are especially significant as regulators are now expecting much more, which is also creating additional board expectations.

To ensure these risks are being covered, the organisation is implementing an assurance plan that details what amount of assurance activity is justifiable for each of the organisation's chief compliance risks.

Company B:

Business units are often too scared of the regulator. While small breaches may lead to fines, other principal risks that could meaningfully affect the business should be prioritised if their impact profile is greater.

"Not all compliance obligations are created equal," and businesses may want to consider this when deciding which controls to prioritise.

3. Assurance maps, initiatives and systems

As well as setting accountability and prioritising controls, risk leaders are also leveraging maps, initiatives and systems to support the first line and give the second and third lines better oversight of control effectiveness. Here are three examples:

a) Assurance mapping

Drawing up assurance maps for major exposure areas within the business (i.e. risks that could have a major impact on the business' ability to continue operating) is one method of distributing assurance more proportionally across the organisation.

This gives greater autonomy to business units and helps the second line to manage the overall framework centrally, with an emphasis on ensuring those highest-impact risks are controlled.

b) Control amnesty

A "control amnesty" involves capturing every single control used by different teams around the business and testing their effectiveness.

One company that launched a control amnesty found that some teams had only four or five effective controls, which they relied on too heavily to manage their risks. Other teams, such as finance, had a much larger number of controls, some of which were duplicated or too similar.

While some teams were supported to build on their register of controls, other teams were asked to consolidate multiple controls, avoiding duplication.

c) Leveraging a risk management tool

Some organisations are using their risk management tool to:

i) determine if there are any trends in the controls tested by different teams; and

ii) identify gaps in their control framework.

Ultimately, different teams need to be consistent in how they submit control data to a system if the results of assurance activity across the business are to be analysed effectively. This requires business engagement and education, as a siloed approach to inputting control data can make it tougher to understand where your gaps are.

What's next?

Are you interested in the topic of controls assurance? We are supporting risk leaders to develop more effective and aligned assurance programmes within their respective businesses as part of our bespoke assistance service.

To learn more about the targeted collaborations we are facilitating around this topic, book an introductory call with our team.
