An aligned assurance programme can not only improve efficiencies and create increased levels of assurance, but also deliver greater business insight and added value to the decision-making process across an organisation. From assurance fatigue to creating a siloed risk function, here we bust some myths concerning aligned assurance.
Aligned assurance creates a common language to communicate risk and embed risk management across the business. But getting it right proves difficult for many risk managers, not least because they can face push-back from those who say it makes the three lines of defence obsolete, along with other concerns.
On the contrary, aligned assurance can create an environment in which each line is challenged to bring the most value to the business.
Below we have listed key questions asked - and answered - at a private member meeting last week with several of our network’s risk leaders. This meeting is part of a series on aligned assurance, complementing our series on organisational resilience, too.
There is also an accompanying case study from a member and seasoned practitioner (available for members on our Intelligence platform) that takes you through the step-by-step process of establishing an aligned assurance programme.
1. Don’t aligned assurance programmes create a siloed risk function?
While an aligned assurance programme does create a very distinct three-line system for managing risk, an effective programme will actually encourage conversation between those lines of defence rather than creating a siloed approach.
This means that each line will challenge the others if they feel a previous line has missed picking up a particular activity. But this is not about pointing fingers; it is all about constructive challenges that are aimed at improving the programme and making it more robust.
2. How do you ensure that the three lines of defence each use the same language and share the same overarching goal?
The different lines of defence do usually have different ways of talking and operating, but you are able to set a united way of thinking and talking in your risk portal. This can be difficult to establish, but taking the time to get it right is vital.
It is usually best to have a number of different tiers within the portal that roll up through the different levels of the assurance programme.
Regulation is a good example of this, as it is usually the easiest to do.
At a strategic level, regulation is a very complex and large risk, but as you roll it through the different levels of the assurance programme you can take the different parts of legislation and map them to applicable risks throughout different parts of the organisation.
This then allows people across the different lines of defence to see exactly how everything fits together, at the same time seeing how it directly impacts their line of work.
3. Does aligned assurance give you more insight into forward-looking measures?
Yes, and it does so very quickly. An aligned assurance programme not only gets more insight from the business, it also gets more insight from professional affiliations.
As a result of this insight, you are much better able to predict what’s coming down the line and can better prepare for those changes.
The output should provide a multidisciplinary view that helps the business enhance forward-looking measures, including its approach to handling emerging risks.
4. But how do you combat assurance fatigue?
You need to make sure that any interactions with the business are short and sharp so that the business doesn’t feel like it has to deal with many different programme pieces.
But by running these interactions with a multidisciplinary team you can ensure that the business still gets the benefit of all the different views, whether that be compliance, audit or risk, in one single setting.
The programme is then very much about monitoring rather than interactions that require direct input and engagement from the business.
5. And how do you ensure there are not any duplicated efforts when it comes to reporting?
Remember who your audience is for each of the reports so you create and tailor the content accordingly.
The risk committee, for example, will want to see a holistic overview of all the major risks facing the organisation. The audit committee, meanwhile, will need to see a much more detailed view of the risks affecting the audit function, but won’t need to see the detail relating to other areas of the assurance programme.
It is essentially about curating the information that is relevant to the audience you are reporting to, and not providing them with too much information on matters that are irrelevant to their role.
You might also find our tips and tricks for building an integrated assurance programme useful; they come from another member meeting in this series.