Creating a combined assurance function is about finding a holistic way to manage risk and raise the level of assurance over your organisation's risk controls. This is achieved by bringing the risk and audit functions together into one business unit in order to improve efficiency and remove duplicated effort.
While this is an important process, it can also become complicated if it is not approached in the right way.
Here, I've distilled three top tips for establishing a combined assurance function, taken from a case study conversation with one of our network's risk leaders (the full write-up of which can be found by members in the Intelligence platform).
1. Understanding your risks
The first step in creating a combined assurance function is to gain a proper understanding of the risks facing your organisation.
In addition to knowing which risks sit within your risk register, you also need to know who within the organisation is assuring each risk, and who the assurance providers are.
You can then move on to categorising your risk controls by the level of assurance built into each measure.
Independence is an important factor here: the more independent the assurance provider is of the activity being assured, the higher the level of assurance it offers.
Other factors to consider include the complexity of the assurance work, and whether the assurance providers are bound by any professional or ethical standards.
2. Deciding on levels of assurance
Within this new framework you need to look at the different types of assurance you have in place, and whether each is appropriate to the risk it covers.
The highest levels of assurance should be reserved for risks that pose a threat to life or could have a severe financial impact on the business.
For less significant risks, you may decide to put in place lower levels of assurance in order to preserve resources that could be better deployed elsewhere in the organisation.
You may also choose to accept lower levels of assurance for controls you already know have gaps or inefficiencies. Effort then goes into improving those controls rather than into assuring the operation of a control that has already been judged ineffective.
3. Creating a unified approach
When bringing the various risk and audit functions together into one cohesive unit, it is important to ensure that they learn to work together in a unified manner.
To achieve this, it is useful to have all of the assurance, compliance, risk and audit functions reporting to one executive.
It is equally important, however, to maintain the independence of the audit function. The head of the audit function should therefore also have a direct reporting line to the chairman of the audit committee.