An effective assurance programme not only helps provide certainty around an organisation’s risk management, but it can also improve efficiencies and create a more unified business.
Here we break down three key considerations when building an integrated assurance programme, taken from a private meeting with several of our network’s risk leaders as part of a series of meetings on aligned assurance (the full write up of which can be found by members in the Intelligence platform).
1. Think ahead
When it comes to planning an integrated assurance programme, organisation is key. Try to combine complementary programmes together in order to minimise disruption and improve overall efficiencies.
By combining programmes with similar scope, you can reduce the need for multiple interviews on the same topic, or limit the amount of time an area needs to be closed.
Likewise, it is always best to separate conflicting assurance programmes, such as tactical and strategic-based activities, with tactical programmes best carried out first to allow the conformance-based intelligence to inform the performance-based analysis.
2. Engage stakeholders
Integrated assurance programmes can follow a three-two-one-one delivery method to improve stakeholder engagement:
- Three months out – notify the site about the assurance activity being organised, with a focus on collaboration
- Two months out – carry out a scoping session with the on-site team which actively engages the general manager and relevant members of their team to ensure their key areas are considered and incorporated into the scope of the programme
- One month out – carry out logistics scheduling to identify common conversations so that if the same person is needed for various elements of the programme, these can be scheduled for the same time
- One month after – agree an action plan and objectives from the findings with managers and relevant stakeholders, including what signals and signal monitoring you might need to implement
3. Record progress
You should record findings from an assurance programme on one system, but where this is not possible, the exceptions need to be made clear so people are not under the impression that they are working with a complete dataset.
It is also useful to coordinate programme reporting across the entire line of defence using three key metrics:
- Delivery – has the plan been delivered in line with the approval that was directionally given by the risk management committee?
- Acceptance – this looks into how accepting management is of a programme’s finding, and whether or not it has been difficult or time-consuming for that report to be accepted.
- Gap closure – are the gaps being closed in line with the agreed plan of action?
We've also got a post on three tips for creating a combined assurance programme you might find useful.
Are you an in-house risk manager who could benefit from collaborating with a global network of risk leaders? Find out what's included in Risk Leadership Network membership here.
