First-line management, second-line functions monitoring compliance and internal audit all gain comfort from evidence that business risk is being managed effectively. A key challenge in this is how to synthesise risk information and assurance in-line with the agreed corporate risk appetite. This clarity can be achieved with effective assurance mapping.
Good assurance mapping provides a consolidated view of assurance against each key risk, process, or function. It enables the board and audit committee to:
Effective assurance mapping can also prompt a valuable risk-management discussion, challenge and oversight from the audit committee, and provide a basis from which to plan future assurance activity.
There's also increased regulatory focus on assurance strategies. For example, the Brydon review recommends a three-year rolling audit and assurance policy for principal risks. This provides an ideal opportunity for internal audit to add value and play a role.
However, I've often seen assurance mapping that's either lacking detail or fails to deliver by being overly theoretical or engineered. In these cases, this useful tool can actually add to the complexity it is intended to cut through.
So, what does good assurance mapping look like?
The first step is to provide a one-page summary of your assurance mapping to senior stakeholders. Draft the output template and begin stakeholder communications to define expectations.
This will ensure that results can be summarised in a way that allows stakeholders to use it as an input to decision making. This includes agreeing how much assurance mapping is expected against each risk, how you will represent opinions on both the quality and coverage of the assurance and how you will show the impact of the assessments made.
Be sure to agree realistic expectations and avoid getting lost in the detail. The most effective assurance mapping is iterative and evolves as understanding increases across the business.
Provide an initial high-level overview, highlighting potential gaps that need to be addressed by management, before performing a deeper analysis.
Consider how assurance mapping can offer a deep dive on specific risk areas, such as compliance or data privacy, where assurance is generally more established or understood. Or use discrete business units as a pilot to road test and refine your approach.
There may not always be a clear delineation between first- and second-line activities. For example, finance, HR and IT blend operational management with compliance and monitoring roles.
Consider the level of reliance that can be placed on each assurance provider and how you will assess their quality and coverage. This is affected by their remit and focus, skills and competence, resources, consistency of process, oversight and reporting, and independence and objectivity.
Clarify the reasons for existing assurance activities. Are they:
This will help determine what assurance activities are designed for, and whether they can be changed.
Not all functions you have defined as second-line will agree or understand what that role involves.
We often have discussions with functions that agree they are responsible for setting policy, but not that they have a role in defining processes and controls, or in monitoring compliance. We also see many second-line functions that focus on specific areas of the business, such as divisions or regions, with a much looser understanding of areas outside the adopted boundary.
Internal audit must continue to drive high-quality challenge around the risk and assurance agenda. The discussions and actions that follow are essential to helping boards deliver better and more efficient governance.
If you would like to discuss how you could improve your assurance mapping, or risk management frameworks generally, contact Eddie Best.