Coordinated Assurance Frameworks – Shared Culture that Create Organizational Assurance Value Greater than the Sum of the Parts
Shane Rogers FCA, MBA
Operational Risk Leader | CA | MBA | Risk Management | Chief Audit Executive
Introduction
Most modern-day organizations have mature Internal Audit, Compliance and Operational Risk Management functions. These functions are supported by clear mandates and generally coexist well together, but as a collective set of assurance providers, are they effective? Are these teams sufficiently coordinated to generate value while avoiding unnecessary overlap or conflict?
Do management and the board understand the different types of assurance that each team provides?
In this article we will explore the case for implementing a Coordinated Assurance Framework (CAF) to help align assurance functions and increase risk awareness and responsiveness to create organizational value.
Deliver Assurance Value Greater than the Sum of the Parts
Within any organization a sense of harmony, especially among the assurance functions, is a good thing. By harmony we mean each function knowing, at a ‘big picture’ level, what the other teams are focused on, open and regular dialogue among the teams, and shared assurance objectives and risk understanding. Business stakeholders will derive value from meeting with the assurance functions together as a unit rather than having separate relationship calls.
Comradery rather than competition among the Assurance Functions is a good operating model. I worked in a large global organization for over a decade where we actively operated a CAF model. This required up-front support from the Board and Global Function Heads and helped our organization cover risks more effectively. Conversely, within an organization there is nothing more destructive to the organization’s culture than in-fighting and one-upmanship occurring within the assurance functions. Partners need to act like partners.
While each team – Governance, Operational Risk Management, Compliance, and Internal Audit – had different mandates and roles, we worked well together to share perspectives and learnings, swap resources periodically and have our voices heard and peer challenged. Uniquely, Internal Audit provides objective and independent internal control design and operational effectiveness testing backed by samples or, in our case, full data hypotheses and analysis. We often referred to it as Assurance with a Capital A! Assurance provided by the other CAF teams is equally valuable and performed by very capable people who are objective but by design aligned with the business organization more directly. Together, combining these assurance capabilities and perspectives in the right mix and at the right time will help support a well-controlled organization and a positive organizational risk culture.
Six Practical Steps to Help You Implement a Coordinated Assurance Framework
Here are six practical steps to implement a Coordinated Assurance Framework within your organization. Operating as Coordinated Assurance Partners requires an open risk culture, positive mindset, and willingness to operate and share perspectives openly across department lines. Critically, this requires leaders within these functions to be catalysts – thriving on open engagement and partnership to deliver value, beyond their own specific mandates. I make this point because at the outset having the right types of assurance leaders is a critical success factor.
STEP 1
Strive to meet with key business stakeholders together; we met our key stakeholders at least quarterly and had a shared meeting agenda (typically 1 / 2 ppt slides) and normally one rep from each Assurance team. Delivering a more integrated view of assurance activities adds value. Our meetings were about two thirds updates on: organization changes, key and emerging risks, business performance and regulatory environment; and one-third updates to the business from the CAF partners on relevant activities, outcomes and plans within our respective functions. In these relationship meetings we were in listening mode for the first 2/3rds of the meeting, but striving to share perspectives on assurance topics and insights or quarterly messages with the business allowed us to build trust, as we were demonstrating that we cared about the business outside of the formal audit cycle.
STEP 2
Meet regularly to share perspectives among your CAF colleagues; these should be by design informal calls or meetings with no set agenda other than to catch up and brief each other, share perspectives, reflect on audit or other risk review work, share operational events or regulatory developments. These meetings help to develop a shared sense of purpose and build trust among the assurance teams. Rotating the call chair can also help build accountability across the various teams.
STEP 3
Challenge key risks and emerging risks together. Shared perspectives on risks and risk impact help shape the right assurance work. We held a session like this annually with some follow-on check-ins later in the year. In our CAF calls mentioned in Step 2 above, we also used to reference and discuss any big changes in the key risk matrix, which supported each assurance function in having a grounded view on the changes in the business risk environment. This also helped develop a shared view on the key risks and inherent risk levels; while Internal Audit ultimately held its own risk assessment and audit planning pen, and could always document a different residual risk view, 95% of the time our starting point for the organization's key risks was the assessments documented by our CAF partners in Risk Management and Compliance. The ongoing demonstration of partnership, open dialogue, challenge, and active coordination among assurance functions will also be seen as a positive by your regulators.
STEP 4
Look for opportunities to perform some joint audits, reviews or projects and periodically coordinate staff rotations or job swaps. These 4–8-week stints with a different team actively support skills development and broaden experience. Internal Audit is a great learning ground given our critical thinking and use of agile and data-driven capabilities. Equally it is very important to have talent movement across the various CAF teams and the business more broadly, and a well-supported rotation program is a great way to help talent move around the organization. Over the years, we had several auditors move to careers in CAF functions and vice versa, which is a much better “people” outcome for your organization than seeing talented resources leave for external opportunities. We used to develop quarterly messages (organizational insights – typically 5-6 ppt pages) together highlighting relevant risk topics or standards that were broadly relevant to our stakeholders, for example risk and control disciplines over spreadsheets, best practices surrounding reliance on third party assurance reports, etc.
STEP 5
Have input into each other's plan and look for opportunities to learn together. Before we implemented an agile audit methodology, we would hold planning sessions to ensure all our assurance activities were prioritized and timings of reviews aligned to reduce overlap. At times review sequencing was important to coordinate. We also strived to learn together, hosting Business teach-ins across the CAF community, and sharing social events etc. to build knowledge and friendships. Once we were agile, the frequency of input from our CAF colleagues increased to at least quarterly and really helped to ensure that Internal Audit focused its efforts on key risks that mattered more here and now!
STEP 6
Develop heat maps together mapping out assurance delivered against key risks / organizational units. Having this full assurance picture for the previous 3 years could be helpful. We used to document this for one of our larger regulated businesses and it was a very useful analysis as a backdrop for our proposed assurance coverage of key risks with the Audit Committee. Indeed, the regulator of this business felt that our risks and assurance mapping in a coordinated sense was best in class. If you want to learn more about this topic, see my 2022 article on my LinkedIn profile titled “Internal Audit Game-Boards – Back to The Future?”. While the risk view for any audit plan needs to be both current and forward-looking and cross-referenced to key risks, it is very useful to map out prior audit/risk/compliance coverage and outcomes as a starting baseline.
Conclusion:
Assurance functions can provide better and more informed risk coverage to their business stakeholders by operating a Coordinated Assurance Framework. While there is no magic formula to implement a Coordinated Assurance Framework, in practice it starts with having the right mindset among the leaders of the respective assurance functions and open support from the Board and Audit Committee. To be successful, the CAF leadership and team members need to develop a shared esprit de corps – often rooted in the shared belief that we are better together. As an experienced Chief Audit Executive in Financial Services, I can attest to the value derived from having a very open, coordinated relationship and operating model among the broader assurance functions. Perspective and input from your Governance, Risk Management and Compliance colleagues will help Internal Audit to perform more focused, valuable audits and deliver better assurance to your stakeholders. Team members will be more engaged and will enjoy opportunities to swap roles with other CAF colleagues as a logical part of career progression and skills development. One other key benefit for Internal Audit – ongoing engagement with your CAF colleagues will provide a broader level of organizational buy-in and support ‘around the table’ for audit work. Coordinated assurance partners share, challenge and win together.
© Copyright 2023 – Shane Rogers FCA, MBA, all rights reserved.
About the Author:
Shane Rogers FCA, MBA, transforms traditional Internal Audit teams to be progressive and agile in their risk responsiveness and value delivery. An independent risk and audit management advisor, he is a former Audit Managing Director and US-based Chief Audit Executive with partner-level, insurance, and investment banking experience globally, and has led progressive and agile Audit teams that thrive. A Chartered Accountant and currently President of Chartered Accountants Worldwide Network USA, Shane has global experience working in large multinational organizations, including Swiss Reinsurance, CS First Boston, and Price Waterhouse. Shane has expertise in conducting Audit Function External Quality Reviews against The Institute of Internal Audit (IIA) standards and Enterprise Risk Management team assessments and positions teams to optimize business impact and value-add. He can be contacted via LinkedIn, or email [email protected]
System Safety Engineering and Management of Complex Systems; Risk Management Advisor...Complex System Risks
1 year ago
Most accidents or adverse outcomes are the result of decisions devoid of risk-based thinking, throughout the life cycle... Even loss of situational awareness... Including intentional acts, in action, in decisions... Further, we humans make things: systems, processes, procedures, operations, tasks, products, steps, instructions, literature, on and on.... When we make these things we must identify, eliminate, or control the associated risks... When we make things and do not understand the risks, system accidents and other adverse outcomes will happen... We need to design things to allow humans to be human... We need to climb out of the new boxes and apply many forms of thinking. We will make mistakes, errors, fail, lose situational awareness, get confused, fixate, be stressed, ill, so-called safety experts will be distracting, and they will also fixate, on and on...
System Safety Engineering and Management of Complex Systems; Risk Management Advisor...Complex System Risks
1 year ago
It is called system assurance engineering in development since WWII?
As a risk pro, I'll weigh in, here. Our own professional studies have shown we spend an inordinate amount of time on Financial Reporting and Compliance. The studies have shown those two risk categories have historically had the least amount of negative impact on our bottom line. The risk category that has had the BIGGEST negative impact on the bottom line and has been existential as well is-- Strategic Risk. And of course, it's the area we spend the least amount of time managing. It's called---"The Risk Paradox!" As risk pros, we have observed that the exemplar risk companies EMBED Risk-Management best practices in their day-to-day decisions. Onward!
Transformational Nonconformist-It is time to Think Differently about Risk. "It didn’t take guts to follow the crowd, that courage and intelligence lay in being willing to be different" Jackie Robinson
1 year ago
With all the scandals and fines going around, I think assurance just creates a false sense of security: https://www.dhirubhai.net/pulse/what-risk-assurance-horst-simon-risk-culture-builder/
Risk, governance, and finance
1 year ago
I fully support open, coordinated relationships with other assurance and risk-focused parties within the organization, but I rarely have found "Assurance provided by the other CAF teams is equally valuable and performed by very capable people who are objective but by design aligned with the business organization more directly." Internal Audit is unique in having the structure, standards, and support to be independent and "call it like it is." I have not found other assurance parties willing to take the very hard positions or dive into politically charged, but critical areas. 95% of the time the other assurance providers go fine, but the most critical 5% of the time they cannot be relied upon to maintain their objectivity.