How to implement an aligned assurance model to build a collective view of risk

Aligned assurance is the correlation of risk, controls and a broader view of the control environment across the three lines. It’s not a new concept by any stretch — but that doesn’t make it any easier for organisations to implement the approach. The effort is worthwhile, though, because it can create multiple benefits, from giving stakeholders a common view of risks and issues across the organisation to reducing repetitive, manual testing, which allows more focus on high-value activities.

In a recent Protiviti webinar on aligned assurance, only 14% of the audience members, which included risk managers and internal auditors, reported that collaboration across the three lines is “highly integrated” (i.e., frequent) in their organisation. So, there is clearly room for improvement — and implementing an aligned assurance model can help.

One of the most valuable outcomes of the aligned assurance journey is getting stakeholder groups from across the organisation to speak the same language about risks, controls and other critical issues. That doesn’t mean that everyone shares the same perspectives on these issues, or even that there is total alignment in all aspects, but that there is alignment for core aspects and definitions and robust across-the-lines communication, collaboration and coordination. That leads to more constructive discussions and collaboration around improving governance and risk management and optimising operating efficiency and the coverage of assurance.

So, how do you build that collective view of risk that’s derived from multiple risk, control, compliance and assurance functions — each one providing a unique perspective — to achieve more effective risk management? Here’s an overview of the framework that Protiviti recommends:

1. Standards and Framework

This first step involves setting the structure that the organisation will use to create alignment around assurance — including the taxonomy to measure, test and gather information and build sustainable systems. A thoughtful strategy and significant degree of coordination (and even compromise) are vital for achieving alignment across the three lines given that each group comes to the process with deeply entrenched ways of looking at and talking about risks and controls from its specific vantage point.

2. Risk Identification and Planning

This is an area where we see many companies eager to achieve synergies. Depending on their industry, organisations have different levels of focus around the ability of their first and/or second lines to perform risk assessments on a rolling basis and have a point of view on what the key risks are for the business.

Creating a strong risk framework from the outset and using it consistently, including as the organisation goes through change, can help ensure that what’s important to various stakeholders in the risk assessment process doesn’t get lost and that a coordinated point of view on risk is still arrived at in the end.

3. Control Identification and Testing

This is the point in the aligned assurance journey where it’s obvious that synergy must occur. But to optimise testing and avoid unnecessary or inefficient overlaps (or, indeed, gaps) in efforts across the three lines, businesses need to step back and understand exactly:

• What they are testing and why
• What the testing is designed to accomplish
• How often they are testing
• Who is performing the testing

Ironically, while the initial objective is eliminating redundancy, when taking stock of their testing holistically, organisations often discover gaps where they aren’t testing, but should be. This exercise also provides an opportunity to revisit existing controls, confirm that the right mix of preventive and detective controls are in place, and identify areas where efficiencies can be gained, as well as explore options to mature the way in which testing is occurring (e.g., through the use of automation and other enabling technologies, and data).

4. Dynamic Risk Reporting

If an organisation is going to make the effort to implement an aligned assurance approach, it must make sure that senior leadership and management are aware of the results of that collaboration.

That means equipping them with access to the right technology and tools that will allow them to lead the company effectively toward achieving its strategic goals, managing risks and increasing agility. Credible, intuitive risk reporting is a key enabler for achieving that agility because it allows for the proactive identification of emerging problems.

Implementing dynamic risk reporting requires buy-in from key stakeholders (e.g., senior management, board members, regulators) and identifying which results they consider most valuable and want to be kept apprised of regularly. Their input will help determine which key risk indicators (KRIs) and key performance indicators (KPIs) should be tracked and mapped directly back to the organisation’s risk appetite and business objectives.

To enable dynamic risk reporting, organisations likely need a data management system to capture, store and analyse risk data in real time. They also need data visualisation, analytical and other robust technology tools to build a dashboard that will meet stakeholders’ reporting expectations and allow them to receive real-time — and ideally, interactive — metrics that they can drill down on to better understand and respond appropriately to emerging risks and trends relevant to the business.

5. Risk Monitoring and Management

Technology is also essential for ongoing risk monitoring and management. Many organisations opt to use a governance, risk and compliance (GRC) tool to help them manage the assurance process across the enterprise. Beyond GRC solutions, organisations are also exploring and adopting other technology solutions (including automation, analytics, and AI) to assist in risk information gathering and analysis and for automation, streamlining and data-enablement of control testing efforts. The right tooling can be an incredibly valuable asset for providing real-time insights into risk, improving data accuracy and more.

That said, tools can’t solve this problem on their own and require consistent application against the standards and taxonomies adopted by the enterprise — hence the initial focus on Standards and Framework.

As for who should take the lead on driving aligned assurance, the short answer is, “it depends.” In some instances, internal audit gets the ball rolling and sometimes the business is the catalyst. But when multiple business lines are involved, it can be challenging to get them and the second and third lines in alignment. So, we often see the second and third lines driving the charge to keep up the momentum.

The most successful, collaborative examples of aligned assurance that we see are those where there is co-ownership of the process, and strong sponsorship from the C-suite and the second and third lines, and in these cases the benefits are clear for all to see.

To learn more about the benefits of transitioning to an aligned assurance model and overcoming barriers to getting the process started, watch the Protiviti webinar on aligned assurance on demand.