CEB Blogs


Risk Management

How to Implement Aligned Assurance

As industries, markets, companies, and workforces become more interconnected, risks become more complex and the number of employees making material decisions rises; assurance functions should integrate their efforts.

The teams in a big company that carry out what is known as “assurance” work – namely internal audit, risk, compliance, and legal functions – often coordinate their activities in some way. After all, they are often asking colleagues across the company similar questions about the implications of various activities and decisions, whether they pose a risk, break a company’s code of conduct or, indeed, the law.

The problem is that, although about half of assurance functions currently coordinate their activities with other functions in at least some ways, only 11% of the 156 assurance professionals in a recent poll said they had an integrated system for efficient management of threats in line with their corporate risk appetite.

Changing Conditions

Risk professionals need to prepare for change. Nearly all companies (91%) are planning to re-organize their risk management programs in the next three years, and better alignment is the direction in which they’re all heading. In fact, companies that are not moving this way may already be behind. This is particularly true for North American companies; European business is ahead in this regard. Two big changes are behind the shift:

  1. Assurance functions are on the rise: Spurred by the financial crisis and the resulting interest from regulators, the number of assurance functions has nearly doubled since 2008. This means that mandates now overlap and one function’s assessments may often conflict with another’s.

    Boards are struggling to make sense of different narratives, business leaders are sick and tired of redundant requests, and employees in general are rightly questioning why they have to provide the same answers over and over.

  2. Risks are becoming more complex: At the same time, regulatory environments are more uncertain, threats are more interconnected, and the enterprise is more exposed (see chart 1). This has led to a host of problems, including:

    • Slower decision making and greater risk aversion caused by multiple versions of the “truth” (the top concern of 41% of assurance executives, according to CEB, now Gartner data).

    • Increased risk because of gaps in assurance oversight or process avoidance (singled out as the top concern by 22% of those polled).

    • Slower operations.

    • Increased total costs of assurance with diminishing returns on that investment.

    • Confusion about each function’s role.

    Chart 1: The interconnected risk landscape  Source: CEB analysis

Four Steps to Alignment

With the costs of inaction piling up, it’s time for many assurance teams to get together and start coordinating their efforts. Chart 2 shows four categories where assurance functions can make a start. At first glance, this might seem daunting, but it is a multi-year process.

Chart 2: Hallmarks of integrated assurance  Source: CEB analysis

The US director of ethics and compliance for a large multinational power company in CEB, now Gartner’s networks says that, at first, “I was a little skeptical. I wasn’t really sure how effective it would be.” But, he added, he’s seen “a lot of benefits from it and each day we continue to improve.”

To get started, risk teams should take four steps.

  1. Determine whether you should create an aligned assurance program: Clearly understand why you should pursue aligned assurance and whether you need to lay more groundwork before forging ahead.

    The benefits: The number of assurance functions has doubled since 2008, while risks have become more complex. Better coordination can remove wasteful duplication, consolidate inconsistent frameworks, and uncover blind spots that still exist despite all this proliferation.

    Readiness: Review the corporate landscape — look for gaps that you must address before proceeding. There are three categories to assess.

    1. Assurance baselines and processes exist across the organization:

      • Identify existing processes, baselines, and benchmarks that may overlap with other assurance departments, such as quality assurance and regulatory compliance.

      • Assess the overall assurance and testing landscape through interviews and conversations with other assurance providers and senior management.

      • Review the business needs and assurance provider activities for opportunities to integrate activities.

      • Review the KPIs used by the internal audit team to assess potential overlapping areas.

    2. The business is structured in a way that will support aligned assurance:

      • Interview business units to understand the current impact of assurance activities.

      • Identify organizational changes required to implement aligned assurance; most commonly this involves making mandates and communication initiatives clearer.

    3. Strong drivers exist for implementing aligned assurance:

      • Investigate the advantages of process improvement against the cost of implementing aligned assurance.

      • Evaluate stakeholder feedback for pain points that can be solved with aligned assurance.

    Also, make sure the company is ready for aligned assurance. Check that:

    1. The organization can support aligned assurance efforts without major disruption to its existing workflow:

      • Assess stakeholder understanding of aligned assurance, and clarify objectives and potential benefits.

      • Pressure-test stakeholder perception of the opportunity for aligned assurance.

    2. A long-term and organization-wide appetite exists for sustainable aligned assurance efforts:

      • Assess whether organizational initiatives will disrupt future aligned assurance efforts.

      • Analyze organizational dynamics to understand which aligned assurance tactics (e.g., assurance mapping, common risk language) you should start working on first.

  2. Establish guiding principles and get stakeholder buy-in: Once you’re ready, get the other relevant assurance functions on board. Consider who should be leading the integration process. In many cases, Internal Audit is in charge of creating an aligned assurance program. It all depends on how your company is structured, who has the best relationships with stakeholders, and what your needs are. No matter what, each function should understand the process in order to provide strong support.

    Create guiding principles for the process, like emphasizing that even though one function will coordinate activities, the process should be collaborative, with each function performing self-assessments to drive the initiative. When seeking collaboration, be sure to tackle some possible misconceptions that each group may have. See the chart below to guide conversations with each audience and address specific concerns.

  3. Map everything out: With other functions ready and committed to moving forward, assign clear ownership roles for each risk area. Work with senior business executives to understand responsibilities for each assurance activity. The assurance teams at one firm in CEB, now Gartner’s networks used a map like the one in chart 3.

    Then, reframe the table; mark each compliance risk area with the owner so everyone has a clear sense of his or her responsibilities. For each risk, those accountable must define risk appetite, tolerance, and standards. You should also use this step to establish consistent language and rating scales among all functions.

    Chart 3: Assurance map (Illustrative)  Source: CEB analysis

  4. Determine each risk area’s current level of maturity and the target level: Ask each risk owner to assess the maturity level of their risk area. Work with the owners to establish a target maturity and timeline for each. Aligned assurance is also about continuous improvement. As you go through the process:

    • Try to continuously simplify.

    • Be flexible and listen to colleagues in the business.

    • Challenge, but don’t micro-manage.

    • Be clear on what you’re trying to achieve.

