Combined assurance — also known as integrated risk assurance — involves combining risk management efforts across the three lines (and their external assurance providers) to enable an effective control environment and uniform risk reporting to executives and the board.
When successfully implemented, this model results in a more holistic, organized, and accurate view of risk, as well as more efficient and cost-effective risk management activities. Yet, though most governance, risk, and compliance (GRC) leaders agree that combined assurance represents an efficient approach to risk management, many struggle to effectively embed this model in their organizations due to common challenges that can oftentimes derail implementation efforts. Learn how to tackle these challenges below, and download the full guide, Advancing Combined Assurance to Manage Key Risks, for more leading practices to maturing combined assurance in your organization.
Challenge 1: Lack of clear leadership.
Every business is organized differently depending on its size, industry, and years of operation. Organizations with multiple risk management functions may struggle to identify and agree upon the right team or individual to lead their combined assurance efforts. Without proper leadership that can advocate for Board and management support and backing from the Audit Committee, combined assurance efforts may quickly lose steam in the business.
Solution: Internal Audit should take the lead.
In 2017, the Institute of Internal Auditors (IIA) announced the new Coordination and Reliance standard that recommends auditors initiate combining assurance efforts with other risk parties. IIA Standard 2050 states:
“The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.”
Internal audit is one of the few groups in the business that has the most in-depth understanding of the organization’s processes and controls, as well as a direct line to the Audit Committee. Moreover, as the independent line of assurance in the business, internal audit is already conditioned to operating at the most granular level of detail before forming opinions on controls. As a result, it is the natural function to lead this effort.
Challenge 2: Difficulty obtaining stakeholder buy-in.
A common misperception is that combined assurance requires reorganizing and changing the basic roles of the three lines and their reporting structure. It is important to communicate to your stakeholders that adopting a combined assurance model is not a mutually exclusive exercise, but an effort to coordinate efforts and share knowledge to ultimately add value to the organization.
Solution: Provide reassurance that independence does not imply isolation.
When meeting with other assurance stakeholders, communicate that advancing combined assurance in your organization is for the greater good of the organization and all stakeholders involved. Reference IIA Standard 2050, The IIA’s updated Three Lines Model, and messaging from external assurance providers such as Deloitte and PwC. Emphasize that combined assurance does not change the mission statement, reporting structure, or capabilities of each individual function. Each business function remains distinct and continues to execute its unique role as part of a fully integrated effort in reducing risk within the organization.
Challenge 3: Lack of visibility into gaps despite strong assurance.
Organizations may lack a comprehensive understanding of the key risks facing their business, despite extensive risk management work being performed by multiple functions. One way this manifests is in conflicting issue reports; for example, an internal audit report on a particular business unit comes back as satisfactory, while a health and safety report on the same business unit may include several high-risk issues. Negative consequences of poor risk visibility include: gaps in coverage, significant control failures, and unexpected risk events — despite significant time and resources spent on assurance.
Solution: Create an assurance map.
Poor visibility and misaligned reporting is often the result of various modes of risk categorization and terminology. Initiating a combined assurance effort presents an opportunity to take stock of the gaps in your organization by creating an assurance map. An assurance map like the sample below is a living document that helps identify any gaps or overlaps in your business’s risk management processes.
To create an assurance map:
- Map assurance coverage against the key risks in your organization.
- Identify and address the gaps and overlaps in your risk management processes.
Performing this exercise can quickly help you identify your key assurance stakeholders, their coverage, and address gaps. This is an important tool to bring to combined assurance meetings to give stakeholders comfort that A) risks are being managed and reported on, and B) regulatory and legal obligations are being met.
Challenge 4: Difficulty developing a common controls framework.
Designing a common controls framework for use across functions is the foundation for unified issue reporting. However, mapping multiple requirements across different frameworks, while integrating various risk ranking criteria and risk definitions into a single risk taxonomy, is arguably the most complex hurdle in combined assurance.
Solution: Break down big goals into manageable goals.
This is an opportune moment for assurance stakeholders to step back and strategize at the highest level. Organize your combined assurance goals into common buckets that can be easily referenced, such as in the example below, and from there prioritize how to tackle them based on majority opinion.
Visualizing your combined assurance goals in this way can help you establish connections between goals, which can help stakeholders brainstorm solutions together that can efficiently address multiple goals at once.
Challenge 5: Decentralized systems create inefficiency.
When attempting to unite siloed business functions under the goal of combined assurance for the first time, a major hurdle is making sense of disparate risk and controls data exported from multiple systems. A February 2021 AuditBoard poll of over 1,500 audit, risk, and compliance professionals found that 56% of respondents stated their respective department function managed its data in multiple systems of record.
Source: AuditBoard Poll, February 2021
As a result, assurance stakeholders working in decentralized environments spend a significant amount of their time reconciling version control issues and cleaning data. The same poll found nearly 50% of respondents spend between 25% to 50% of their time on administrative tasks, while 15% spend over 50% of their time on administrative tasks.
Solution: Use technology to jumpstart combined assurance
A combined assurance initiative can be seen as an opportunity to solve multiple problems by working together. Use your combined assurance effort as a dual front for helping stakeholders organize their records by migrating their risk data into a centralized system of record. Not only will this help to alleviate decentralization issues for individual GRC functions, but it also serves to streamline several major goals of combined assurance, including:
- Establishing a risk taxonomy.
- Establishing a risk ranking system.
- Creating a common controls framework.
- Mapping controls to strategic objectives.
- Mapping controls to requirements and risks.
- Centralizing issue data into a single issues register.
- Standardizing reporting.
Reaching a state of mature combined assurance can give businesses a competitive advantage in a volatile risk environment. Download our full guide, Advancing Combined Assurance to Manage Key Risks, for more ways to mature your organization’s combined assurance practices.
Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.