Integrated Assurance Approach
When an uncoordinated assurance approach lets us down
The Institute of Internal Auditors (IIA) “Three Lines of Defence” model [1] has been around for some time, its purpose being to provide structure on the roles and responsibilities in the management and oversight of risk and control. A revised model for governance and risk management was issued in July 2020 by the IIA. The new “Three Lines Model” [2] is designed to better identify and structure interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives.
With the increasing regulatory focus on identifying and mitigating all risks, there has been an explosion in recent years in assurance activities within financial services companies. Unfortunately, this has not always been matched by an equivalent rise in insight into risk and risk management. Uncoordinated assurance approaches to risk, and overlap in the work performed, can lead to gaps in risk coverage, business fatigue, duplication in reporting and little added value. The “Three Lines Model” calls for collaboration and communication across the first and second line roles and internal audit to ensure there is no unnecessary duplication, overlap, or gaps. In such cases, an integrated assurance approach can offer a solution.
Three lines recap
Generally speaking, the first line is handled by front line and midline managers who have day-to-day ownership and management of risks and controls. The second line is put in place to support senior management by bringing expertise, monitoring and challenge to ensure that risks and controls are properly managed. The third line provides independent assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations.
The three lines model has helped many organisations clarify risk responsibilities and bring structure to risk management, but it has also presented challenges. The second and third lines can be found to operate independently of each other in their assurance activities, competing against each other for management time and attention, and sometimes duplicating work and reporting on the same risks and associated issues.
Impact of an uncoordinated approach to assurance activities
- Gaps in risk coverage: When assurance functions don’t work together, the likelihood of overlapping work rises, as each function can focus on the same risks to the detriment of other areas, giving rise to unexpected risk events and control failures.
- Business fatigue: Multiple uncoordinated interactions between risk and assurance functions lead to confusion in the business and to questions about the effectiveness and value of these functions.
- Inconsistent and complex risk reporting to Board Committees: With an uncoordinated approach to risk management, the second and third line functions could report on different risks with conflicting information, or even duplicate work performed. There is no one true view of the key risks and their management in the company, leading to confusion and headaches for members of the Board.
Some thoughts on an integrated assurance solution:
- Agree one view of risk: Assurance functions should sing from the same hymn sheet - one risk register with a comprehensive view of the key risks the company faces and how they are being managed. Risks are identified and recorded on the risk register with senior management input and approved by the Risk Committee and Board. In line with the Three Lines Model, risks should be identified by first considering the objectives of the organisation, and then ascertaining the uncertainties/risks in meeting those objectives. This will facilitate not only a more collaborative approach to assurance activities but also more effective reporting at Board level - one true view of risk management in the organisation.
- Collaborative approach to assurance activities: The second and third line should base their work programmes on the agreed risk register, and coordinate assurance activities so that there is sufficient coverage of all key risks without overlap in the work performed. The respective roles of the second and third line could be based on the need for senior-level transparency and objectivity in relation to each risk. Where that need is greater, the third line of defence should play a greater role in providing assurance. It is important to recognise that while the second line provides support and challenge to the first line, the third line’s defining characteristic is its complete independence from management.
- The second line as business advisors only: Another option is for the second line to set standards and act as business advisors, with the third line fully accountable for all assurance activities. The second line can be more involved in advising on and contributing to the management of risk (and associated opportunities) upfront, as part of strategy setting, strategic initiatives and large-scale change, while the third line provides assurance that the correct approach was taken.
Concluding thoughts
In practice, every organisation needs a bespoke approach to integrating risk assurance. The approach depends on business strategy, specific risks, available resources and the regulatory requirements applicable to the organisation. Should that approach be for the second line to provide an assurance role, then an integrated assurance approach should be considered. In my view, having the second line risk function act primarily as business advisors adds more value to risk management in an organisation.
[1] IIA Position Paper: The Three Lines of Defense in effective risk management and control
[2] The IIA’s Three Lines Model