13 February 2015
Integrated risk and assurance mapping can improve the quality of information for directors
Changing legislation and regulation has brought increasing focus on the roles of audit and risk committees, as well as the board itself, to ensure appropriate attention is paid to risk and assurance.
The quality of risk and assurance information provided to directors is key. The company secretary is at the centre of ensuring this information is available, providing the advice and guidance directors require to achieve the company’s aims and protect its interests.
Integrated risk and assurance mapping (IRAM) is one approach which provides the standard of assurance mapping that regulators are now seeking.
Assurance mapping provides a methodology for looking at the different sources of assurance, giving a view on the effectiveness of the functions or areas of risk within the business.
Assurance essentially refers to the evidence that describes how well the controls are operating. This might be as straightforward as a performance measure, or a more complex specialist consultant’s review of a particular operation. The assurance map (see Figure 1) is often presented in the form of a table, with the key areas of the business or the risks on the left, and the sources of assurance categorised using a ‘three lines of defence’ model:
- First line – operated by managers across the business
- Second line – corporate oversight functions and challenge
- Third line – independent assurance
- ‘Internal audit’ includes assurance on effectiveness of the first and second lines
- ‘Other external’ includes external reviews, quality assurance and accreditation
This is a convenient way of categorising the assurance according to how independent it is likely to be.
The sources of assurance may be colour-coded to denote the level of assurance – what they say about the effectiveness of controls and the quality – that is, how much reliance can be placed on it (to simplify this example, Figure 1 has not been colour-coded). This is a useful tool for identifying the main controls and the different sources of assurance which describe how effectively these are operating. It can also be used to highlight where there may be duplication or gaps. This information can then be used in the internal audit planning process.
For the true value of the assurance map to be realised, the information must be kept up-to-date and be brought into the risk management framework.
The use of IRAM has been developed and implemented by Wakefield and District Housing which owns and manages more than 31,000 homes in the north of England. The method is cited as leading practice, featuring in the National Housing Federation’s new guide and shortlisted for the Institute of Risk Management’s (IRM) Global Risk Awards 2015. The IRM is also interested in using the methodology within the charities sector.
The first hurdle to achieving integration is dealing with the volume of information within the assurance map. This could quickly overload the risk reports, losing the key messages.
Another issue is the way assurance usually has a single score to capture both the level and quality of assurance, which can result in lost information. An alternative approach is to have a traffic light score for the level of assurance, and use coloured circles to denote the quality of assurance. This provides the risk report with sufficient information.
It is a very simple concept, but one which can really improve the quality of risk reporting to both the executive and board.
If, for example, you do not have effective arrangements to ensure an appropriate employee base with skills and competencies to meet current and future needs, you may highlight the following potential causes or issues:
The organisation should then consider the controls that it has in place to manage each potential cause. The final stage is to identify the different sources of assurance that exist, and what they tell you about how well the controls are operating in relation to each cause. These sources are categorised using the three lines of defence, and scored according to the level and quality of assurance they provide. See Figure 2 below.
This level of analysis might be too detailed for how some organisations report their risks but the sources of assurances could be summarised at a higher level if this is the preferred style.
In addition to improving risk governance, the new approach also drives greater value from external assurance providers such as consultants or internal audit, bringing these valuable resources into the risk management framework, and directing reviews to those areas needing assurance.
Jeff Colley is Business Excellence and Risk Manager at Wakefield and District Housing