The term “Combined Assurance” has been very popular over the last few years, and we have fielded many queries as to what exactly this concept entails. Much like Risk Management, the removal of the capital letters somewhat demystifies the notion.
Combined assurance is, simply, ensuring that a co-ordinated (combined) approach is applied in receiving assurance on whether key risks are being managed appropriately within an organisation. Therefore, it is a very logical and simple concept. Like Risk Management, it is something that has been applied within every successful organisation for many years.
So let’s explore the concept further. Firstly, the backbone of a Combined Assurance model is a commonly accepted view of the risks facing the organisation. An organisation looking to apply this model effectively and efficiently is setting itself up for failure if it does not have a robust, mature Risk Management process. Conversely, an organisation that has a Risk Management process, but no Combined Assurance model, is missing a vital piece of this puzzle.
The next concept is the so-called “lines of defence”. Popular theory nowadays suggests five lines of defence. Theory loves complex categorisation, practice does not. We therefore suggest the following simplified model:
-
The first line of defence is management, i.e. the person or persons appointed by the organisation to manage risks. They own and manage the risks.
-
The second line of defence is internal assurance providers that are not directly responsible for managing risks, i.e. they oversee the risks. Examples are the Risk Management, Compliance, and Legal functions, as well as internal safety assessors.
-
The third line of defence is external assurance providers that provide independent, objective assurance on the management of key risks. Examples are the external auditors and external Health and Safety Inspectors. Another example is an internal audit function. Owing to its positioning within an organisation, it would be classified as part of the third line of defence.
It is clear that the different lines of defence offer gradually increasing levels of assurance, from management, who are in fact paid to manage risks, to an external assurance provider, such as the external audit function, who are being measured and regulated by parties external to the organisation.
So, the Combined Assurance model now suggests that a holistic view is taken when assessing the management of risks of an organisation. As an example, if management (the first line of defence) indicates that there is a problem in managing a risk, surely there is no need for any of the other lines of defence confirming that view? Alternatively, if management, the Risk Management function and an external assurance provider all indicate that a risk is being appropriately managed, there should be no need for internal audit to spend time confirming that view. As another alternative, if a risk is assessed as reasonably low, the view may be that no line of defence (beyond the first) needs to spend time assessing the management of that risk.
Who makes the call on what assurance is necessary? In theory, the Audit Committee should. In practice, however, management would appoint the majority of service providers and establish their scope, with the Audit Committee fulfilling an oversight function.
How would the Audit Committee be able to fulfil this oversight mandate? Practically, we suggest that a Risk Register feedback document is utilised, additional columns are added that correspond with the lines of defence, with a colour indicator being utilised to indicate assurance received. This provides both management and oversight with a single, holistic view of the management of the organisation’s risks and the assurance received thereon.
Furthermore, it is our suggestion that the Combined Assurance model is maintained by the internal audit function, as they are uniquely positioned to understand the Risk Management process, as well as being able to interpret the assurance received from the different providers.
If properly executed, the Combined Assurance model is a natural conclusion to the Risk Management process. It plays a vital and indispensable role in ensuring the appropriate management of key risks by ensuring appropriate depth of and maximum benefit from assurance activities.