Oversight and governance of risks through increased use of risk data and MI continues to be a growing area of focus for regulators around the world. This has led to increasing competing requests from Boards and Executive Committees for more and more risk data from multiple sources across the three lines of defence (3LoD) to help visualise and better understand the organisation’s risk capabilities and approach.
These competing requests are becoming increasingly burdensome, particularly when there is more than one Risk Management Framework in operation or differing approaches to the identification, monitoring and assessment of risks implemented across the 3LoD model. This can lead to a lack of consistency, or fragmentation, in risk management and oversight across the 3LoD and can result in regulatory and risk reporting that becomes incomplete, diffused, inefficient, and even intrusive, to businesses and functions. This is particularly noticeable where accountabilities and responsibilities between the 1LoD and 2LoD are not clearly documented and implemented. These factors can ultimately hinder risk monitoring, performance and the adoption of well-defined business drivers of value.
As a result of this divergence and lack of consistency in approach, “assurance fatigue” can begin to set in within the business. As firms continue to respond to increasing or emerging risks, high-profile risk events, regulatory expectations and/or adapting to challenges being experienced by peer firms, senior management should consider enhancements, or in some cases an overhaul, of their risk management operating model to increase efficiency and alignment to business drivers of value.
One way that firms are seeking to address these issues is through the development of an Aligned Assurance (also known as Integrated Assurance) Framework. This refers to an organisation’s ability to demonstrate that its assurance functions are providing a holistic and consistent approach to the delivery of risk management, risk monitoring, risk reporting and risk governance across the enterprise. This is achieved through the implementation of one Risk Management Framework which is embedded across all lines of defence within the organisation, resulting in an amalgamated risk taxonomy, impact matrices and assurance activities. This provides a consistent view of the organisation’s risk profile, control weaknesses, and risk performance on a global, regional, and local scale.
The first building block for developing, or enhancing, an Aligned Assurance Framework is to identify and refine the business drivers of value. This requires an exercise to understand which areas of the business add enterprise value, and then to inspect each one to understand what is driving that value. Various factors feed into business drivers of value, from the organisation’s business strategy to operational performance to the external business environment. Each business driver sits at the top of a Risk Management Framework and must be clearly defined and understood in order to provide a unified view of the areas of priority for risk assurance activities.
Secondly, key or top risks to the organisation must be identified and assessed to understand which risks endanger or enhance each business driver the most. The ability to clearly understand and articulate the risks which have the highest impact should be factored into the organisation’s risk appetite and set the expectations of key stakeholders in decision-making. Whilst this might sound simple enough, a key factor which is often overlooked is consistency of risk language and terminology, which can habitually differ across varying risks and on a global, regional and local scale.
Thirdly, grouping and prioritising risk themes and their associated key or top risks is important for driving assurance priorities that need to align with business strategy and operations. An agreed list of risk themes is essential for effective risk management, risk monitoring and risk reporting across the organisation.
Defined key or top risks along with consistent risk language and terminology will help to clarify assurance responsibilities to an extent. Once the above building blocks are in place, the organisation should consider a fourth element: the roles and responsibilities across the 3LoD. The organisation should consider further how effective each role is for the day-to-day execution of ongoing risk management, whether there are any blurred lines in accountabilities and responsibilities across each aspect of the Aligned Assurance Framework, as well as the level of clarity to the wider business in terms of where each function and team is aligned within the Framework.
The four building blocks outlined above lay the foundations for a strong Aligned Assurance Framework and will help to provide an effective assurance planning lifecycle that does not overburden the 1LoD, Compliance, Operational Risk, or Internal Audit.
Once the foundations are set and resources are appropriately aligned, unified risk reporting and risk monitoring is the natural next step. Many organisations focus on digitising their existing capabilities or adopting new solutions and tools, yet the journey does not stop there. Strong consideration should be given early on to how to test the effectiveness of the Aligned Assurance Framework, and this should include check and challenge from senior management as to whether the Framework is meeting their needs. For example, the implementation of UK ICARA brought a regulatory spotlight on whether organisations are currently dealing with risks properly and the oversight capabilities of the management body. Organisations have had to ask themselves whether they truly reflect the risks to which their firm is exposed, and the amount of risk this poses to clients and to the markets, as well as how those risks could evolve throughout the economic cycle.
The roadmap to Aligned Assurance and risk maturity will look different for every organisation, and it is by no means a quick journey. Outside of motivation to streamline costs and resources, investing time and effort now is critical to achieving an Aligned Assurance Framework that can provide actionable insights through unified risk reporting and risk monitoring, enhanced risk anticipation with deeper insights into issues, and a more panoramic view of critical risks.
Firms should challenge themselves on whether they are in a position to truly understand their greatest risks. In our next blog we will address some of the common challenges Asset Managers face from a risk management framework perspective.