Tip of the Month: Implementing Combined Assurance in BarnOwl

Posted on by Nathan

Combined Assurance

Combined assurance is an integrated approach to assurance activities within an organisation. It involves collaboration and coordination among various assurance providers to ensure that risks are effectively managed and that the organisation achieves its objectives.

King IV states that a Combined Assurance Model incorporates and optimises all assurance services and functions to enable an effective control environment that support the integrity of information used for decision making by management, the governing body and its committees; and supports the integrity of the organisation’s external reports.

Implementing combined assurance in line with King IV principles helps organisations achieve better governance outcomes, manage risks more effectively, and create sustainable value for stakeholders.

Key Elements of Combined Assurance

    1. 1. Integrated Assurance Activities:
        • Align assurance activities across different lines of defence, including management, internal audit, external audit, and other external assurance providers.
        • Ensure that these activities are coordinated to avoid duplication and gaps.
    1. Three Lines of Defence Model (often five lines of defence):
      • First Line of Defence: Operational management, which owns and manages risks.
      • Second Line of Defence: Functions like risk management and compliance that oversee and specialise in risk management and compliance.
      • Third Line of Defence: Independent assurance providers, such as internal and external auditors, who provide independent assurance on the effectiveness of governance, risk management, and control processes.
    1. 2. Risk Management:
      • Identify, assess, and manage risks across the organisation.
      • Ensure that risk management processes are integrated with assurance activities.
    1. 3. Coordination and Communication:
      • Facilitate effective communication and coordination amongst assurance providers.
      • Ensure that assurance reports are shared and discussed with relevant stakeholders, including the board and its committees.
    1. 4. Reporting:
      • Provide comprehensive and consolidated assurance reports to the board and management.
      • Use these reports to inform decision-making and improve governance and risk management practices.
    1. 5. Continuous Improvement:
    • Regularly review and enhance the combined assurance framework.
    • Adapt to changes in the business environment, regulatory requirements, and stakeholder expectations.

* (Courtesy of Chat GPT)

Benefits of Combined Assurance

    1. Holistic View of Risk: By integrating various assurance activities, combined assurance offers a comprehensive view of the organization’s risk landscape, ensuring that all significant risks are identified and addressed.
    1. Improved Risk Management: Combining efforts helps in identifying gaps and overlaps in risk management activities, leading to more effective and efficient risk mitigation strategies.
    1. Increased Efficiency: Reducing duplication of efforts among different assurance functions leads to more efficient use of resources, saving time and costs.
    1. Enhanced Reporting: Provides a unified and consistent reporting mechanism to the board and senior management, enhancing their understanding of the organization’s overall risk profile.
    1. Better Decision-Making: A coordinated approach to assurance activities ensures that decision-makers have reliable, comprehensive, and timely information, leading to better strategic and operational decisions.
    1. Strengthened Internal Controls: By leveraging insights from various assurance providers, combined assurance helps in strengthening the internal control environment, thereby reducing the likelihood of control failures.
    1. Regulatory Compliance: Ensures a more robust compliance framework by coordinating efforts to meet regulatory requirements, reducing the risk of non-compliance.
    1. Enhanced Stakeholder Confidence: Provides stakeholders, including investors and regulators, with greater confidence in the organisation’s risk management and governance practices.
    1. Resource Optimization: Facilitates optimal use of assurance resources by aligning activities and focusing on high-risk areas, thus improving overall effectiveness.
  1. Continuous Improvement: Encourages continuous improvement in assurance practices by promoting collaboration and knowledge sharing among different assurance functions.

Overall, combined assurance leads to a more integrated, efficient, and effective assurance framework, contributing to the organisation’s resilience and sustainability.

* (Courtesy of Chat GPT)

Example of a Combined Assurance Framework

An example of 5 lines of defence

* (Courtesy of a leading water utility service provider)

Implementing Combined Assurance in BarnOwl

BarnOwl supports the linking of objectives, risks and controls across all levels of the organisational structure. In addition, parent and child risks can be linked at every level of the organisation. This enables the aggregation of risk ratings from low-level operational (process-based) risks, to business risks up to strategic risks. In addition, risks can be categorised giving further levels of stratification. BarnOwl facilitates combined assurance in a number of ways:

    • The BarnOwl Risk Management module enables risks and controls to be rated by management (risk owners).
    • The BarnOwl Compliance module is fully integrated with risk management allowing for the maintenance of CRMPs (compliance risk management plans) and the rating of compliance risks and controls.
    • The BarnOwl Audit module is fully integrated with risk management enabling common risks and controls to be rated independently by audit.
  • Risk and control self-assessments (RCSAs) can be sent out automatically by the system to respondents from different lines of defence (Risk, Compliance, Audit and other). RCSAs scores can be averaged by line of defence.

Things to consider when implementing combined assurance

    • A common risk, compliance and audit framework across all lines of defence (including external assurance providers) is required. For example, risk ratings (impact and likelihood scale) and control ratings (adequacy and effectiveness) must be standard across all lines of defence.
    • A common risk taxonomy (such as the naming and categorisation of risks) across the organisation is required. BarnOwl’s library look-up functionality supports a common risk and control taxonomy i.e. helps prevent the same risk from being named and categorised differently, not only across business units, but also by the various assurance providers.
  • How best to setup your organisational structure to ensure a practical independent approach for each assurance provider (e.g. risk, compliance, audit and other) whilst still being able to achieve combined assurance reporting. The following table indicates the advantages and disadvantages of the different approaches when setting up your organisational structure in BarnOwl:
Options for setting up your Organisational structure in BarnOwl Advantages Disadvantages
Option 1 – Shared Org structure with Risk, Compliance and Audit sharing the same Units Risk Management (RM) risks, Compliance risks and Audit risks can be linked to Group Risks (Strategic) for reporting purposes Cannot have separate permissions for RM risks, Compliance risks and Audit risks as they all share the same unit
Requires Classification filter on Standard, Global and Flat risk registers
Requires Classification filter on Power BI dashboards to separate Risk, Compliance and Audit risks
Risk registers will become very busy / confusing
Option 2 – Shared Org structure with sub-units for Risk, Compliance and Audit Compliance and Audit risks (operational) can be linked to RM risks (business) which in turn can be linked to Group risks (Strategic) for reporting purposes Requires complex permissions setup (since the default permission is inherited from the Parent Unit)
Single common Org structure – Risk Management (RM), Compliance and Audit will have their own risk registers in their own Units within a common Org structure Requires Classification filter on Global and Flat risk registers
Requires Classification filter on Power BI dashboards to separate Risk, Compliance and Audit risks
If RM copy their unit structure from one year to the next (which is common in the public sector), it will affect Compliance and Audit. Compliance and Audit will need to re-apply all processes to their newly created Units. It will also leave open audits spread across the 2023/2024 and 2024/2025 Org structure. This could become very confusing.
Option 3 – Separate Org structure for Risk, Compliance and Audit An overarching Parent Company Unit must be created with sub-unit structure (universe) for Risk, Compliance and Audit Risk, Compliance and Audit will need to maintain a separate Org structure within their own Universe.
Audit risks (operational) can be linked to RM risks (business) which in turn can be linked to Group risks (Strategic) for reporting purposes The Org structure in each Universe will not be aligned, however a custom field on the Unit, can be used to group Units across the different Universes for reporting purposes.
Audit will still be able to audit the risks in the RM unit structure and Compliance unit structure (Audit will however need to be given RM / Compliance unit permissions)
Risk Management (RM), Compliance and Audit will have their own risk registers in their own Units (i.e. within their own Universes)
Risk, Audit and Compliance permissions will be simplified by Units being under separate Universes
Risk Management copying the Org structure from one year to the next will not affect Audit or Compliance

NB: For all options, an overarching Parent Company Unit must be created as the top node in the Org structure to enable global / flat register functionality. The same applies to Processes, where a Parent Process node must be created as the top node in the Process structure to enable global / flat process register functionality.

The following are examples of each of the options including linked parent / child risks:

Option 1 – Shared Org structure with Risk, Compliance and Audit sharing the same Units

Option 2 – Shared Org structure with sub-units for Risk, Compliance and Audit

Option 3 – Separate Org structure for Risk, Compliance and Audit

Conclusion

Combined assurance can be challenging, as it requires the buy-in and implementation of a common risk framework and risk taxonomy by all assurance providers. In addition, it requires that your organisational structure is set up in such a way as to allow the different assurance providers (e.g. risk, compliance, audit and other) to work independently, whilst still enabling combined assurance reporting.

However, the benefits of combined assurance are significant and lead to a more integrated, efficient, and effective assurance framework, contributing to the organisation’s resilience and sustainability.

Useful links

https://barnowl.co.za/knowledge-base/tip-of-the-month/barnowl-combined-assurance/

About BarnOwl

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 blue-chip organisations. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see www.barnowl.co.za for more information.

Leave a Reply

Your email address will not be published. Required fields are marked *