I recently attended a webinar with the promising title: “Improved Risk Management through Coordinated Assurance”. Some of the content resonated with my own thoughts and the discussions I have led with other internal audit and risk management practitioners in the course of the last ten years under different titles: convergence, combined assurance, aligned assurance. However, at the end of the 45 minutes I was left with a rather disappointed feeling, because the webinar had failed to provide a new vision and clearly lacked the ambition to show a clear path for a meaningful and valuable solution for the problem statement implicit in its title.
I posted a short comment on LinkedIn and was a little surprised by the resonance it received. This proved the relevance of the question and the dissatisfaction of many with the underlying view of assurance. In this post I reflect on the key messages presented in the webcast, add my own comments and integrate insights from the LinkedIn discussion.
Why is coordination or alignment needed?
The webinar started with the currently prevailing view of the Three Lines of Defense (TLoD) model.
In this model, which has been heavily lobbied for by the global Institute of Internal Auditors (IIA) since 2013, risks are managed in three successive lines of “defense”; the first line being operative management and internal controls exercised by them; the second line supervising and supporting the first and being composed of the “risk management” functions like Quality, Risk, Compliance, Legal, Security, Internal Controls over Financial Reporting; and finally the third line represented by internal audit which ensures the effectiveness of the first and second line dealing with risks in an independent and objective way.
As a problem statement, this model is composed of various assurance providers in the first and second line, all of which have their own views and definitions of risks, of their scope, of assurance methods and engagements, their own assurance plans, input requirements from first line management, reports to senior management and so forth.
As a consequence, this leads to
- Assurance Fatigue: operating units and management subject to assurance engagements are getting “tired” of being reviewed many times a year from so many different angles.
- Multiple Views of “the Truth”: different assurance functions have different views on the same conditions and circumstances and express them in different reporting formats and risk evaluation systems when reporting to senior management.
- Duplication as well as gaps in assurance coverage: overlapping scopes (e.g. Data Privacy, IT Security, IT Audit) and “white spots”.
I agree with these concerns from my own experience and want to add some of my own:
- A growing expectation gap between what stakeholders (senior management and board) expect from internal audit and what internal audit sees as their main focus based on the Professional Practices of Internal Auditing Framework. More and more work that has previously been done by internal audit is now being addressed by a specific second line of defense function (most importantly compliance). Whereas in the past, compliance findings were the easiest “tick-the-box” exercises for internal audit, stakeholders now expect a higher value contribution from auditors, e.g. strategic analyses, forward-looking assurance, emerging risk assurance etc.
- My second, even greater concern which was not top of the list of the webinar is that not all risk assurance actors in the TLoD are working at the same level of professionalism and with soundly defined standards and methodologies, meaning that the quality of their work does not have the same level and stakeholders cannot be sure how reliable the assurance provided actually is. As a reference I am actually using the Professional Practices Framework of the Internal Auditing profession and the ISACA Standards for IT assurance engagements. And my main concern is again the compliance function which is conducting compliance “audits” or monitoring – essentially “assurance-type engagements” – but not necessarily with a sufficient understanding of independence, objectivity, the needed interviewing, process review and data analysis skills that internal auditors are required (or at least expected) to have. And without the requirements of a quality assurance program like the Internal Auditing Standards require for internal audit departments.
- Another concern, not sufficiently analyzed in the webinar, is the focus on mainly downside risks by many of the TLoD assurance functions. This may result in recommendations of adding controls upon controls, uncoordinated, bolted-on instead of built-in, with an overall detrimental impact on efficiency of processes and of course an increase in cost of controls. Not to mention adding to the already inherent bad perception of risk-and-controls by the business.
And what about objectives?
The word “objective” appeared only once throughout the entire webinar, and that’s what made me truly sad. Because risk management, internal controls, assurance – all of these do not make sense if seen disconnected from the objectives of the organization, of the business.
I have especially met compliance practitioners who were completely risk-control or even only control-focused: meaning, they needed to put a control for every risk they could imagine in order to minimize the risks; or they even demanded management to implement controls because they weren’t present but were present in other operating units.
But all assurance activities will stay disconnected from business if we keep thinking and talking like this! We need to understand (starting each of us with ourselves) that the only relevant risks are “risks to objectives”, the effect of uncertainty on objectives. And that uncertainty is a given and will to some extent always remain a part of business reality. We live in a VUCA world: volatile, uncertain, complex and ambiguous.
Controls are the reaction of the organization to this, the measures and actions taken to try and cope with uncertainty and achieve the objectives in the best possible way as planned with respect to uncertainty. Not to forget that the effect of uncertainty can also be positive deviations from objectives (“upside risks”).
The “Truth“ about risks – in a VUCA world – are you kidding me?
The only absolute truth is that there are no absolute truths. – Paul Feyerabend
Remember that the problem statement included the fact that there are multiple views of “the Truth” in the TLoD and the webinar suggested that assurance providers cooperate and align in order to achieve a “Single View of the Truth” [about risks]. Understanding risks as the effect of uncertainty on objectives, the use of a metaphysical term like “the Truth” (as in “Multiple Views of the Truth” or “Align on a single view of the Truth”) is very inappropriate and the webinar provider should have known better than to use it.
The “Truth” about risk will never be known beforehand with certainty. Because we are considering potential events in the future. That’s why we call it uncertainty. If it was possible then it would be management’s duty to make sure we achieve this certainty or at least approach it as closely as possible. Moreover, qualitative assessments – even aligned – amongst the different assurance players will never yield “the Truth”.
An achievable outcome from my view will be an “objectivized” assessment from multiple perspectives. Even better would be a quantification of the risks (by multi-functional contribution to risk modeling and then Monte Carlo simulation). Doesn’t sound as good as “Truth” though, but will probably be the closest true representation of the truth you can get (with all assumptions; for a given value of “true”).
The Three Lines of Defense – an out-dated model at the core of the problem
When you realize you are riding a dead horse the best strategy is to get off. – Wisdom of the Dakota Indians
From my view, much of this problem results from staying within the paradigm of the TLoD model itself in the first place. The discussion is about how to align the assurance and coordinate the different actors within the TLoD. But what about taking one step back, looking critically at the entire model and thinking about alternatives instead of optimizing a potentially flawed model?
When I was still in Internal Audit, I loved this system, because it gives auditors this sense of being important. The last line of defence of the organization against all the risks that line management failed to see and where even the second line functions were not paying attention or not functioning properly. And this is mainly what this model does in my eyes: justify the positive self-image of Internal Audit against an ever widening expectation gap. And I am not alone in my criticism of this model.
- It begins with the “martial” title: “Defense” implies that risks are something bad which the organization needs to defend against. Let’s remember that the bias towards downside risks is one of the parts of our problem statement, why we need more alignment. And let’s not forget what I wrote in my recent post (“What’s in a name”) on the importance of the terms we use for expressing our inner attitude and conveying meaning.
- The separate “lines” grouping the different “defense” functions (the TLoD model does not call them “assurance” functions) in 3 silos, the higher ones overseeing the lower ones with Internal Audit being the culmination of independence and objectivity and the “final internal guardian” against risks. This separation into the different lines is again what causes the need for alignment in the first place, because it creates the silo mentality.
- The second line is a collection of different “governance” functions which are again silos unto themselves: Financial Reporting Controls, Legal, Quality, IT Security, Data Privacy, Compliance, Health & Safety, Risk Management… All of these have their own evolution and history, their own view of risk, their own taxonomy, more or less evolved professional standards and of course professional associations. And these are jealous guardians of their own turf – see for instance the discussions between Risk and Quality and the influence it has had on arriving at an ISO standard for Risk Management. Some of those functions are subject to specific external regulatory requirements (GDPR), have to maintain certifications (ISO 9001; 27000…) and justify their own individuality from this point of view.
Main driver of alignment is Internal Audit
So what is the interest of these players to align more? They have much to lose; their individuality, their independence, their claim for being the authority on their own turf; their autonomy as a separate function; … Currently, as per the webinar, the most frequent drivers are the Chief Audit Executives. But they didn’t elaborate on why this is so.
The reason, in my opinion, is that Internal Audit has the most comprehensive mission and assurance scope, but has in the past 15 years (since SOX) “lost” some turf to the 2nd line functions: ICoFR, Risk Management and more recently Compliance. These were traditionally – and in smaller audit shops still are – under the responsibility of the Chief Audit Executive (CAE).
In the latest revision of their Standards, the IIA have finally expanded their view that this is a reality and will not go away even if the Standards say it’s not ideal. So the Standards now say it’s possible to leave these under the responsibility of the CAE if the IA function doesn’t provide assurance on these activities. But that means that the IIA actually acknowledge themselves that the separation of second and third line isn’t strict. (Interestingly, this explicitly includes the IA function being responsible for Risk Management – which according to the IIA Definition of Internal Auditing constitutes one third of the elementary assurance scope of IA: “governance, risk management and internal controls”!)
Also, it has for some time been a part of the IIA Professional Practices Framework that the CAE should coordinate work with other internal assurance functions and create assurance maps. Again, a reason for IA to drive some alignment and get a positive check mark in their next Quality Assessment.
Alignment vs. Integration
The webinar went on to explain why the provider prefers the term “aligned assurance” over similar terms and variations like “integrated assurance” or “combined assurance” or “convergence”. (Interestingly, the title of the webinar wasn’t “aligned assurance” but “coordinated assurance”.)
Alignment means that the different risk functions/assurance providers will stay separate functions but sit together at one table to “align” on
- their methodology and taxonomy for viewing risk and
- co-ordinate their work in terms of risk coverage, timing of engagements and
- agree – if possible – on similar reporting, rely on one another’s work or at least exchange their reports for mutual information.
Great! Another meeting or committee. Headed by … the CAE, because he called everyone to the table and can justify his role from the IIA professional Standards. This approach really lacks ambition, as it tries to solve the problem half-heartedly by keeping the structure in place from which most of the problem originates.
Can you understand my disappointment? Will this lead to improved risk management as promised in the title?
A committee is a group that keeps minutes and loses hours. – Milton Berle
The Common Denominator: Risk
In my personal opinion, the “glue” between the three lines and the one common denominator is “risk” and the co-ordinating function should be (Enterprise) Risk Management. From a system theoretical point of view: it’s a subsystem for how the overall system (organization) deals with risk, meaning the effect of uncertainty on objectives. There’s no reason to divide this subsystem into three lines and no reason to call it defense, because the latter implies a negatively biased view of risk.
Why not break up the lines and put in place one Chief Assurance Officer, reporting directly to the CEO, who integrates below all assurance functions from the previous 2nd and 3rd line (with a new, integrated mission)? This will be a little like in the “olden days” when most of this was taken care of by Internal Audit, because there wasn’t yet a more differentiated second line.
This way real synergies could be achieved, assurance costs, effort, time saved, impact of the engagements on the organization minimized and simultaneously the quality of assurance would be increased (if not maximized). Reporting to senior management will be unified, using one taxonomy, one common and consistent risk rating system and one format and logic for remediation actions and their tracking.
It will also eliminate the need for so many other Chief Officers, all dealing with some specialized area of risk and wanting the CEO’s attention, writing reports based on different methodologies… So we would no longer need a Chief Ethics and Compliance Officer, a Chief Risk Officer, a Chief Information Security Officer, a Chief Audit Executive, … and the list goes on.
Focus this integrated function on excellent integrated risk management (in the sense of assuring informed management decision making in the face of uncertainty) and supporting operative management from a holistic perspective by integrating all functions like Financial Controls, IT Security, Quality, Compliance, Legal … And – I hope the IA community won’t brand me a heretic for this – give up the idealistic aspiration of a truly independent and objective “internal” audit function; instead contract this assurance from an external provider, sponsored by the Audit Committee/Board of Directors.
That way, former first and second line are key and focus is on achieving objectives and effective, informed management in the face of uncertainty. But this integration would mean a true paradigm shift – and it’s unlikely that any one of the incumbent assurance players would drive such an initiative.
The human mind has only two functions: survival and being right. – Ron Smothermon