What is Integrated Risk Assurance?
“Integrated risk assurance involves an objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organisation” (as defined by the IIA).
Why is it important?
Despite the events of the recent global financial crisis and the ever-increasing pressure placed on boards and senior management to improve their risk management systems, integrated risk assurance remains an aspirational objective for most large enterprises.
A major benefit of integrated risk assurance is that it gives internal stakeholders at each level of an enterprise a common view of their risk control performance, thereby enabling them to better discharge their management responsibilities.
It also provides external stakeholders confidence that an enterprise is capable of identifying and correcting risk control problems before they adversely impact its performance and value.
The missing pieces
The first missing piece in the integrated risk assurance puzzle is a methodology that can reliably monitor and report risk control performance across all enterprise processes, projects and third parties. To do this effectively it needs to be quantitative.
Without a common monitoring methodology, risk assurance tends to operate within silos, a situation which often leads to disparate assessment methods and technologies, unnecessarily high monitoring costs, inconsistent and unreliable reporting, poor decision making and, worse still, ill-informed risk-taking.
The second missing piece is the availability of a suitable software solution. This is essential to removing the inefficiencies associated with current risk assurance solutions.
Piece 1: Proven methodology
The most effective quantitative risk monitoring, assessment and control methodology is 100% inspection, but it is impractical for most enterprises, especially service-based ones. A more affordable solution is some type of statistical auditing system.
There are many types of statistical auditing systems available, but the most popular and easiest to understand is the one published in ISO 2859-1:1999 – Sampling procedures for inspection by attributes.
The main reason this standard is particularly suited to solving the integrated risk assurance puzzle is its ability to normalise process risk assessment. It does this by measuring the type (consequence) and number (likelihood) of risk control failures found in regularly selected samples.
At the completion of each audit results are analysed to determine if the enterprise’s risk appetite has been exceeded. Previous audit results are also analysed and used to assign the responsible process an objective performance rating; i.e. Excellent, Good or Poor.
A major benefit of this highly objective approach to risk performance monitoring is that audit outcomes can be used, with high levels of confidence, to determine when and what actions are needed to mitigate product and service non-conformances and/or improve process performance.
The statistical methods outlined in ISO 2859-1:1999 are also designed to significantly optimise the risk monitoring of processes by calculating the optimum sample size for each audit. This calculation is performance based, meaning processes with a Poor performance rating are audited more intensely than those with a Good or Excellent performance rating.
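To make the mechanics of the preceding paragraphs concrete, here is an added illustration (not code from the original page or from any vendor) of an attribute-sampling monitor that judges each audit sample against an acceptance number and then applies ISO 2859-1 style switching rules: two rejections within five consecutive audits move a process to tightened inspection, five consecutive acceptances on tightened return it to normal, ten consecutive acceptances on normal relax it to reduced, and five cumulative rejections on tightened discontinue sampling pending corrective action. The sample sizes and acceptance numbers in `PLANS`, the class names, and the mapping of inspection severity onto the page's Excellent/Good/Poor ratings are all assumptions constructed for this example; real plan parameters are read from the standard's tables, and the standard attaches further conditions (such as steady production and a limit number) to the switch to reduced inspection that are omitted here.

```python
from dataclasses import dataclass, field
from enum import Enum


class Inspection(Enum):
    NORMAL = "normal"
    TIGHTENED = "tightened"
    REDUCED = "reduced"
    DISCONTINUED = "discontinued"


# Hypothetical single-sampling plans, one per inspection severity:
# (sample size n, acceptance number Ac for "major" failures).
# Constructed for this example; real plans come from the standard's tables,
# indexed by lot size, inspection level and AQL.
PLANS = {
    Inspection.NORMAL: (50, 3),
    Inspection.TIGHTENED: (50, 2),
    Inspection.REDUCED: (20, 1),
}

# Assumed mapping from inspection severity to the page's rating scale.
RATING = {
    Inspection.REDUCED: "Excellent",
    Inspection.NORMAL: "Good",
    Inspection.TIGHTENED: "Poor",
    Inspection.DISCONTINUED: "Poor",
}


@dataclass
class ProcessMonitor:
    """Tracks one audited process through ISO 2859-1 style switching rules."""
    inspection: Inspection = Inspection.NORMAL
    run: list = field(default_factory=list)   # accept/reject since last switch
    tightened_rejects: int = 0                # cumulative rejects while tightened

    def plan(self):
        """Sample size and acceptance number to use for the next audit."""
        return PLANS[self.inspection]

    def rating(self):
        return RATING[self.inspection]

    def _switch(self, to):
        self.inspection = to
        self.run = []
        if to is Inspection.TIGHTENED:
            self.tightened_rejects = 0

    def record_audit(self, critical=0, major=0):
        """Judge one audit sample and apply the switching rules.

        The sample is rejected if any critical (high-consequence) failure is
        found, or if major failures exceed the plan's acceptance number.
        Returns True when the sample was accepted."""
        if self.inspection is Inspection.DISCONTINUED:
            raise RuntimeError("sampling discontinued; resume only after corrective action")
        _, ac = self.plan()
        accepted = critical == 0 and major <= ac
        self.run.append(accepted)

        if self.inspection is Inspection.NORMAL:
            # Two rejections within five consecutive audits: tighten.
            if self.run[-5:].count(False) >= 2:
                self._switch(Inspection.TIGHTENED)
            # Ten consecutive acceptances: relax to reduced inspection.
            elif len(self.run) >= 10 and all(self.run[-10:]):
                self._switch(Inspection.REDUCED)
        elif self.inspection is Inspection.TIGHTENED:
            if not accepted:
                self.tightened_rejects += 1
                if self.tightened_rejects >= 5:
                    self._switch(Inspection.DISCONTINUED)
            elif len(self.run) >= 5 and all(self.run[-5:]):
                self._switch(Inspection.NORMAL)
        elif self.inspection is Inspection.REDUCED:
            if not accepted:
                self._switch(Inspection.NORMAL)
        return accepted


if __name__ == "__main__":
    # Constructed audit sequence for one process.
    m = ProcessMonitor()
    for critical, major in [(0, 1), (0, 4), (1, 0)]:
        m.record_audit(critical=critical, major=major)
        print(m.inspection.value, m.plan(), m.rating())
```

The acceptance number plays the role of the risk appetite the page describes: exceeding it on a single sample rejects that sample, while the switching rules turn the history of accepted and rejected samples into the performance rating and into the sample size for the next audit.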
Piece 2: Suitable software solution
The last piece in solving the integrated risk assurance puzzle involves incorporating the above methods into an affordable software solution. The software also needs to be easy to use, suitable for staged implementation and cause minimum disruption to existing risk assurance processes.
A suitable integrated risk assurance software solution must also be capable of producing an easy-to-read risk assurance map similar to that outlined below.
It must also be suitable for conducting internal audits and communicating risk performance information to external stakeholders, i.e. committee members, shareholders, creditors, suppliers, customers, communities, government and regulators.
The benefits of an integrated risk assurance software solution incorporating the proven quantitative risk monitoring and control methods outlined in ISO 2859-1:1999 include:
> Consistently reliable and accurate risk control performance reporting across all enterprise levels
> Improved capacity to quickly identify and correct unacceptable risk control performance
> Improved confidence in an enterprise’s ability to achieve its strategic objectives and goals
> Significant reductions in risk monitoring, analysis and reporting costs
> Continuous process, project and third-party risk control performance improvement
Significant benefits now await those enterprises prepared to look beyond the traditional siloed approach to risk assurance. The methods and technology exist; all that remains is to take the next step.