I ran a workshop in London over the past two days on the topic of Assurance Maps. Readers will not be surprised to learn that one of the key ingredients for a successful Assurance Map is to be clear about the added value that managers and senior managers will derive from the exercise (often board and audit committee members recognise that an assurance map will help “join up the jigsaw” of assurance efforts, and therefore tend to be supportive).
At face value this may seem to be a straightforward matter – if the board and audit committee can be persuaded support an assurance map, would it really matter if managers and senior managers were not that enthusiastic? In my experience working on assurance mapping efforts for the past 15 years, this is an important question, because there is a big difference between managers and senior managers tolerating an assurance map, but not seeing much benefit in what it gives; compared to them seeing it as a useful management tool that will help them manage aspects of their organisation. Clearly, in the latter case, you are much more likely to get ongoing interest in, and support for, further development of assurance maps from management; rather than them seeing an assurance map as a one-off activity that should be completed and then shelved.
What follows is a summary of our discussions. As you will see, the key message is the importance of being focused, specific and realistic about the added value goals being sought, and the need to think ahead, and manage proactively, how this added value might unfold (or not!).
Case 1
Senior managers run a lean business, conscious of costs and wary of too much bureaucracy. In this context, the Head of Internal Audit (HIA/CAE) thought an auditing assurance map could be “sold” to them on the basis that it might identify overlaps in assurance, resulting in more co-ordinated auditing between second line of defence and third line of defence functions and – ultimately, perhaps – leading to lower costs of auditing. This would also be appealing to operational managers who might feel they were being audited too much.
Case 2
A senior manager had an oversight role of a critical process, that spanned various parts of the organisation and that provided a key revenue stream for the organisation, but at the same time this process was highly regulated and regularly audited by outside bodies, with “clawbacks” and penalties possible if regulations and other requirements were not adhered to. The HIA thought that an assurance map of this process could be useful because it would pin down, across different functions, who was responsible for what to ensure delivery of each of the different elements and to maintain compliance. The HIA was convinced the senior manager responsible for the overall process would like the assurance map and thought that numerous other managers involved in the process might be content to participate in the assurance mapping effort on the basis that it would show what they did (and did not do) and – hopefully – reduce repeat questions/audits from internal audit and others (e.g. regulators/external auditors).
Case 3
The risk management process of an organisation was relatively immature. A new head of risk had been appointed in the past 18 months and was busy working on rolling out risk awareness training and a new risk system to capture and collate key risk information. The HIA felt that working on an assurance map could be used to flush out potential “black holes” in the risk profile, giving it more solid foundations going forward.
Case 4
The manager of a business unit, and the senior manager of the business division above, had already been persuaded by an HIA that an assurance map should help them get greater confidence in relation to how they were going to achieve a key business development initiative. The business development initiative relied upon close working between the business unit, the marketing department and IT (which were managed outside of the division), and it was expected that the assurance map would help pin down accountabilities for particular tasks, in particular highlighting that marketing and IT would most likely need to focus on supporting the business unit more (requiring closer monitoring and them providing better management information), so more timely actions could be taken by the business unit to manage risks, reduce delays, and achieve the business development objectives.
*******
Hopefully readers will already appreciate the benefit of going beyond generic and general descriptions of how to add value and – instead – seek to establish a detailed, specific understanding of the benefits that the assurance map should provide from the perspective of the managers and senior managers who were going to be asked to help with the assurance map. In other words, to put yourself in the shoes of those who are going to be asked to help with the assurance mapping effort and consider “what’s in it for them”? In my experience, the more they can see the benefit/value add they will get, the more chance there is that they will engage with the process and be interested in the insights an assurance map can provide, and apply this going forward as part of their business as usual activities.
So far so good: but now we need to pause to think through how the benefits/value add we foresee may, or may not, arise. As you will see from the following vignettes (which unfolded during discussions at the workshop), even when a clear sense of adding value is understood at the beginning, it is not always so straightforward to ensure this will be delivered by the end of the exercise:
Case 1 revisited – reducing audits and saving costs
Cost savings are a common way that assurance maps are sold, but invariably you will find eager finance directors asking the HIA: “so how much cost will we save from the assurance map work”? And, I am afraid to say, some HIAs I have met have offered a potential savings estimate (“just a ballpark, not guaranteed”) that they have then subsequently been asked to deliver. In these circumstances, if an assurance map is progressed on the basis that it will deliver cost savings, then if those involved in the effort find this out, they may become reluctant to fully co-operate, on the basis that their department budget/headcount might be cut.
Case 2 revisited – critical revenue process with high regulatory scrutiny
Preparing an assurance map to demonstrate that key players in a process are doing what is needed to comply with regulatory requirements can a very useful. However, it should be recognised that it is possible that the assurance map may reveal gaps and short-comings in the assurance picture and, in these circumstances, it may highlight to regulators, if they request sight of the assurance map, that there are weaknesses in compliance.
Case 3 revisited – strengthening risk management
Assurance mapping efforts can be a powerful tool to flush out risk assurance “black holes”. In fact, this is how I first became involved in assurance mapping when I was the HIA/CAE of AstraZeneca in 2003. In the case described earlier, as we explored how the assurance mapping exercise might progress, it was recognised that that the head of risk might be rather sensitive to new risks being presented from an assurance mapping exercise that questioned the progress they were making in relation to the risk management process.
Case 4 revisited – assurance over a key business development initiative
The key risk identified was that the assurance mapping exercise might not yield the exact outcome wanted by the head of the business unit or head of the business division; for example, it might highlight gaps between the roles and responsibilities of the business and the marketing/IT departments, but not resolve them. Also, it was recognised that there might be a sensitivity to manage around how the heads of marketing and IT would react if the assurance map suggested more work for them, or a restriction in their operational independence.
Reflections and key messages for assurance mapping efforts
As we can see, there is a great deal of value in being precise about what benefits are going to be obtained from an assurance map to justify the efforts involved. The value of being clear about “what benefit exactly, and for who” is that it can focus attention on the question: How certain is it that the benefits that are being sought are going to be obtained? In addition, thinking about the specific benefits being sought may reveal pitfalls that might arise, and thereby encourage greater efforts to proactively manage these.
In summary, key insights to be borne in mind when working on an assurance map are:
- Recognise that whilst an assurance map may identify overlaps in assurances, that could yield efficiency and or cost savings; it might also highlight gaps that require additional efforts or costs. Therefore, great care needs to be taken in promising benefits in terms of cost/efficiency savings at the outset of an assurance mapping exercise. This is important not just because the cost agenda may “twist” the outcome of the assurance map to the wrong outcome (e.g. by glossing over gaps), but also because of the motivational impact of such an exercise on those involved (who sense that their jobs may be under threat).
- To recognise that whilst an assurance mapping exercise can be an excellent way of highlighting issues around risk and assurance roles and accountabilities; it must also be recognised that arguments over roles cannot always be resolved between different departments and divisions themselves, since a change or even just a clarification in roles may result in either: i) additional work, which may have resource implications; or ii) a reduction in responsibilities, or freedom to operate, that can be perceived as constraining the autonomy of the department. Consequently, those involved in an assurance mapping effort need to think, up front, about the process and governance that may be needed to resolve any differences between different departments. Note that the resolution of some accountability matters may require executive / C-suite level involvement in some circumstances (since this is the only level with the authority to decide).
- If done well, an assurance mapping exercise may reveal legal and regulatory short-comings that have hitherto been missed (typically “hairline cracks” that have eluded other forms of analysis). Therefore, again, there needs to be thinking, up front, about how any regulatory issues, risks or short-comings would be:
- documented in writing, so that they do not exaggerate the problem and will not be misunderstood by staff, regulators or other stakeholders who might see the results. This will therefore require training for the team involved in the assurance map around legal/regulatory discoverability issues, as well as the close involvement of legal/regulatory expertise as the assurance map effort progresses; and
- remediated timely basis – requiring thought about resourcing/expertise to get key issues fixed without delay. Readers will appreciate that there is little point in becoming even clearer about compliance issues if there is then a limited ability to remediate the key issues on a timely basis!
- An assurance map is typically best done with the full participation of relevant managers and senior managers, with the sense of some benefit that they are interested in, rather than just tolerated by them for no real gain from their perspective. Getting proper buy-in around the benefits of an assurance map should maximise the chances that the results will not just be a paper exercise (which I sometimes call “GRC Theatre”), and instead be something that can yield value, and ensure compliance on an ongoing basis. Consequently, it can be useful to:
- focus the scope of an assurance map to a specific area where there is seen to be a problem or clear opportunity for improvement, also being very clear about the risk/assurance appetite of what good enough looks like (to avoid over or under analysis); and
- recognise that managers, senior managers and other stakeholders may be sensitive to certain outcomes if they might highlight weaknesses in what they have done, or that do not align with outcomes they were anticipating, or the agendas they were hoping to progress. In other words, recognise that there may be political undercurrents to any assurance mapping exercise.
It is outside of the scope of this paper to discuss, in detail, the detailed steps that might be needed to address the dilemmas and challenges of assurance maps in specific situations; since often the way forward will depend on the specific organisation, context and stakeholder expectations and dynamics. However, I do hope article highlights the mind-set needed think through the benefits and concerns when proposing and then progressing an assurance map.
James C Paterson; October 2018
For more information on this topic see other articles on risk assurance.
If you have a specific enquiry on assurance maps, please e-mail: jcp@riskai.co.uk
I contacted [James] for advice as to how Assurance Mapping techniques could be applied in my own authority. Not only were his ideas very constructive, his approach was very professional yet carried out in a friendly, easy going manner which greatly helped my understanding of the issues involved. James was then always happy to deal with any follow up queries I had and he helped to fine tune and discuss the approach with the rest of my team who similarly very quickly formed the same positive view of James’s style and manner. We have recently introduced this new approach into my authority and the results and comments to date have been very encouraging, thanks in no small way to James’s advice and assistance. I would have no hesitation recommending James to anyone.
James has helped me and my team in a number of areas, examples being improving the way we conduct and report on our audits and helping with our assurance mapping. This has all been done in a positive and supportive manner, helping the team to embed learning from these sessions.