Tag Archives: Governance & Risk Assurance

Corporate Governance Theatre: Risk culture, plausible deniability and wilful blindness

Very pleased to have been asked by the ACCA to write an article on ‘Corporate Governance Theatre: Risk culture, plausible deniability and wilful blindness’.

An overview follows immediately below, after which is a link to the full article on the ACCA’s website.

Background and introduction

My role as a consultant is to work closely with clients on governance, risk, compliance (GRC) and assurance challenges. Our aim is to ensure GRC improvements are genuinely welcomed and used by business managers, alongside risk, compliance and audit professionals; balancing rigour with pragmatism and cultural fit.
Earlier in 2018, I wrote an article on why we continue to get GRC and assurance surprises of some magnitude, despite management assurances and auditor sign offs. My perspective is that too often we have ‘corporate governance theatre’. Things look good in many ways, but – just below the surface – there are ‘hairline cracks’ that are missed by management, boards and even auditors and regulators, until it is too late.

After writing this article, I was happy to be asked by ACCA to write an article on risk culture – including ‘plausible deniability’ and ‘wilful blindness’, which are part of the theatre problem – and this article:

  • provides an overview of plausible deniability, wilful blindness and associated phenomena
  • explains how and why these behaviours arise
  • highlights warning signs to watch out for
  • sets out practical steps in the context of GRC to make meaningful progress.

Note that, in my experience, progress is not about implementing new systems (though these may help), but rather about looking at what is currently being done from a different angle, with the objective of ‘getting real’ about the issues, and potential gaps, that matter the most.

Read the full article here

Not as straightforward as it seems – Adding value – Assurance maps

I ran a workshop in London over the past two days on the topic of Assurance Maps. Readers will not be surprised to learn that one of the key ingredients for a successful Assurance Map is to be clear about the added value that managers and senior managers will derive from the exercise (often board and audit committee members recognise that an assurance map will help “join up the jigsaw” of assurance efforts, and therefore tend to be supportive).

At face value this may seem to be a straightforward matter – if the board and audit committee can be persuaded to support an assurance map, would it really matter if managers and senior managers were not that enthusiastic? In my experience working on assurance mapping efforts for the past 15 years, this is an important question, because there is a big difference between managers and senior managers tolerating an assurance map, but not seeing much benefit in what it gives; compared to them seeing it as a useful management tool that will help them manage aspects of their organisation. Clearly, in the latter case, you are much more likely to get ongoing interest in, and support for, further development of assurance maps from management; rather than them seeing an assurance map as a one-off activity that should be completed and then shelved.

What follows is a summary of our discussions. As you will see, the key message is the importance of being focused, specific and realistic about the added value goals being sought, and the need to think ahead, and manage proactively, how this added value might unfold (or not!).

Speaking at IIA HIA Conference

Internal Audit Leaders’ Conference 16th March 2016 

Combined assurance, one language, one voice, one view
James Paterson | Director, Risk & Assurance Insights Ltd.

  • consistent messaging across all governance bodies and functions within an organisation
  • breaking down silos and more efficient collection and reporting of information
  • a common view of risks and issues.

Further details about the conference can be found here.

Assurance ratings – simplistic approaches are not always a good idea

I talked in an earlier blog about the benefits and drawbacks of having a ‘standardized approach’. Here is another example from assurance mapping where ‘standard’ terms can cause problems. Consider the standard assurance ratings as follows:

  • Low assurance confidence – where management are self-assessing their own work
  • Medium assurance confidence – where the second line of defense (compliance and risk functions etc.) are checking what is being done
  • High assurance confidence – where there is independent checking of (say) >50% or 75% of key controls

These seem so sensible and reassuring – let’s use these criteria to produce an assurance map! The importance of independent checking by Internal Audit will become clear!

The problem with this sort of standardized assessment is that it implicitly downplays assurance from the first and second lines of defense and favours audit work in a way that can cause significant issues when management are told about their low levels of assurance. Let’s consider this question more closely: how confident should we be with each type of assurance?

1)    Management

Of course there is always a risk of self-deception in self-assessment by managers of their own activities, but if the criteria management should apply are clearly spelled out, and the manager concerned is experienced and unafraid to be honest, we can take a lot from their assessment. This is all the more so when management may be reporting upwards that they have issues and concerns that need to be addressed. Thus it is a dangerous oversimplification to say that all management assurance is only of low quality.

Using tools – when to standardize and when not

At the moment I am working on a big GRC change project for a client and we are starting to think about software tools for control self-assessments. The initial interest was to see if some of the existing in-house applications in use for other purposes could be used, but we have discounted these because they do not adequately allow for the aggregation and analysis of results, nor do they enable effective tracking of open issues until closure (after all, what is the point of reporting an area for improvement if you cannot be confident it has been dealt with?).

We are now in the process of looking for solutions that some of my other clients have used, adapted for the needs of this client. Here my advice is simple: What is the point of reinventing the wheel? Let’s select something that works well elsewhere – our needs are not that different because this is about a largely mechanical process of collecting a specific sort of information, categorizing it and then deciding what to do about it.

At the same time I have been working with another client on assurance mapping, focusing on several specific areas of interest to senior stakeholders. Here there was interest at first in me offering a standardized approach, standardized report – and ideally – a simple tool to use. The attraction of a standardized approach and a simple tool is clear, but my client has recognized – over the course of our work together – that force-fitting a standard approach would not work for them.

In particular, my client recognized that the real purpose of asking me to work with them to map assurances was not really simply about mapping assurances, but to identify areas for improvement in areas where there had been question marks previously.
