Organizations have to be laser-focused on risk to stay competitive, but teams can miss the risks right in front of them if they’re working in silos. A combined assurance program can help, but CAEs should first ask if their risk culture and risk management approaches are mature enough to handle it.
(We outlined the combined assurance model and its background in our white paper What is combined assurance? It’s a good overview of the business value combined assurance delivers, how it supports risk management, and how it works within the Three Lines of Defense model.)
Implementing combined assurance is a project, and like any project, there’s a chance it can go sideways and fail, losing you both time and money. So, just like anything else in business, CAEs need to take a risk-based approach to assessing their organization’s risk management maturity.
"The more mature your risk management processes are, the easier it will be to implement combined assurance."
5 questions to determine your maturity
The first step toward combined assurance is understanding your current maturity level. This will help you establish and outline the need for combined assurance, which then leads you to:
- Envisioning a solution
- Planning a solution
- Implementing a solution
- And finally, operationalizing combined assurance.
In this blog, we’re talking specifically about analyzing your maturity, but you can read about the other steps in our white paper Implementing combined assurance.
The combined assurance implementation process.
To assess your organization’s risk management maturity, you’ll need to take a close look at five aspects.
1. What is your corporate risk culture?
An organization’s risk culture refers not only to how it manages risk, but also everyone’s attitudes and behaviors toward it. Risk culture and risk appetite shape an organization’s decision-making, and that culture is reflected at every level.
Organizations who are more risk-averse tend to be unwilling to make quick decisions without evidence and data. On the other hand, risk-tolerant organizations take more risks, make rapid decisions, and pivot quickly, often without performing due diligence.
From leadership support to data-driven decision-making, your organization’s risk culture plays a key role in how successful your combined assurance program will be.
2. How risk aware are your employees?
If employees don’t know—and don’t prioritize—how risk can and should be managed in your organization, your implementation program will fail. Whether an employee clicks on a phishing link in an email, doesn’t properly vet a third-party vendor, or can’t acquire and retain top talent, risk is everywhere, at all levels of an organization. Because assurance is very closely tied to risk, it’s important to communicate constantly and make people aware that risk throughout the business must be adequately managed.
3. Do you have solid risk management processes in place?
We just stated that risk and assurance are tightly coupled, so it makes sense that the more mature your risk management processes are, the easier it will be to implement combined assurance. Mature risk management means you’ve got processes defined, documented, running, and refined. For the lucky few who have all of these things, you’re going to have a much easier time compared to those who don’t.
4. What’s your risk and controls language?
We can’t have people making up names for tools, referring to processes in different ways, or worst of all, reporting on totally random KPIs. Without question, you will require a common risk and compliance language. In the words of Sam C. J. Huibers in his research paper for The IIA Research Foundation on Combined Assurance, the result of combined assurance should be “one language, one voice, one view” of the risks and issues across the organization.
5. Do you have the right risk management software in place?
Without dedicated technology, it’s extremely difficult to provide a sustainable risk management system with sound processes, a single taxonomy, and integrated risks and controls. How technology is used in your organization will determine the sustainability of combined assurance. (If you already have a risk management and controls platform that has these integration capabilities, implementation will be easier.)
How to rank your risk management maturity
Despite combined assurance being introduced over a decade ago, it’s still being talked about as if it were a relatively new concept. Its adoption is fragmented, and many organizations struggle to implement it. That’s why CAEs need to look at all the make-or-break capability factors for implementing combined assurance, which are more than we can cover here. Read our white paper below to get a broader view of assessing your organization’s readiness for a combined assurance program, and to learn how to rank your organization’s risk management maturity.
White paper:
Implementing combined assurance
We’ll guide you through:
- Establishing the need for a combined assurance program
- Envisioning and planning the solution
- Implementing your plan
- Operationalizing your program
