Risk Management

Evolved models of combined assurance bolster organizational risk management

By: Terrance M. Booysen (Director: CGF) & Anton van Wyk (Partner & Risk Assurance Leader: PwC)
Organisations can no longer operate only for the economically-driven rationale of generating a profit for their shareholders and investors.  Organisations are an integral part of the societies and the environments in which they operate.  As such, they affect — and are affected by — both internal and external stakeholders, and are consequently accountable to them.
Accountability is key
The accountability of an organisation to its various stakeholders lends the organisation its legitimacy, and is both critical and complex.  It is critical insofar as it ensures the viability and sustainability of the organisation in the face of increased expectations from informed stakeholders and institutional investors.  It is complex insofar as the accountability of an organisation cannot simply be measured on the basis of returns to shareholders and investors, but must take into account its impact on a broad range of other role-players, such as employees, customers, the media, government, local communities and even the natural environment.
As a requirement of sound corporate governance, and in the interests of maintaining their sustainability, organisations should consider and report on their interdependence with the economy, society and the environment (collectively known as the triple context).  They should also consider and report on their interactions with the six forms of capital which they use or affect.  These six capitals are financial, manufactured, intellectual, human, social and relationship, and natural.
An important facet of an organisation’s accountability to its stakeholders — which considers the triple context as well as the six forms of capital — is its ability to give true and valid assurances that the organisation is functioning soundly in the integrated environment within which it operates.  As a part of the organisation’s normal risk-management processes, it should be able to adequately show how the organisation identifies, manages and mitigates the myriad risks which it faces.

“…it is now accepted that organisations operate in the triple context of the economy, society and the environment. How they make their money does have an impact on these three elements and, in turn, they impact on organisations.”
The King IV Code on Corporate Governance for South Africa, 2016™
Risks are many and varied
As organisations evolve and become a more integral part of the society in which they operate, their circle of influence expands.  Equally, the factors which influence organisations, in either a positive or negative way, are constantly changing; managing the heightened complexity of risk is just one reason that may explain the rationale for the new COSO ERM Framework – Integrating with Strategy and Performance, which was released in 2017.
It is unlikely that an organisation’s Board of directors will be able to single-handedly identify, address, manage and mitigate all of the risks (i.e. financial and non-financial risks) which arise from the very nature of the organisation’s business, as well as from the changing world in which that business operates.
An integrated approach to an organisation’s risk management requires a combined assurance approach, which can provide the Board, and ultimately the organisation’s stakeholders, with confidence in the full suite of control and review measures implemented by way of the unified efforts of a wide range of assurance providers.  Ultimately, the concept of combined assurance aims to address all of the risks which an organisation faces, and in so doing, it aims to optimise the organisation’s strategy, performance and its approach to risk management.
Assurance is evolving
The provisions of the King Code on Governance for South Africa, 2009 (‘King III’) defined the concept and practice of combined assurance as “integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company’s risk appetite”.  In achieving combined assurance, King III required organisations to rely on the expertise and assurances of internal and external auditors, as well as the assurances given by the management of the organisation itself.  These role-players were considered to constitute the ‘three lines of defence’, which would address an organisation’s risks.
In line with the evolving nature of business and the tenets of good corporate governance, the King IV Code on Corporate Governance for South Africa, 2016™ (‘King IV™’) — which replaced King III — has taken the concept of combined assurance further to require an extra three lines of defence (now a total of six lines of defence) as additional measures to identify unwanted risks, and ultimately, to protect an organisation from them.
In addition to an organisation’s management, and the functions and duties of the internal and external auditors of the organisation who provide the Board with a certain level of assurance, the following functions should now also be considered as part of a combined assurance matrix: organisational specialist functions that facilitate and oversee risk management and compliance; other external assurance providers, such as IT auditors, sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors; and regulatory bodies, which provide high-level monitoring and oversight.
Each of the six categories of assurance providers will afford the organisation different levels — or degrees — of assurance.  Moreover, the organisation’s key stakeholders must be assured that there are levels of independence provided between the various assurance categories.

“In King IV™…a combined assurance model incorporates and optimises all assurance services and functions so that, taken as a whole, these enable an effective control environment; support the integrity of information used for internal decision-making by management, the governing body and its committees; and support the integrity of the organisation’s external reports.”
The King IV Code on Corporate Governance for South Africa, 2016™
As ‘independence’ and ‘assurance’ go hand-in-hand, in practice it should come as no surprise that the less independent the assurance provider, the lower the level of assurance that may be expected.  Accordingly, it is imperative for the organisation to ensure it has implemented a robust and diverse combined assurance matrix to identify and facilitate the most effective approach to addressing key risks.
Indeed, a combined assurance model and approach may warrant the need for more than one assurance provider to provide assurance over a given risk to ensure that the risk is appropriately reviewed, and that independence measures are incorporated into the approach.
Organisations should evolve accordingly
Well-governed and mature organisations will have taken progressive steps towards the establishment of a combined assurance model and they should develop systems which facilitate a formal reporting process, including the regular measurement of how the model has performed against its goals.  This will encourage ongoing focus on combined assurance, and will assist organisations to identify and address those parts of the control, monitoring and oversight system which may be under-performing or lacking integration.  In so doing, organisations may identify new opportunities or areas for change and development, especially in relation to their risk management strategies.  In addition, the integrity of information used for internal decision-making within an organisation’s Board and management structures will be enhanced, as will the integrity of external reports, such as the organisation’s annual Integrated Report to its stakeholders.
Whilst the costs of combined assurance may seem prohibitive, the benefits to an organisation adopting a comprehensive, six-level combined assurance model go far beyond complying with the requirements of King IV™.  These benefits have knock-on effects which operate both horizontally and vertically within an organisation and ultimately serve to assist the Board of directors in the fulfilment of their fiduciary duties, not least by providing the Board itself with a degree of comfort that the risks within the organisation are known and contained.
Such assurance is especially important for non-executive directors who do not work on a full-time basis within the organisation they serve, and accordingly have limited information, unlike their executive counterparts. Through an improved combined assurance model, which provides the entire Board and the organisation’s key stakeholders with the required comfort that all the necessary risks have been addressed, there is no doubt that the organisation’s reputation will be enhanced, amongst other benefits.
In contrast to the recent shockwaves that rippled through the local and international markets in respect of the Steinhoff share price collapse, adopting a pragmatic combined assurance model greatly reduces unwanted risk, irrespective of its form.  In addition, through proper controls and reporting, it also provides all vested stakeholders with the clarity required to determine exactly how the Board and the organisation are directing and controlling the business, hopefully with the bolstered approach to risk management that a combined assurance model encourages.