In our next series of blogs Tony and John talk about the need for Independent Assurance within the Risk Management process covering both internal and external assurance, audit and risk management oversight. Operational Risk Software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Independent assurance is the critical third line of defence. It has two complementary parts – internal and external assurance. In respect of risk, the internal audit function, together with external experts, aims to help protect the assets, reputation and sustainability of the organisation, through providing independent assurance to the board on the effectiveness of the organisation’s governance, risk management framework and internal control systems, including the effectiveness of the risk function itself.
Three lines of defence (3LOD)
There is no set framework for risk management governance. Each instance will depend on the culture and structure of each firm. However, there are basic principles of risk governance, which are demonstrated in the classic three lines of defence model. It started as a construct from the financial services industry, but the principles can work with any type of firm. It should not be rigid. The business line should be working closely with the oversight functions and the oversight functions need to understand the business. It is about communication, not demarcation. That is especially pertinent if we are talking about non-financial risks, such as people, systems and external risks
The internal audit function should challenge the risk department and the board’s insight about the key risks. One of the risk department’s responsibilities is to identify themes or trends that may be relevant to the board’s understanding of the organisation’s principal and emerging risks, including their impact on the likely achievement of strategic objectives, overall risk profile and risk capability.
While internal audit’s brief is inter alia, to assess the first line of defence, the business lines, it must also assess the adequacy and effectiveness of the second line functions. Not only the risk function, but especially compliance and finance. In no circumstances should internal audit rely exclusively on those functions.
Internal audit should be involved in key corporate events as an independent challenger – process changes, new products and services, outsourcing and third parties, mergers and acquisitions and divestments – either because of its knowledge of the organisation’s controls, or to audit external parties or partners. However, because of internal audit’s knowledge of the organisation’s controls, it is easy for the function to have a conflict of interest. It is a fine line, but it is important.
To do their job well, they may call in external independent knowledge experts. These can be a vital form of challenge to the second line and a form of knowledge transfer to the third line.
External audit’s role is to give an opinion on the financial statements. To enable it to do this, it has to assure itself of the quality of risk governance and of controls including ethical values, management style and values, and human resources policies and practice. These factors do not form part of its formal assurance to the board, but they do provide the context to the auditors’ views and decisions.
In our next blog Tony and John delve deeper into the topic of Independent Assurance.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com