We’ve explored in our trust in the boardroom publication, and in subsequent articles, how critical it is for Boards to have a full and accurate picture of what is going on in an organisation. We’ve touched on business resilience and the roles of non-executive directors - both of which play a key role in overall Board assurance, but a Board Assurance Framework helps to focus risk management even further.
Should something go wrong in any organisation, one of the first questions that is likely to be asked is – what went wrong? As such, Boards need to be as comfortable as they reasonably can be, that things are running as they should, with relevant level of supporting risk management. In this context, it is helpful to think of a Board Assurance Framework like an extension of risk management arrangements which should already in place. A Board Assurance Framework is a main mechanism for helping Boards achieve the level of assurance they need to assess their own resilience, help avoid blind spots and secure a sustainable future for the organisation they govern.
The HM Treasury Guidance on Assurance Frameworks (2012) defines an assurance framework as: 'a structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect'. Essentially what this means is bringing together in one place a complete picture of the effectiveness of the key controls that manage the principal or major risks that could impact on the achievement of the board’s strategic or core objectives. The Board Assurance Framework should outline and give evidence that controls and procedures have been implemented, that resources are not allocated inefficiently and that the outcome is as intended. It should show that things are operating as they should - i.e. it should confirm what they think they know.
To this end, Boards have to ask themselves:
- what they want assurance over; and
- what level of assurance does the Board need to feel comfortable?
There are a number of sources of assurance that exist within an organisation, but typically these could be categorised in to three components, often referred to 1st, 2nd and 3rd line of defence or assurance.
1st line - explicit confirmation or reporting by those directly responsible for the application of or management of controls.
2nd line - other scrutiny or advisory functions within the organisation, for example the finance team reviewing or challenging financial transactions and budgets.
3rd line - independent review of controls or activities e.g. internal audit, or a specialist review by an external organisation.
All these elements, either separately or combined, will contribute to the level of confidence that the Board has over the organisation's ability to manage its risks, be these business as usual or exceptional.
Boards in all organisations should be asking themselves how they are assured – over what, by whom and how? And whether Boards really know what they think they know? Exploring the use of a Board Assurance Framework may be the answer.
Contact Matthew Humphrey for more information.