Combined Assurance: Case Studies on a Holistic Approach to Organizational Governance
by Gerrit Sarens, Loïc Decaux and Rainer Lenz
ISBN: 978-0-89413-727-3, Publisher: IIA Research Foundation (2012)
Reviewed by: Julie Garland McLellan*
If risk is everywhere, why isn't assurance? This is an especially pertinent question for directors as we are required to attest to the adequacy and appropriateness of our controls, risk management, and reward or remuneration structures. How can we do so without a more holistic assurance than the current hit-and-miss, financial-system-centric, and temporal assurance that boards typically receive?
This book answers those questions - and does so very well.
It starts by assessing the need for assurance and looks at some lessons emerging from the global financial crisis. In particular it focuses on:
- The inability (or unwillingness) of boards to articulate and measure an acceptable level of risk and the related inability of management to deliver this
- The arrangements that favour risk takers at the expense of risk managers and their associated compensation schemes, and
- The inadequate and often fragmented way boards have traditionally approached risk management and reporting.
The book then sets out how boards can pro-actively address these issues.
The book tackles head on the issue of risk management evolving into a system that is divorced from the business of the organisation and sets it squarely in the centre of everything the company does. Combined assurance is defined as bringing together assurance providers from different disciplines to provide assurance to the board that all risks are being managed appropriately. If the board does not understand these risks or does not form an adequate view of them then it should be unable to attest that it is discharging its duty. This raises a frightening thought - if most boards don't do combined assurance and yet disclose that all risks are managed appropriately is the attestation baseless?
Bringing different professionals together to view assurance allows for immediate efficiency gains in prioritising work and making sure nothing 'drops off the radar'. However, it also requires managers and assurance professionals to challenge each other's assumptions and priorities, and this is only going to work if the organisational culture allows such behaviour.
In particular, at some stage in time a brave manager is going to have to tell a board "these are the real risks, these could ruin our strategy and destroy shareholder wealth, these are the things we are doing to manage them, but some risk still remains". That takes courage. It takes a board that is willing to listen and a manager that is willing to stand alongside the risks and facilitate a proper board understanding of them. Few organisations possess a culture where this is easy. Few managers are trained in presenting unpalatable truths to boards (and most presentation skills training will teach them to obfuscate and/or avoid doing so, which is a whole new risk category in and of itself).
The book posits a new role for assurance professionals to work alongside technical and management staff to provide a strategically focused assurance that adds value even as it protects value. At no stage does the book suggest that risk management should fall within the purview of audit. Managers should manage the risks and the assurance professionals should help them to do so. It will not be easy to develop such a role and the case studies illustrate some pitfalls. However the resounding message is one of hope and capability. This positive book puts a pragmatic, rather than Pollyanna-ish, spin on the ideas.
The case studies are rendered nameless but can be fairly easily identified through a little fact checking. The generosity of the managers who provide the insightful quotes is matched by the generosity of the authors who give their interview questions and methodology in the appendices.
This book will make directors uneasy. It should. Complacency is the enemy of true assurance; this book is an assurance professional's true friend, a manager's resource, and a director's call to action. Highly recommended!
* Julie Garland McLellan is a professional non-executive director, board and governance consultant and mentor. She is the author of "Dilemmas, Dilemmas: practical case studies for company directors", "The Director's Dilemma", "All Above Board: Great Governance for the Government Sector" and numerous articles on corporate strategy and governance.