A cautionary tale of risk assurance

By: Alex Roberts, Cura Software Solutions’ regional director

2017 saw the resignation of several senior executives of large global corporations as a result of organisation-wide malpractice. 

This has established a new benchmark for accountability in South Africa: executives are being more assertive when it comes to wrongdoings within their businesses. The directors’ role is to balance performance and compliance by ensuring that management’s actions are consistent with corporate strategy, reflective of the culture of the business, and in line with the organisation’s risk tolerance. Failure to do so is grounds for dismissal. Executive committee members taking oversight responsibility for the actions of others is a step towards the mandate of transparency and honesty that audit firms and consultancies endeavour to uphold.

Roberts believes that this is a cautionary tale for every organisation to establish airtight assurance processes in 2018 in order to ensure that your exco board does not fall into the line of fire. “All organisational risk stems from one of two places: business objectives or operational processes. It is of paramount importance that your business implements appropriate levels of combined assurance to manage risk. The three tiers of assurance – audits, reviews and agreed-upon procedures – should be carefully maintained.”

So, how do you protect your executives against catastrophic risk repercussions? According to Roberts, the key to a sound risk assurance structure is to instil a GRC culture from a strategic perspective. This provides a three-dimensional safeguard, incorporating people, technology and processes. It is essential that these assurance activities are coordinated to ensure resources are used in the most efficient and effective way.

The first step to be taken towards a sound assurance structure is appointing the right representatives within your business. Management and the board will need to ensure that the assurance providers appointed – both external and internal – are equipped with the necessary experience and skills to execute an acceptable approach. Your risk manager should be supported by a carefully constructed team, including line managers, senior management, internal and external auditors, financial reporting review teams, and workplace health and safety auditors. This team then establishes a business case: an overview status of the assurance profile.

This profile sets the scene for the establishment of a combined assurance strategy. The second step to take is accumulating consistent, accurate data from multiple sources. This effective control environment supports the integrity of information for both internal decision-making and the organisation’s external reports. Ideally, the data should be captured within risk management software to allow analysis and reporting from the data captured.

Developing an effective combined assurance approach is one thing, but implementation must be supported by ongoing efforts to ensure that this methodology continues to increase the value it is designed to create.

Roberts concludes, “The implementation of a combined assurance model will take time and effort to establish and maintain; however, this time and effort is insignificant compared to the potential repercussions from having an insufficient strategy in place.”