Strategic Risk Assurance Mapping

The project

OCM was engaged to conduct a review of the Authority’s second line of defence activities for its strategic risks. The purpose of the review was to obtain a clear view of where assurance was occurring across its strategic risks to allow management to review any gaps and adjust business processes as necessary.

Risk assurance maps are based on the Three Lines Model, which facilitates organisations to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

A risk assurance map is used to identify the roles and responsibilities within the organisation across the three lines; the assurance activities occurring over the key risks and activities of an organisation, and to identify gaps or duplications in assurance activities.

Our role

The outcomes included:

• Improved understanding of the roles and accountabilities for assurance activities across the Authority;
• Increased knowledge about the Authority’s assurance activities including issues impacting the effectiveness of the activities such as turnover in key executives and decision makers leading to reduced corporate knowledge, changes in responsible Ministers, regional execution of controls, heavily regulated environment and the impact of strategic partnerships
• Recommendations to address potentials assurance gaps (asset management, program management, bulk water metering and business resilience) and duplications (water quality, safety), to make assurance more strategic and consistent, and to improve policies and procedures supporting business activities.

Our methodology conformed to IIA’s International Professional Practices Framework and guidance, particularly the Leveraged COSO Across the Three Lines of Defence publication. Our approach included the following steps:

• Developed an understanding of the Authority’s three lines of defence, including review of any existing models and assurance maps documenting the lines;
• Agreed the format upon which the 2LOD information will be presented to management, e.g., business unit and risks, business unit and activities or functions;
• Reviewed key documentation to identify 2LOD activities, including the Authority’s corporate and other plans; annual report; organisational and governance structure; management reports; risk registers; and policies and procedures. This included activities such as:
  • Risk Management
  • Information Security
  • Financial and Performance Monitoring and Reporting
  • Physical Security
  • Quality Assurance
  • Health and Safety
  • Inspections and Condition Assessments
  • Compliance and Self-assessments
  • Legal
  • Environmental Audits
• Interviewed key executives and managers to confirm 2LOD activities identified during the documentation review, identify other 2LOD activities and discuss coverage and frequency of activities;
• Discussed emerging issues as they arise during the review, and at an exit meeting at the conclusion of fieldwork;
• Prepared a register of 2LOD activities for the Authority’s future use;
• Prepared and delivered a presentation on the results of the review to the Executive Leadership Group.

The deliverables from the review included:

• A presentation to the Executive Leadership Group detailing the outcomes from the review, recommendations and a roadmap to address gaps and duplications in assurance activities
• A Register of 2LOD activities across the key business functions and risks, and
• A Risk Assurance Map for the Authority’s strategic risks.

For other Governance, Risk and Compliance case studies refer to Development of an Assurance Map; Review of Risk Management Framework; Business Continuity Management; Strategic Risk Assurance Mapping.