Our client, which plays a significant role in Europe’s financial infrastructure, had a mature, well-developed three lines of defence model in place. However, the Audit and Risk committees had limited visibility of the assurance provided by the first line, and both Risk Management and Internal Audit were going through separate (uncoordinated) transformation programmes, leading to concerns over duplication of effort and gaps in coverage.
Halex Consulting helped the client define an integrated assurance (three lines of defence) strategy, not only to address the committees’ concerns but also to clarify roles, responsibilities and boundaries between the first, second and third lines of defence.
Key to this was:
- Requiring first line management to become the primary source of (non-independent) assurance to senior management and the Audit and Risk committees through development of a system of ‘positive assurance’ reporting (PAR)
- Leveraging the PAR process to focus first line management on the achievement of business objectives through the effective identification and management of risks
- Clarifying the role of the Risk function as providing robust, independent oversight of management risk-taking (with a view to achievement of strategic business objectives)
- Encouraging Internal Audit to step back from excessively detailed testing of processes and controls, develop an understanding of what was really happening in the business and then plan their work accordingly. (This led to a smaller, but bigger-hitting, internal audit department with a reduced number of higher-calibre internal auditors, increasing their value to the business.)
With the positive assurance framework in place, the second and third lines repositioned themselves appropriately, reinforcing the assurance provided by the first line and improving the overall efficiency and effectiveness of the business’s internal control arrangements.