Chapter two

Governance, Risk Management, Control and Assurance

Internal audit is one of the cornerstones of good governance, reviewing and reporting on the organisation’s arrangements for controlling its resources and managing its objectives.

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

■Promoting appropriate ethics and values within the organisation;
■Ensuring effective organisational performance management and accountability;
■Communicating risk and control information to appropriate areas of the organisation; and
■Coordinating the activities of and communicating information among the governing body, external and internal auditors and management.

Source: PSIAS 2110 Governance

To perform this role, internal audit needs to have a good understanding of the governance arrangements in their organisation, and the way in which risk management and internal control support governance. This chapter helps the internal auditor’s understanding of these areas by:

■summarising the key features of public sector governance and the importance of risk management and internal control
■clarifying the responsibility of senior management/the governing body and the audit committee in leading and championing governance
■exploring the concepts of assurance, assurance frameworks and assurance mapping.

GOVERNANCE IN THE PUBLIC SECTOR

The public sector landscape is wide; it has expanded beyond the traditional boundaries of central and local government, health and education to cover a wide variety of agencies, arm’s-length bodies, public–private partnerships and joint arrangements, not-for-profit organisations, and community and voluntary groups.

Although the form that governance takes varies widely across the public sector, governance commonly means the arrangements in place to ensure that an organisation fulfils its overall purpose, achieves its intended outcomes and operates in an economical, effective, efficient and ethical manner.

Risk management is a key concept in good governance. In 2014 CIPFA and IFAC (the International Federation of Accountants) published International Framework: Good Governance in the Public Sector. One of the framework principles is managing risks and performance through robust internal control and strong public financial management:

The governing bodies of public sector entities need to ensure that the entities they oversee have implemented – and can sustain – an effective performance management system that facilitates the effective and efficient delivery of planned services. Risk management and internal control are important and integral parts of a performance management system and crucial to the achievement of outcomes. They consist of an ongoing process designed to identify and address significant risks involved in achieving an entity’s objectives.

Responsibility and accountability for governance flows from the top; every public sector entity needs one or more individuals who are explicitly responsible for providing strategic direction and oversight while being accountable to stakeholders. The CIPFA/IFAC framework uses the term ‘governing body’ to identify the person(s) or group with primary responsibility for overseeing an entity’s strategic direction, operations, and accountability. This publication uses this definition.

Relationships between good governance principles in the public sector

Source: International Framework: Good Governance in the Public Sector,
CIPFA/IFAC, 2014

Good governance requires a well-defined framework to operate in. The key elements of a governance framework are clear strategic objectives, an effective governing body focused on achieving these objectives and managing related risks, an effective scheme of delegation for executive decisions to be taken, and all parts of the framework understanding their roles and responsibilities, and how they relate to each other. A wide range of systems, activities and processes make up an organisation’s governance framework. These are considered later in this chapter.

EXPLORING THE CONCEPT OF RISK MANAGEMENT

Risk management needs to be treated as a positive concept, enabling organisations to identify, assess and seize opportunities in ways that were not necessarily possible before, to take decisions about making the most of these opportunities, and to invest resources in a consistent, controllable way.

What is important is that risk is managed in the right way to make the most of opportunities and to safeguard an organisation’s objectives from harm.

The international standard on risk management, ISO 31000, has been widely adopted and replaces other national or sectoral risk management standards. Its principles for effective risk management are:

■Risk management creates and protects value; contributing to the organisation’s objectives, improving performance, efficiency, governance and reputation.
■It is an integral part of all organisational processes, not a standalone activity. It is a part of management’s responsibility, and part of strategic planning, project and change management.
■It is part of decision making, helping management take informed choices and prioritise actions.
■It helps organisations understand and address uncertainty.
■It needs to be systematic, structured and timely.
■It is based on the best available information – historical data, stakeholder and customer feedback, forecasting and expert judgment. It should be tailored to the organisation’s internal and external context and risk profile.
■It takes human and cultural factors into account – recognising that people’s capabilities, behaviours and intentions can facilitate or hinder the organisation’s objectives.
■It is transparent and inclusive, needing the timely and appropriate involvement of stakeholders and decision makers at each stage, and ensuring proper representation of all those affected.
■It needs to be iterative, dynamic and responsive to change, taking account of changes in the internal and external environment.
■Finally, it needs to demonstrate continuous improvement.

Strategic and operational risks

It is important that the governing body has a clear understanding of strategic risks.

Strategic risks are those that represent major threats to achieving an organisation’s strategic objectives; for example, a health body failing to increase life expectancy or to reduce teenage pregnancies, or an education body failing to improve academic performance. These can also include serious service failures; for example, failing to safeguard a vulnerable client. The way in which internal auditors consider strategic risk as part of the risk-based audit planning process is covered in detail in chapter four.

Operational risks relate to the day-to-day running of the organisation and include financial and resource risks; threats to assets through fraud, loss or error; the risk of system failure; and legal and compliance risks. These risks are identified and controlled by line management, but they need to be reported to the governing body level on an exception basis.

Whichever type of risk is being managed, organisations need to ensure that risk is integral to decision making: weighing up the consequences of decisions, their likelihood and impact on strategic objectives, and the potential losses through not taking opportunities by avoiding risk. Once a decision is made, the governing body remains accountable for the risk taken.

Identifying, measuring and recording risk

Risk identification involves understanding what could threaten the achievement of the organisation’s objectives. It is necessary to know how and why things could go wrong. Risks need to be described so that others understand what the risk is, and its cause, effect and impact; and each needs to be assigned an owner.

The likelihood of a risk materialising and its impact need to be scored, and the likely timeframe identified. The organisation should then list the actions that need to be taken to reduce the likelihood of the risk happening or to mitigate its effects should it happen.

Risks are typically assigned a score based on a combination of the likelihood of occurrence and the expected impact.

Likelihood may range from remote to very likely. Impact may range from minor service disruption, minor loss of budget or occasional complaints to employee fatality, service suspension or loss of most or all of budget. The higher the score, the more attention the risk requires and the more likely it is that the governing body will seek assurance about how that risk is being managed. Some organisations allocate a cost to the impact, enabling them to match their ability to deal with the risk to financial capacity.

The net impact of a risk is effectively the residual risk after taking into account the controls in place to reduce the likelihood of it materialising, or to minimise its impact should it do so. This evaluation determines the appropriate level of managerial supervision and action and so, while gross risk is important in considering the risk profile of the organisation, it is the residual risk that largely drives operational risk management.

A risk register is the way in which an organisation records its risk management process. There are many different ways of presenting risk registers and terminology also varies, but the following example covers the concepts described above.

Risk matrix assessment template

Of course, organisations do not exist in a risk-free environment; they must accept that risks exist and put in place measures to reduce, control and mitigate them. But there are consequences to over-controlling risk. The more an organisation attempts to remove risk from a service or activity, the more costly it can be to deliver, as complex procedures are required to mitigate risk. The following extract illustrates this point well.

Consideration of risk and benefit can be formalised. For example, the As Low As Reasonably Practicable (ALARP) principle is used to define the tolerable level of risk for health and safety. The principle recognises that risk cannot be reduced to zero, and that risk reduction will have a cost attached (in terms of time, money, or quality/functionality). Decisions to take risks are often harder as the benefits are often less tangible and the probability of success is uncertain. This is particularly true when considering investment in research and development

Source: Thinking About Your Risk – Setting and Communicating Your Risk Appetite,
HM Treasury, 2006

In order to judge whether risks are being over-controlled, risk registers should therefore include the cost of any investment needed either to reduce the risk to an acceptable level or to remove it. This allows clear evaluation of investment decisions, whether during the planning round or as part of in-year financial management processes.

Developing the theme of risk as a positive concept, risk management has become a key ingredient of new forms of public service delivery. The challenge for public sector organisations now is to thrive in an environment of greater risk opportunity and radical change and transformation. They cannot survive by standing still. Innovative solutions need to be supported by effective risk appraisal.

Transformation is frequently used to describe innovative approaches to service delivery, involving service redesign, alternative ways of commissioning or providing, or deciding whether a service is required at all. Even services focused on safety or security, such as fire authorities or HM Prison Service, are looking to service transformation (for example, reducing firefighting personnel in favour of fire safety advice, increasing non-custodial options). Risk management underpins effective transformation.

CIPFA has identified effective financial and risk management as one of the ten key actions for leaders to take in response to the challenging climate of austerity.

Ten key actions leaders need to take

Source: Leading in Hard Times, CIPFA, 2011

Organisations need to use risk creatively to support innovation.

Risk needs to be managed rather than avoided, and consideration of risk should not stifle innovation. The Council delivers services in an increasingly litigious and risk averse society and believes that risk management is a tool for exploiting opportunities as well as safeguarding against potential threats. LBBD uses the discipline of risk management to promote innovation in support of the council’s strategic objectives as detailed in the Corporate Plan.

Source: London Borough of Barking and Dagenham

Internal audit can play an important role in this ‘risk opportunity’ environment; for example, providing assurance over more innovative forms of service delivery, such as joint ventures.

Case study: Deploying internal audit to review governance and risk in an NHS joint venture

The service provision landscape continues to change and foundation trusts are using new delivery models to support the provision of optimal care.

An NHS trust had entered into an innovative joint venture arrangement with a large multi-national private sector healthcare organisation to provide an enhanced private patient experience. Trust executive directors formed part of the joint venture governing body and were keen to seek independent support and assurance on the risk management and governance arrangements. Internal audit’s credibility, relationships and risk and governance expertise led to a request for advice on the adequacy of the arrangements in place around the joint venture and whether the trust governing body was receiving sufficient and accurate information to be assured about the operation of the venture.

This work was undertaken through flexing the core risk-based audit plan as there was a significant reputational risk to the trust in the event of failure or poor performance as well as financial risks in terms of non-receipt of anticipated income.

Internal audit’s review highlighted key weaknesses in the governance arrangements and the absence of a defined risk management system. The report was well received at the trust governing body and provided a clear action plan to support executive directors to proactively address the issues raised. The audit committee chair commented that it was ‘one of the best pieces of internal audit work’ he had read.

In addition to the high-profile interactions within the trust, internal audit liaised closely with the trust’s external auditors as there were a number of areas of shared interest, due to the
profit-sharing arrangements in place and their impact on the trust’s annual accounts.

Source: Mersey Internal Audit Agency

Using risk proactively has been a feature of partnership and project management working in the public sector for many years now.

Most public sector organisations rely on partnership working for at least part of their service delivery. The key challenge in partnership risk management is that there are risks that the organisation cannot by itself fully own or control. There needs to be a shared understanding and management of risks facing the partnership in addition to those faced by each partner. Organisations also need to be aware that partners might be more skilled in risk management and might offload risk to them. Partnership risk management therefore usually requires the development of a shared risk management approach as part of the governance arrangements for the partnership.

Project management methodology (for example PRINCE2) and standards usually require a robust risk management element to ensure the achievement of the project’s objectives. Projects are subject to risk appraisal as part of project initiation. The appraisal usually takes the form of a risk register for the project, setting out key risks in terms of resources, people, delivery, operations, and external threats such as legislative, economic, social or market issues. Project risk management will be owned and regularly reviewed by the project governing body, and mitigation or control action identified if risks change during the life of the project.

There are two types of risk associated with projects: business risk and project risk. Business risk relates to the environment in which the project operates – the economic, environmental or political risks that might adversely affect the outcomes of the project. These are generally external risks. Some may be beyond the project manager’s control; for example, a downturn in the economy affecting the price and supply of building materials, but some may be controlled; for example, taking out insurance to safeguard against damage to the building of a library during construction. Project risk relates to the management of the project; for example, the risk that financial resources become unavailable, that timescales are not met or that key project personnel leave at critical stages.

Risk appetite

Risk appetite is the term commonly used to describe where an organisation considers itself to be on the spectrum ranging from willingness to take or accept risk through to an unwillingness or aversion to taking some risks.

It is based on the level of unmitigated or residual risk that an organisation is prepared to tolerate, or in other words the risk target to be aimed at. The following extract from the Home Office risk management policy describes the approach:

When deciding your risk target consider the following:

What risk rating would [you] like to manage an individual risk down to in an ideal world?

What level [can you] actually and practicably manage this risk down to? (Always think what cost is attached to managing a risk downwards as this may ultimately affect what level you set your risk target at.)

Given that you may have limited resources to use to counter this risk, realistically, what level of risk would you be happy with and can [you] afford?

Having considered the above, assign the risk target a colour that best represents what you are prepared and able to manage it down to using the existing BRAG colours and matrix. If your risk target is:

■BLACK represents a very high tolerance of this risk, ie you are willing to tolerate a risk rated with either a very high likelihood or [a very high] impact (or both).
■RED represents a reasonably high tolerance to the threat – you are more open to the threat occurring, often if there are operational or resourcing constraints.
■AMBER will show you are prepared to tolerate and accept a little more threat – are prepared to be more ‘scared’ as you’re accepting more risk, but are still cautious.
■GREEN, you are risk averse as you can’t tolerate this risk materialising.

Source: Home Office: Risk Management Policy and Guidance, Home Office, 2011

Risk appetite in the public sector may be particularly relevant when the organisation has a policy or delivery role which involves the opportunity to make choices about investment in projects, research and work which are inherently uncertain in its effect or outcome.

Risk appetite will vary according to the nature of the business and the type of service provided. Investment, trading or physical delivery services will focus more on opportunities and their consequent risk than services whose prime purpose is stewarding public funds or protecting the public; so a local authority supply trading organisation will have a different risk appetite to child protection services. Risk appetite may also vary within the organisation if it has a number of discrete functions; for example, risk appetite around a major construction project in a local authority may differ from risk appetite in relation to treasury management or archiving services.

As public sector organisations face reducing financial resources at a time when the demand for public services is increasing, governing bodies need to ensure that their risk appetite is still appropriate to make the most of opportunities as well as to guard against threats.

It is important that the organisation has a clear idea of its risk profile. This is the selection of risks that the organisation is prepared to tolerate or manage; depending on its risk appetite, it may include some higher-scored risks. The organisation needs to understand the strategic risks to the achievement of its objectives, how these risks are scored and graded in terms of likelihood and impact, which of these risks it is prepared to tolerate and which it is not, and how these many change. These are helpfully illustrated on a grid, with one axis indicating impact from low to high, and the other indicating likelihood from low to high. Risks in the top-right quadrant of the grid would then be scored high or unacceptable; risks in the bottom left quadrant would be low or acceptable.

Example risk appetite grid

Source: Shropshire Council

In this example, risk appetite is defined as the risk tolerance level, with risks above this level attracting effort and resources to reduce it to below this level. This target therefore acts as a management indicator, with greater levels of monitoring being required for these risks than for those below it. In addition to this upper level, a lower target has been set, which is the risk acceptance level. Any risks below this level should require minimal effort and resources to manage. This helps ensure that resources are not wasted trying to reduce risks unnecessarily.

Risk culture

The governing body has a key role in embedding a culture of risk management into the organisation. The benefits of this include:

■improved management of resources
■enhanced internal and external communications and reporting of risk and control information
■increased responsiveness to internal and external change
■increased likelihood of successful delivery of objectives
■ownership of risk management and mitigations by everyone in the organisation.

Risk intelligence

An effective risk management culture is one in which risks and issues outside the radar can be identified and acted upon. Many organisations have systems in place to determine existing risks, but the identification of emerging risks, particularly emerging external risks, is typically less well developed.

Processes to determine emerging risks could be enhanced by risk managers and auditors within sectors pooling and analysing common risks. In the NHS, a recent survey undertaken of 10 board assurance frameworks covering four NHS regions and 211 clinical commissioning groups found a variety of approaches to the layout and detail of frameworks, but consistent patterns of risk themes and key risks, as illustrated in the following table.

Top three risk themes	Sample of common key risks
Safety/quality/experience	Failure to safeguard vulnerable adults or children Inability to gain adequate clinical governance assurance from providers Inability to secure improvement in quality of care in residential/nursing homes
Performance	Failure to provide prompt patient access; for example, cancer treatment or A&E Failure to meet ambulance response times Failure to achieve key performance targets
Finance	Funding loss through new group allocations formula Overspending on emergency and elective referrals Failure to meet group financial targets

Source: NHS London Audit Consortium

Such exercises could usefully inform individual organisations of the pattern of risk across the country. In addition to assurance frameworks, head of audit opinions could also be analysed to share intelligence on risk.

Another means of gaining risk intelligence is for internal auditors or risk managers to liaise collectively with regulators and national stakeholders who typically have wider insight about the pattern of risks and have considered the risks associated with new policies. For example, NHS internal auditors are seeking to liaise with national stakeholders such as the Care Quality Commission and Monitor to understand emerging risks and disseminate key facts across the service.

The NHS now requires individual organisations to assess their vulnerability to the problems found in investigations such as the Francis Inquiry report into the Mid Staffordshire NHS Foundation Trust and to develop action plans. It is obviously good practice for organisations to remain appraised of national investigations and to undertake local assessments.

Risk management and the system of internal control

Internal controls are designed to ensure that there are processes in place to safeguard against fraud, loss, waste, inefficiency, damage to assets or other adverse events that prevent an organisation achieving its objectives. Risk management is therefore another way of looking at internal control, since no control should be present unless it is designed to prevent the risk of something adverse happening.

The system of internal control facilitates the effective exercise of an organisation’s functions. It is the totality of the way an organisation designs, implements, tests and modifies controls in specific systems, to provide assurance at the corporate level that the organisation is operating efficiently and effectively. As such, it includes the governance framework, risk management, information and communications, monitoring processes and assurance activities. It is the effectiveness of all this that the accountable officer is certifying when signing the governance statement. So, as risk management underpins the system of internal control, it also forms an essential contribution to the governance framework.

To finish this section on exploring the concept of risk management, here are some straightforward questions to help organisations manage their risks:

■What are you trying to achieve/what are your desired outcomes (eg promoting healthier lifestyles)?
■What is the risk (risk identification)?
■What will happen to desired outcomes (risk evaluation – impact should the risk occur)?
■How likely is it that the risk will occur (risk evaluation – probability)?
■Does the benefit outweigh the risk (risk–benefit analysis)?
■Can we do anything to reduce the risk (risk reduction)?
■Has anything happened that alters the risk (risk monitoring)?
■What plans can we put in place in case the risk occurs (contingency/service continuity planning)?
■Would insurance be a cost-effective way of mitigating the risk, or can we contract out this risk (risk transfer)?
■What financial provisions should we hold for the primary or residual risk (risk funding)?

Remember: risk management is about being ‘risk aware’, not ‘risk averse’.

THE ROLE OF THE GOVERNING BODY

The nature of governing bodies varies widely across the public sector; from school governing bodies, cabinet or executive models in local government, NHS trust boards, and trustee boards of charities to central government department boards chaired by secretaries of state. Composition can also vary, with different combinations of elected members, non-executive directors or nominated laypersons. But the main purpose of any governing body remains the same – to lead and govern the organisation, to define its purpose, vision and objectives, to ensure the achievement of outcomes, to promote a culture of ethical behaviour and to ensure effective risk management and control.

Too often, the sorts of high-profile failures and disasters mentioned in chapter one stem from governing bodies failing in their purpose. In the wake of the banking crisis and the resulting perception that financial institutions had failed to identify and manage their financial risk, there were a number of reviews and developments in governance, focused on risk management.

While not applicable directly to public sector bodies, one of the main principles of The UK Corporate Governance Code (FRC, 2012) is that the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems. The relevant provision of the Code is that the board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.

Given that the governing body owns and is responsible for the organisation’s objectives, it therefore has overall responsibility for risk management. The governing body may delegate management of risk and risk identification to officials or the executive, but it remains accountable and cannot avoid owning risk and the consequences of it not being effectively managed. This responsibility is best described as risk governance:

The leadership of risk management and the means by which it is successfully and effectively integrated into the governance arrangements of the organisation.

Source: Risk Governance: Risk Management Guidance Note 13,
CIPFA Better Governance Forum, 2011

Key features of effective risk governance are:

■a high-level mandate and commitment to risk management from senior managers and those charged with governance
■integration with the governance framework
■clear alignment with the organisation’s objectives and performance management framework
■accountability at all levels
■transparency of activities and key information
■a clear strategy for the management of risks when working in partnership and integration with wider partnership governance arrangements.

In overall terms, the governing body’s role is:

■to oversee the effective management of risks by officials
■to get involved in the identification of high-level, strategic risks and to understand their potential impact.

Its specific role in terms of risk management is:

■to gain a broad understanding of risk management and its benefits
■to require officials to develop and implement an effective framework for risk management
■to challenge officials to ensure risks are considered and documented in all reports
■to require that risk is formally considered at the start of major projects and re-evaluated throughout the life of the project
■to require officials to report significant risks on a regular basis.

It is also responsible for ensuring effective escalation processes are in place where there may be concerns that risks have not been properly addressed through the organisation’s risk management arrangements.

There have been number of high-profile failings where the adverse event has not been anticipated by the organisation. The governing body needs to be confident that issues and events happening outside the risk management environment can be quickly identified, controlled and dealt with. Part of this requires effective forecasting and anticipation based on the governing body’s understanding of the external environment the organisation operates in.

It is also important that the governing body is aware of the internal environment, for example by putting in place effective whistleblowing arrangements where people feel confident and able to express their concerns. Recent experience in the NHS demonstrates how harmful it can be if the culture of an organisation is not open to concerns expressed through whistleblowing or other means.

To summarise, here are some key questions all governing bodies should ask of themselves:

■How do we ensure that our focus is on managing the things that matter? Are we content that management’s assessment of risk is not overly optimistic?
■Are we clear about where we are prepared to tolerate differing levels of risk and, in turn, how this influences and drives the actions of management?
■How are we confident those risks are being managed appropriately and that we will be informed of the most significant risks to our business?
■What information do we need both to take decisions and to challenge the rigour with which risk is managed throughout the organisation?
■How do we ensure that our decisions are based on a clear and balanced evaluation of the costs and impacts associated with risks and mitigations?
■How do we learn from successes and failures both within our own and other organisations?

Source: Managing Risks in Government: Good Practice, National Audit Office, 2011

THE ROLE OF THE AUDIT COMMITTEE

Audit committees have become a key feature of public sector governance in recent years.

The purpose of an audit committee is to provide to those charged with governance independent assurance on the adequacy of the risk management framework, the internal control environment and the integrity of the financial reporting and annual governance processes.

Source: CIPFA Position Statement: Audit Committees in Local Authorities and Police,
CIPFA, 2013

This purpose is common across the public sector, as is an audit committee’s role in relation to risk management. There are three major areas.

First, assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the top-level ownership and accountability for risks. The specific actions this requires include:

■Overseeing the authority’s risk management policy and strategy, and their implementation in practice.
■Overseeing the integration of risk management into the governance and decision-making processes of the organisation.
■Ensuring that the governance statement is an adequate reflection of the risk environment.

Second, keeping up to date with the risk profile and the effectiveness of risk management actions by:

■Reviewing arrangements to co-ordinate and lead risk management. An example of such an arrangement is the existence of a group to examine, challenge and support the risk assessment process to ensure consistency.
■Reviewing the risk profile and keeping up to date with significant areas of strategic risks and major operational or project risks and seeking assurance that these risks are managed effectively and owned appropriately.
■Seeking assurance that strategies and policies are supported by adequate risk assessments and that risks are being actively managed and monitored.
■Following up risks identified by auditors and inspectors to ensure they are integrated into the risk management process.

Third, monitoring the effectiveness of risk management arrangements and supporting the development and embedding of good practice in risk management by:

■Overseeing any evaluation or assessment, such as a risk maturity assessment or risk benchmarking.
■Reviewing evaluation or assurance reports on risk management and monitoring progress on improvement plans.
■Making use of the assurance framework to identify gaps in assurances, challenging where there have been late or inadequate submissions by management, and obtaining assurance that emerging or worsening risks are adequately covered and that the internal audit plan responds to changes in risks.
■Monitoring action plans and development work in the field of risk management practice.

INTERNAL AUDITORS AND RISK MANAGERS

The developing role of internal audit clearly indicates that risk is the business of audit. It is essential that internal audit’s work is closely linked to the way in which risk is managed in the organisation. There are benefits from internal audit and risk managers working together:

■sharing knowledge about the organisation’s current and emerging risks and the mechanisms to manage risk
■audit findings will have a bearing on the way in which risks are managed and whether there are weaknesses that need improvement
■risk managers often have direct experience of services and work with them to identify and improve the management of their risks
■both functions have expertise in understanding risks and designing adequate controls to meet them.

Some organisations use workshops involving both auditors and risk managers to facilitate risk identification and management with service managers. There are also benefits in terms of planning the work of both functions, illustrated in the case study below.

Case study: Shropshire Council – planning the work of the risk and internal audit functions

In evaluating the risk management process and informing the planning process at Shropshire Council, the head of internal audit invites the risk and insurance manager to sit in on audit planning exercises with senior officers. This satisfies an audit and a risk management requirement with one meeting. This allows the risk and insurance manager to seek reliance on the robustness of risk assessments already completed and the mitigation in place or planned, and allows internal audit to benefit from this sense-check and receive reassurance or otherwise by audit identifying areas where risk management is mature and working.

In addition, the risk and internal audit functions meet monthly, during which meetings emerging risks are discussed to inform the audit planning process and learning from audit reviews is fed back to inform risk assessments and to triangulate with information being received from elsewhere.

A developing practice is to combine the internal audit and risk management functions organisationally; either heads of audit also manage the risk function or both the internal audit and the risk functions are managed by the same senior manager. This can have practical benefits in times of scarce resources and formalises the benefits of joint working. But a key factor to take into account is whether the activity raises any threats to the independence of internal audit and its objectivity. Any such arrangements must clearly meet the requirements of the PSIAS in terms of preserving the independence and objectivity of internal audit (PSIAS 1130) and ensuring internal audit’s ability to evaluate the effectiveness of the organisation’s risk management processes (PSIAS 2120).What is important is whether a combined approach is likely to improve the organisation’s risk management control and governance processes.

ASSURANCE

The concepts described in this section are illustrated in the following diagram.

Assurance concepts

Source: Mersey Internal Audit Agency

Assurance is defined as:

… an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

Source: Assurance Maps, Institute of Internal Auditors Practice Advisory 2050-2, 2009

Assurance is being confident, based on sufficient, relevant and reliable evidence, that something is satisfactory, with the aim of giving comfort to the recipient. The basis of the assurance will be set out and it may be qualified if full comfort cannot be given.

Effective assurance brings together the right governance framework and risk culture for the organisation and a clear understanding of strategic objectives and risks, good internal controls and evidence that internal controls are operating effectively. It is not just about process, but making sure that the assurance framework is relevant to the organisation and is actually working in practice.

Assurance is about knowing what is actually going on and having strong evidence to prove it. It is not about having a cosy feeling based on little hard evidence that all is well within the organisation, or even worse, not really knowing what is going on but making assumptions. Recent experience shows how important it is not just to rely on trust; Mid Staffordshire NHS Foundation Trust certified that it was compliant with all Care Quality Commission standards except that relating to waste disposal, but it subsequently became clear that it was very far from providing safe, high-quality care.

Organisations therefore need assurance, based on strong evidence, that their risk management and operations support their ability to achieve their objectives. They also need to be able to respond effectively where assurance is negative; where the evidence indicates that controls are not operating to deal adequately with a risk. Actions then need to be identified and the risk score updated.

Risk management and performance management have the same objective – supporting the achievement of organisational objectives – but many organisations run the two systems in parallel tracks and do not link them. This could result in, for example, an emerging service failure risk being identified through worsening performance against an indicator which is not identified in the organisation’s risk register or risk management framework.

Organisations need to take care that they are not taking assurance from performance management systems where the underlying internal control is inadequate.

Assurance frameworks and assurance mapping

Assurance frameworks have developed across the public sector, with a substantial amount of specific guidance for local government, the NHS, central government and other bodies. Across the sector, there is now a generally shared understanding of the meaning of assurance and of its key elements. An assurance framework is a structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect.

It is essential that there is an effective and efficient framework in place to give an organisation sufficient, continuous and reliable assurance on stewardship and the management of the major risks to success and to the delivery of improved, cost-effective public services.

This assurance framework should be structured to provide reliable evidence to underpin the assessment of the risk and control environment for the governance statement, supported by independent appraisal from internal audit. Assurance frameworks need to be used to identify gaps in controls or assurance, as illustrated below.

The assurance cycle

Source: NHS London Audit Consortium

There are many sources of assurance in an organisation available to evidence the management of risk and internal control. Understanding the sources of assurance and their scope means internal audit can focus most effectively on the riskier areas and those where gaps in assurance exist. Annex 2.2 to this chapter provides more detail on assurance sources.

Assurance mapping is a mechanism for linking assurances from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives. The structured mapping of assurances is one of the fundamental steps in building an assurance framework. An overview of the process is presented below.

Assurance mapping

Source: Risk Management in Higher Education: A Guide to Good Practice,
HEFCE/PwC, 2005

Annexes 2.3 and 2.4 to this chapter provide further examples of assurance mapping.

One way of bringing risk management and compliance into a common framework is to use the three lines of defence approach.

Three lines of defence

The first line of defence is front-line staff and management. Front-line staff are responsible for understanding their roles and responsibilities and carrying them out properly and thoroughly. Controls are designed into systems and processes, so, assuming the design is sound, compliance should mean the internal control environment is sound. Other staff within a department, usually undertaking administrative roles, are responsible for routinely verifying compliance with policies and procedures, in respect of both service delivery and decision-making processes. These staff are also responsible for providing information on key risk and control indicators to the second line of defence.

The second line of defence is a corporate governance framework, incorporating compliance and risk management functions. This is made up of a range of executive functions or committees which set and police policies, define work practices and oversee the operation of the first line of defence. Typically this would involve holding the first line of defence to account for the effectiveness of their risk management and compliance arrangements but, for particularly high-risk matters, they would also routinely inspect for compliance with policies and procedures.

The third line of defence is independent review, which is used to monitor the operation of the overall compliance and risk management system and examine the operation of the first and second lines of defence. This is the role of internal audit but there are other sources of independent review that can be used. Sources of independent review need to collaborate, for example internal audit liaising with external inspection to ensure there are no gaps or duplication and that there is a shared understanding of compliance and risk issues. Review findings are considered by the audit committee, which can then ensure that the executive is addressing identified weaknesses properly.

Finally, although not in itself part of the defensive lines, external audit is responsible for reporting externally on the adequacy of the organisation’s arrangements for managing assurance.

Another way of looking at assurance is to consider the nature of the evidence being sought for assurance. The nature of the evidence will vary in terms of its currency, independence, expertise and scope. Governing bodies’ needs will vary, as set out in the table below.

Tell me	Show me	Prove it to me
The governing body needs evidence to support a statement or source of assurance; for example a report from management that an action has been taken	The governing body needs a stronger source of evidence; for example performance information that a key target has been achieved	The governing body needs to be assured that there is proof that actions have been undertaken to support an assurance or a statement they rely upon; for example, independent inspection or audit

Annex 2.2 to this chapter sets out the detailed steps required to build an effective assurance framework.

Governance statements

It is now common practice for the results of assurance review to be made public in a governance statement. The governance statement is published separately but usually with the organisation’s annual report and accounts. It covers the organisation’s corporate governance, risk management and internal control arrangements. The statement should incorporate an evaluation of how well the arrangements have operated in practice, based on the ongoing assessment processes. The exact format of the governance statement will vary across the public sector, but the following extract from Department of Health guidance provides a good summary:

The governance statement records the stewardship of the organisation to supplement the accounts. It will give a sense of how successfully it has coped with the challenges it faces and of how vulnerable the organisation’s performance is or might be. This statement will draw together position statements and evidence on governance, risk management and control, to provide a more coherent and consistent reporting mechanism.

The governance statement should be a ‘live’ document reflecting the organisation’s governance procedures and systems. It should not be produced through a process designed solely for the annual report and accounts.

The governance statement should refer to the [governing body]’s committee structure; the [governing body]’s performance, including its assessment of its own effectiveness; and to ensuring that required standards are achieved. This should make reference to performance against the national priorities set out in the NHS Operating Framework 2011/12.

Source: Annual Governance Statements – Guidance, Department of Health letter to strategic health authority directors of finance, February 2012

For further guidance on completing governance statements and the role of internal audit as a source of assurance, see the Further Reading section.

RISK MANAGEMENT AND GOVERNANCE ROLES AND RESPONSIBILITIES

Risk management and governance roles and responsibilities are summarised in the following table.

Roles and responsibilities

Role/function	Senior management/governing body	Audit committee	Non-executives	Internal audit	External audit
Setting strategy and objectives	✓
Achieving strategy and objectives	✓
Identifying risks to strategies and objectives and managing risks	✓
Ensuring risks are controlled mitigated or managed (4Ts)	✓	✓	✓
Evaluating whether controls are sufficient to control or mitigate risk	✓	✓	✓	✓
Maintaining a sound system of internal control	✓	✓
Evaluating the system of internal control	✓	✓	✓	✓
Managing the assurance framework	✓
Reporting on the assurance framework		✓	✓	✓	✓
Scrutiny/evaluating the assurance framework		✓	✓	✓
Providing independent assurance		✓	✓	✓	✓
Improving the assurance framework	✓	✓	✓	✓

Chapter Summary

Forms of governance vary across the public sector, but all organisations need robust and effective risk management processes. The governing body is responsible for ensuring that risk management is adequate, that it has the appropriate risk appetite and that there is an embedded risk culture throughout the organisation.

The audit committee plays a vital role in seeking assurance that the governing body is managing risk well, and in challenging assurances about how the organisation controls and manages risk. A robust assurance framework is required to give confidence to an organisation’s risk management and governance processes. Internal audit is one of the key defences in providing assurance.

CHECKLIST FOR AUDITORS

Do you fully understand your organisation's governance and risk management arrangements?	□
Are you confident that the governing body and audit committee perform their roles effectively?	□
Are you able to contribute to the identification of risk and to improving risk management?	□
Are you valued as part of the assurance framework?	□

ANNEX 2.1: MANAGING RISK – A PRAGMATIC EXAMPLE

This example brings together the issues covered in the previous chapter in a clear and pragmatic way.

Lancashire County Council’s approach to managing risk is to use knowledge the council already has of its key issues to identify and understand risks. Rather than documenting each and every risk (which can be time-consuming and resource-intensive), it draws upon what is in place already – corporate strategies, senior management team agendas, discussion and actions around emerging issues, new projects and ongoing service delivery – to identify the risk environment.

Some key strategic issues are already well known and well managed and do not require any further layer of risk management documentation, whereas new projects or developments require a more structured risk approach. Day-to-day operations and service delivery receive assurance through internal audit activity and other forms of assurance.

Lancashire County Council: a revised approach to risk management

The council already manages its risks well in practice. In the past it had not always documented risks in the ways demanded by the external regulator, but action being taken by management teams across the council amounts to an effective ongoing process of risk identification, assessment and management.

Managers should therefore continue to be encouraged and supported to consider the potential threats and opportunities involved in any new service developments and improvements, and to monitor ongoing performance. Documentation of risks, related controls and mitigating action plans should be considered where this is helpful and appropriate and, where this is the case, risk registers should be prepared. This is likely to be appropriate for specific service development projects, when project risk registers should be monitored closely by the lead project manager and sponsor. Individual directorates should also consider risk specifically as business plans are prepared and monitored.

The management team will obtain assurance annually that risks are being adequately identified, assessed and managed by an annual snapshot of the issues being addressed by management across the council. The audit committee has also expressed a desire to periodically review a statement of the council’s key risks.

Assurance over specific risk areas will continue to be provided by the internal audit service through the annual internal audit plan. Internal audit work is designed to provide assurance over the management not only of changing risks, but also of those that may be significant but relatively constant while services remain stable. Such risks may not therefore be identified through a snapshot of management discussions but will be highlighted through directors’ discussions with the internal audit service and the resulting annual audit plan.

Principles

The county council generally manages risk effectively within the course of its normal operations through its management structure and governance arrangements:

■Managers have a good understanding of their services and service developments, and are able adequately to identify the risks involved.
■Managers understand the limits that the organisation places on the action that can be taken by any individual officer. There is a general awareness of what management action is appropriate and where further consultation and approval are required with colleagues and more senior managers. The organisation therefore recognises its risk appetite in relation to the decisions it takes.
■There is a good level of understanding of what risk it is acceptable to take during the normal course of work and the organisation recognises its risk appetite in relation to its ongoing activities.
■Managers’ workloads should not be increased through unnecessary bureaucracy, in particular by preparing documentation solely to demonstrate (rather than support or enhance) effective management. The cost (in terms of the time involved) relative to the benefit gained by defining every possible risk in detail and assigning impact and likelihood scores to each risk associated with every planned or current activity is deemed too great to be generally worthwhile. However where there are known concentrations of risk, such as in new service developments, managers understand that they should document, monitor and manage these risks using the council’s scoring framework.
■The internal audit service works with individual directors and executive directors to consider the council’s assurance needs, and makes its own assessment of the internal audit work required to provide this assurance. Priority is given to providing assurance over the controls that reduce the greatest inherent risks to the greatest degree.

It is therefore considered unnecessary and an inappropriate use of resources to attempt to document and individually score each risk arising across the whole of the council’s business. Instead, an assessment of the risk management arrangements is made; for example:

New projects and service developments

Management control	Evidence of management
Directorate management teams, with cascade down to service teams as the issues develop, and up to management team for information	Corporate strategy or equivalent Directorate strategy/business plans Directorate management team agendas and papers Project risk registers

Management control

Evidence of management

Directorate management teams, with cascade down to service teams as the issues develop, and up to management team for information

Corporate strategy or equivalent

Directorate strategy/business plans

Directorate management team agendas and papers

Project risk registers

ANNEX 2.2: BUILDING AN ASSURANCE FRAMEWORK

Benefits

The following are some of the benefits of a planned assurance process:

■It provides an evaluated opinion, based on evidence gained from review, on the organisation’s risk and control framework, particularly the management of key risks and the achievement of objectives and targets.
■It informs the components of the governance statement and the ongoing assessment and positioning of risks on the corporate risk register.
■It supports the demonstration of governance arrangements.
■It is a means of rationalising assurances. Focusing on key assurance needs may identify some efficiency savings. Undertaking a whole service delivery assessment of assurance needs provides opportunities to streamline the existing review, monitoring and reporting requirements.

The assurance process can also be used as a means of communication, enabling management and others to focus on key assurance needs:

■for directors and divisional heads, in informing them in a graphic way of their assurance responsibilities as risk owners, and in turn informing year-end stewardship declarations
■for audit committee members, as a useful training aid on the key assurance needs of the organisation; how these are obtained, evaluated and co-ordinated into an overall opinion on risk, control and governance
■for the external auditor, in informing the annual certification audit of accounts that the key issues have been thought through.

Sources of assurance

Assurance can be derived from all aspects of work that deliver feedback; that is, management information in the form of reviews, quality control and the oversight of deliverables. For example:

Sources of assurance

Challenging assurance

Management governing bodies and audit committees receive assurance in various forms throughout the year on their risk management and delivery frameworks. They need to question the relevance, reliability and completeness of the assurance received:

■Is there sufficient evidence to support the conclusions reached on key risks and key delivery targets?
■Where does the assurance come from and is it relevant to the key concerns and the key risks?
■How competently has the work on which it is based been undertaken?
■Is too much assurance being obtained?
■Are there opportunities to streamline the whole process and make efficiency savings?

In order to answer these questions and to be able to place reliance on the assurances received, the governing body must first have determined its assurance needs and assessed from where the assurance is to be derived.

This assurance is based on a number of principles.

Principle 1 – Planning to gain assurance

Assurance strategy

Reliable, relevant and complete assurances will only be gained if the top of the organisation decides to obtain them, and this requires a dialogue reported through the various layers of management to the governing body about what is required. This is a key stage in the process.

It may be necessary to map the assurance needs of the organisation against the key risks/delivery targets and to describe how the assurance needs are to be met, including the sources of the assurance providers. This may initially be quite a resource-intensive exercise, but could be carried out by a workshop of key players. Without it the organisation will never be absolutely sure it is getting reliable, relevant and complete assurance – and that in itself is a risk the organisation needs to assess.

Assurance process

The processes for obtaining assurance should be embedded into existing management processes (see the diagram below). Some organisations, for example, require their divisional heads to complete periodic and annual stewardship/assurance statements. These confirm that they understand the risk management systems they have in place, including where risks are transferred to a partner or third party organisation, and that they have provided assurance on those key risks identified by the assurance strategy.

It is very important that the assurance process is seen as integral to the normal risk management and delivery chain.

The assurance process

Maintenance

Departments need to plan how the assurance framework is going to be reviewed and maintained, who is going to do it and how often it needs to be done.

Principle 2 – Making the scope of the assurance boundaries explicit

In order to arrive at an overall opinion, the scope of the processes required for obtaining assurance needs to encompass the whole of the organisation’s risk and performance management lifecycle. This does not mean that every risk, every measure and every control has to be reviewed in order to obtain assurance. Corporately, assurance may only be needed on key risks and controls and enough of the other risks to support the overall conclusion. However, the review that takes place will need to provide:

■assurance on the risk/performance management strategy – ascertaining the extent to which all line managers review the risks/controls within the ambit of their responsibility and maintain dynamic risk and performance management arrangements
■assurance on the management of risks/controls – encompassing the key risks and enough of the other risks to support the overall opinion reached, and incorporating the extent to which the position of a risk might change on the risk register based on the assurances received
■assurance on the adequacy of the review/assurance process – quality assured to engender confidence in the review process.

Principle 3 – Evidence

The evidence supporting assurance should be sufficient in scope and weight to support the conclusion and be:

■relevant
■reliable
■understandable
■free from material misstatement
■neutral/free from bias
■such that another person would reasonably come to the same conclusion.

Principle 4 – Evaluation

The objective is to:

■evaluate the adequacy of the risk and performance management policies and strategies to achieve their objectives
■evaluate the adequacy of the risk management processes designed to match residual risk to the risk appetite
■evaluate the adequacy of the performance management processes to support the achievement of targets and goals
■identify limitations in the evidence provided or in the depth or scope of the reviews undertaken
■identify gaps in control and/or over-control, and provide the opportunity for continuous improvement
■support preparation of the annual governance statement.

The organisation will need to bring together and evaluate the various assurances. Internal audit has a key role in this process and its audit programme should allow it to:

■Understand what is actually going on and to make a judgment about whether improvements are necessary. (Is there sufficient evidence to support the conclusions reached in relation to key risks/outcomes achieved?)
■Measure the effect of control against the effect intended in relation to the delivery of objectives. (Are risks relating to all business operations actively managed and responded to, so as to prevent control failures or the undesired exposure to threats to the achievement of objectives?)
■Know whether the organisation is living within its risk appetite. (Is the organisation exposed to risks beyond its risk appetite and/or has the nature of a risk changed such that its position changes on the corporate risk register?)
■Know whether the performance management framework and processes to measure achievement against targets and goals accurately inform management of progress towards the achievement of objectives.
■Take opportunities to progress through continuous improvement. (Is there a plan to address weaknesses where these exist, and to ensure continuous improvement to risk management and control?)
■Report and evaluate the assurance evidence in order to form an overall opinion. (Are there gaps in the assurance provision or in risk/performance management leading to control failures?)

In evaluating evidence to arrive at an overall judgment or opinion, all of the evidence criteria need to be considered. However, it is important to recognise that:

■Not all evidence is of the same weight in deriving assurance. Evidence should be weighted according to its:
– independence – the more independent the evidence, the more reliance can be placed on it; however, circumstances may exist that could affect the reliability of the information obtained (eg for independent external evidence to be reliable the source of the evidence must be also reliable)
– relevance – in determining the overall assurance, there is a need to ensure that the evidence relates to those elements of the risk management lifecycle that are considered significant, and evidence relevant to the more significant risks is consequently of greater relevance to the overall assurance.
■Evidence may be flawed in terms of both quantity and quality where the evidence criteria are not met, leading to limitations in the assurance that can be provided. For example, merely obtaining more evidence will not compensate where the quality of evidence is low or where the source of evidence is not reliable.

Principle 5 – Reviewing and reporting

Assurances come from many different sources, both external (eg suppliers and contractors, third parties) and internal (eg management, practitioner review). The assurance strategy needs to define stages where assurances will be evaluated and opinions reported through the various layers of management to the governing body.

Assurance opinions need to be reported clearly, and worded so as to communicate clearly the scope and criteria used in arriving at those conclusions.

Annex 2.3: HM Treasury example assurance framework arrangements

Source: Assurance Frameworks, HM Treasury, 2012

ANNEX 2.4: NHS trust assurance framework extract

Strategic objective	Risk	Controls	Governing body assurance
Improve quality outcomes and patient satisfaction	We do not have in place effective arrangements for monitoring and continually improving the quality of healthcare provided to our patients, which have regard to: i) assessment against Monitor’s quality governance framework ii) Care Quality Commission information iii) trust metrics including information on serious incidents, patterns of complaints.	C1 – Executive accountability – all execs C2 – Organisational structure C3 – Performance management system C4 – Assurance committee (quality and safety) C5 – Governing body of directors C12 – External regulation	Quality strategy Assurance reporting: ■design of strategy, expected levels of performance and metrics ■risks to delivery and mitigation ■delivery: have we improved what we set out to improve? Performance dashboard: ■performance against goals (targets, clinical outcomes, patient safety and experience, cleanliness). Quality and safety assurance report: ■serious incidents and patterns of complaints, resolution. Audit assurance: ■audit of processes for escalation, resolution and data quality ■compliance with legislation ■governance systems. Triangulation assurance: ■staff satisfaction ■patient voice ■quality and other benchmarking data ■peer and external review ■readmissions.

Strategic objective

Risk

Controls

Governing body assurance

Improve quality outcomes and patient satisfaction

We do not have in place effective arrangements for monitoring and continually improving the quality of healthcare provided to our patients, which have regard to:

i) assessment against Monitor’s quality governance framework

ii) Care Quality Commission information

iii) trust metrics including information on serious incidents, patterns of complaints.

C1 – Executive accountability – all execs

C2 – Organisational structure

C3 – Performance management system

C4 – Assurance committee (quality and safety)

C5 – Governing body of directors

C12 – External regulation

Quality strategy

Assurance reporting:

■design of strategy, expected levels of performance and metrics
■risks to delivery and mitigation
■delivery: have we improved what we set out to improve?

Performance dashboard:

■performance against goals (targets, clinical outcomes, patient safety and experience, cleanliness).

Quality and safety assurance report:

■serious incidents and patterns of complaints, resolution.

Audit assurance:

■audit of processes for escalation, resolution and data quality
■compliance with legislation
■governance systems.

Triangulation assurance:

■staff satisfaction
■patient voice
■quality and other benchmarking data
■peer and external review
■readmissions.

Source: Mersey Internal Audit Agency

Previous | Next