In South Africa the King III Report and Code was released just over a year ago. The Code talks to corporate governance and in this latest release places an emphasis on IT governance (which is good – we’ll come back to this later).
Another catch phrase to gain prominence from the Report is ‘Combined Assurance’. The concept isn’t new, but in these economic times, when efficiencies are sought to manage costs, it is not surprising that the role of the assurance providers is being scrutinised. Those that don’t know better may feel that the likes of Internal Audit, Risk (Operational, Market, Credit, etc.) and Compliance are fulfilling very similar functions, or at least appear to do so from an execution perspective. If business perceives this to be the case then they are most certainly going to ask more questions about alignment and avoiding duplication. Enter Combined Assurance. This is the phrase business has been looking for to tell the assurance providers that it is time to spend more time talking to each other and less time talking to their hard-working staff. Correct on one level, but risky on another. This example is oversimplified of course – I am setting the stage for future discussions on the topic to explore it from various angles.
From a pure risk management perspective the idea of Combined Assurance makes sense – collaboration is key to improving the effectiveness of a risk management model, enabled by a clear definition of responsibilities, dependencies and relationships. In the IT space the concept of a multi-layered line of defence (or ‘defence-in-depth’) strategy has been around for some time. The objective is less around efficiency and more around ensuring that in the event of a control failure, or if something falls between the cracks, another control will be in place. This is vital when dealing with a constantly evolving threat landscape, although it may not directly address the issue of independence.
A risk is that too much focus on efficiency may ignore effectiveness. By concentrating on how better to avoid duplication, something may be missed, or an additional layer of monitoring could be removed that really needs to be there. Perception may be the only thing that needs to change, or not. But this topic is certainly worth exploring. Business asking questions should not be the only driver – it makes logical business sense.