HOW BOARDS CAN BENEFIT FROM AN INTEGRATED ASSURANCE MODEL AND FUNCTION IN CORPORATIONS

To effectively oversee enterprise risk and integrity management in corporations, boards need to rely on and foster sound information architecture and solid structures and processes in the company.

However, after decades of investment in risk and compliance management systems, corporations are still struggling with the complexity of the global risk landscape, ever-increasing regulatory activities, and a lack of trust by society in their ability to manage ethical dilemmas and crisis situations.

Recent laws on supply chain due diligence, human rights and environmental, social and governance (ESG) standards, along with responsible artificial intelligence (AI) advancement, pose challenges for boards. Despite receiving detailed risk and compliance reports from management, it is increasingly difficult for boards to understand the overall risk and integrity situation of the company they are overseeing. This issue arises from the traditional, siloed approach in companies of how to manage and structure crisis, risk and compliance topics.

Risk management is often detached from the strategy of the company and reduced to number-driven financial risks. Compliance is in many companies divided into different functions, such as anti-bribery, data privacy, quality, human rights, health and safety, trade sanctions and cyber security. But a siloed governance approach lacks the capability to offer comprehensive horizontal alignment for assessing risks and integrity challenges.

And crisis management is too often seen as a technical tool of the security department instead of putting it into the wider context of risk management, business continuity and constant monitoring. Given this situation, how can the board effectively assess the risks and integrity challenges of a company?

Integrated assurance as a new model for horizontal ethics, risk and compliance management

The term ‘assurance’ is frequently applied too restrictively within the context of audit and accounting. Horizontal alignment is achieved through integrated assurance, which involves unified, comprehensive and consistent taxonomy and accountability across the four dimensions of governance, risk management, compliance and internal controls, because these four areas are interconnected. Good governance sets the framework for integrated enterprise risk management, which informs an effective, risk-based compliance programme based on internal controls with clear accountabilities.

The four interconnected assurance areas are outlined below.

First, governance provides assurance that accountability within the enterprise is clearly defined, and that policies, controls and technology are well-structured and linked.

Second, risk management provides assurance that organisational risks are being identified and managed effectively, and that a crisis and business continuity system is in place.

Third, compliance provides assurance that the organisation is complying with relevant laws, regulations and policies by applying a comprehensive prevent-detect-respond approach for all compliance risks.

And fourth, internal controls provide assurance that the organisation’s internal controls are properly designed, implemented and run within the risk and compliance framework.

To bring these four components together, some corporations (mainly from regulated industries) have combined ethics, enterprise risk management and compliance into one organisation. The aim is to get the often isolated and fragmented second line of defence functions out of their organisational and process silos. This provides executive management and supervising boards with an integrated solution on how to address and manage regulatory and reputational risks across the enterprise.

Of course, a pure organisational integration of various risk and compliance functions is not sufficient to deliver effective integrated assurance. It is of crucial importance that the organisational setup improves coordination and efficiency across the different assurance activities and controls by harmonising the policy and process landscape as well. Acknowledging that no single function within a corporation ‘owns’ ethics, an integrated assurance function also has the role of a ‘catalyst’ to foster an environment of integrity, using principle-based decision making and behavioural science rather than over-controlling and over-regulating.

Last, but not least, the collaboration with the internal audit function is key to achieving the aim of a joint taxonomy and root cause analysis to enable management to exercise their duties. The independent audit function, which often has a formal reporting line into the board’s audit committee, is an important partner for an integrated assurance function – but is clearly distinct from it, as the third line of defence in a company’s governance model.

A functional and organisational approach toward integrated assurance requires a seat at the table of senior management, to make an impact across all business units and functions. If done well, it has the potential not only to increase the overall durability and effectiveness of the assurance level within the corporation, but also to avoid organisational fatigue or resentment caused by unnecessary complexity and duplication of a fragmented, decentralised assurance approach.

Board benefits of an integrated assurance model and function

The advantages for boards of adopting an integrated assurance model are evident. Rather than receiving detailed yet fragmented information derived from equally fragmented processes and structures, the board receives a comprehensive assessment from management regarding the status of integrity, risk and compliance. This allows the board to focus on strategic risks and important operational challenges, to better observe the interconnections between them and make sound decisions based on them.

By way of example, a dialogue on geopolitical risks between the board and management frequently remains at too high a level to enable the board to comprehensively grasp the implications for strategy and business operations. But if linked to the overall risk and crisis management of the company in the sense of integrated assurance, it can be extremely valuable.

Very often, geopolitical risks are impactful amplifiers for a company’s existing strategic, operational and reputational risks; for example, the business of a multinational corporation with US and China, given the US-China tensions on trade and technology transfer. Specific mitigation measures, such as adopting an alternative sourcing strategy for supplies from China, can be more effectively evaluated and formulated within an integrated assurance model.

Setting up an integrated assurance model is unlikely to be straightforward. There will be pushback from individual management functions that fear losing power. There may be concerns about establishing a function within the organisation that is perceived as too powerful. The legal department may object, concerned about the creation of too much ‘non-privileged’ information in the company, with the risk of discovery proceedings. Given the benefits of such an organisation for effective ethics, risk and compliance management, these concerns should be manageable. It is evident that legal counsel needs to be involved in the assessment of certain pertinent risk areas that create legal exposure for the company.

Having the head of the assurance function and the chief legal officer as peers in executive management will help to foster a healthy collaboration on how to manage these interfaces. Furthermore, it may be advisable to keep some functions outside the organisational setup of the integrated assurance function in case their organisational complexity and required technical knowledge could be considered a differentiating factor.

An example within the pharma industry is the ‘quality organisation’. To maintain an integrated assurance approach, such a standalone organisation should, however, fully participate in the enterprise’s risk and crisis management and control activities, led by the integrated assurance function.

The role of the board in implementing an integrated assurance model and function

The decision to set up an integrated assurance model and organisation is of strategic relevance and changes the organisation of the company. Therefore, the board needs to take the initiative and ensure that the function is empowered and sufficiently resourced. To be impactful and visible, the function head should be a member of the company’s executive leadership team, which also requires a vote by the board. These decisions should not be taken against the will of the chief executive and the C-suite, but in close alignment between board and management.

An integrated assurance model and organisation has significant relevance for the functioning and organisation of the board itself. It is, however, advisable that the integrated assurance function does not report formally to the board or one of its committees. The function head, as part of management, should rather be a permanent attendee of relevant board sessions, especially of the audit (and compliance) committee and – if it exists separately – the board’s risk committee. The integrated assurance function is the second line of defence, and distinct from internal audit as the third line of defence.

The board may also consider mirroring the integrated assurance model in its own board committee structure. Instead of separate audit (and compliance), risk and sustainability committees, the board may consider bundling these committees into an ‘audit and assurance committee’. Considering the footprint and complexity of their business structures and operations, this may pose challenges for large multinational companies. However, it is worth exploring for smaller publicly listed corporations.

It is important to emphasise that the role and responsibility of the board does not stop with the decision to set up an integrated assurance function. The board – and its relevant committees – would need to ensure continuous oversight of the new model and must make time for reporting and discussion on the board calendar.

Beyond monitoring and reporting, the board should align on how input from the integrated assurance function feeds effectively into board decision making, and that it aligns with the company’s strategy as new risks and compliance challenges emerge.

Apr-Jun 2025 Issue

Klaus Moosmayer | Executive Committee Member & Chief Ethics Risk and Compliance Officer, Novartis