A board must turn its attention to where it can make its greatest impact, given its environment, organisational history, knowledge, and skills. In so doing, trustees make assumptions, well-informed or not, about the depth and breadth of the processes and knowledge that form part of normal day-to-day operation.

Assurance is often assumed on the basis that there have been no contrary occurrences, or that informal communication channels can be expected to surface concerns because long-held relationships are strong. There is a belief, built on trust and confidence in delegated committees, executive leaders, and the wider workforce, that issues of non-compliance will be identified and reported. This belief is not evidence of effective controls.

A risk register captures the organisational risks identified by the organisation's leaders and the actions named as mitigating the impact or likelihood of the risks occurring.

A Board Assurance Framework (BAF) does not replace risk management processes; they are an integral part of each other. What it does do is create a keener awareness of the strength of the assurance processes, actually in operation, throughout the organisation, that inform how risks themselves are identified and managed. It looks at the positive assurance already in place and identifies gaps or weaknesses. It shines a light on whether risk mitigation actions are effective.

This practice takes a positive perspective, i.e., what are the assurance processes that we have and can rely upon? This changes the conversation without discounting the problems or risks themselves. Once developed, a BAF can become a simple, sustained management tool that reduces the need to divert leadership and governance attention to identifying new actions that may ultimately have no impact.

What is a Board Assurance Framework?

We can transfer good practice and ideas between sectors, and, in the health sector, BAFs have been in place for many years. The Chartered Governance Institute, UK & Ireland, promotes BAFs as enhancing governance and risk processes across all sectors. Charities, academy trusts, and other non-profits are starting to adopt them and finding that their introduction leads to greater awareness and better conversations.

A BAF is a structured approach for ensuring that boards receive the right level of accurate, reliable, and timely information and that the source of that evidence has been assured. It is also a practical management tool that aids staff supervision and helps to challenge how risk mitigation actions are being effective in actually reducing risk and enhancing assurance.

A BAF helps to address the reason why, so often, risk registers become stale, with increasing numbers of actions and mitigations having no impact on assessed ratings of residual risk. If the action does not reduce the risk, then it is an ineffective action if done for that purpose.

Assurance may be through internal and/or external validation. A BAF facilitates the triangulation of information to enhance the level of confidence trustees have in each individual data source. A BAF therefore represents the consolidation of what goes on within an organisation to keep it safe and thriving, drawing it all together into a single document.

Board Assurance – turning assumptions into evidence.

What questions does a BAF help to address?

The development of a BAF introduces a common language into the organisation and invites everyone to ask:

  • What are the charitable, business, or educational activities that we need assurance on?
  • What is the source of that assurance – internal or external?
  • Is it the only source of assurance or are there other sources?
  • Is the level of assurance enough, given its associated complexity and inherent risk? Are multiple sources needed?
  • Is the assurance timely enough to be useful?
  • What is the purpose of this control or process? How does it actually contribute to enhanced assurance?

By answering these questions, systematically and objectively, trustees and management start to build a deeper understanding of the organisation itself. For employees, who typically perform most of the internal assurance processes, it gives meaning to their work and aligns their actions to the board's strategic and operational plans.

The 3 levels of assurance

All sources of assurance can be attributed to three levels (or lines) of assurance:

  • First level – the controls and checks performed by the individual/department undertaking the activity. These will typically be set out in process or policy documents, and the strength of the assurance will be determined by the rigour of the internal processes adopted and by the competence and professionalism of the individuals implementing them.
  • Second level – the additional internal supervisory and quality checks and processes that the organisation puts in place to review or validate the accuracy and integrity of the first-level controls.
  • Third level – assurances provided from outside the organisation through reviews, audits, inspections, etc.


Where to start

Every organisation will approach the implementation of a BAF differently, and there are many methods for doing so. Here, we suggest one simple approach, followed by a practical example of one assurance area:

  • Ask a different question – 'what are the high-level assurances I need to give me confidence in the delivery of the strategic/ business objectives and key controls?' i.e., I need to know that
  • List all the sources of assurance that are in operation within the organisation. Include policies, processes, supervisory checks, performance appraisals, exception reporting, peer reviews, audits, inspections etc. Assign a line of assurance to each one (1-3).
  • Map those sources of assurance against the high-level controls and strategic objectives. You will then have a grid map of all the sources of assurance against the business objectives and key control areas.
  • For each assurance mechanism, judge its effectiveness in providing assurance, using a form of rating system. Questions: 'What is this mechanism serving? How does it provide assurance?'
  • Step back and repeat to different levels of detail, depending on what is most useful.
  • Identify any gaps, weaknesses, and duplication of actions and, from there, prioritise the activities that need targeted action to develop stronger assurance mechanisms.
  • Re-visit the risk policy and register in the light of the detailed assurance framework that you have developed. What changes to risks and their assessments emerge from gaining a deeper understanding of the assurance system?


An example: premises management

Strategic objective: That the organisation/group is fully compliant with all legislation and best practice.

[Image: assurance table for the premises management example – rows for premises compliance, IT controls and business continuity/disaster recovery, rated across assurance levels 1 to 3]


This is an example of a board seeking to understand the processes in operation that provide assurance on specific areas of the premises management process. The assurance table is populated with examples of responses that you may find in your own organisation. The table can be interpreted as follows:

One

At Level 1, the Premises Manager has assessed the level of assurance operated by the Premises team as Strong (Green), based on their monitoring of compliance checklists, service rotas, and contract monitoring. Senior management undertake detailed reviews of the Premises Manager's compliance schedules and statutory test reports, proactively undertake site visits, and attend contract management meetings.

The senior manager also asserts that these higher-level management checks are detailed enough to provide Strong assurance at Level 2. However, through her checks of statutory testing records, the senior manager is confident in the process design but less confident that all relevant staff are trained and experienced in undertaking and analysing statutory tests. An Amber rating has therefore been given in this area, indicating potential gaps in overall assurance.

In the area of building maintenance, the organisation engages reputable and accredited property management consultants and has a high level of confidence (Strong assurance) in the rigour of their work and reports.

Two

The IT Manager implements Level 1 assurance processes for IT controls, and these are reviewed by a senior manager. The IT Manager is confident that the designed processes are implemented rigorously but is less confident about whether there are any further controls that need to be implemented to protect against cyber risks. The senior manager is also unsure whether his own skills and knowledge are sufficient to provide assurance to the audit committee. Independent checks are undertaken as Level 3 assurance mechanisms, but only in specific areas. The lack of confidence in skills and knowledge at Levels 1 and 2 undermines the assurance gained from the scope and breadth of the independent checks, hence the Amber rating.

When reviewing the overall assurance rating, the board/audit committee decided that their risk appetite led them to conclude that further independent assurance would be needed to identify and close gaps in the assurance processes in this area.

Three

The COO and Audit Committee have identified gaps in their business continuity/disaster recovery plans and have therefore prioritised an independent internal audit in this area to provide the assurance they need.

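The mapping steps under "Where to start" and the premises management example above can be worked through as a small script. The code below is an added illustration, not a tool from the article or from any named organisation: the control areas, assurance sources, levels and RAG ratings are constructed to mirror the worked example, and the scoring rules (weakest rated source sets the overall rating; a level with no source, or a single source with nothing to triangulate against, is a gap) are assumptions chosen to reproduce the reasoning in the text.

```python
"""Build a simple Board Assurance Framework (BAF) map and flag assurance gaps.

Added illustration, not the article's own tool. Sample data below is constructed
to mirror the premises management example; scoring rules are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum

LEVELS = (1, 2, 3)  # 1 = doing team's own checks, 2 = internal supervision, 3 = external review


class Rating(IntEnum):
    """Judged strength of one assurance source (RAG: red / amber / green)."""
    RED = 0
    AMBER = 1
    GREEN = 2


@dataclass(frozen=True)
class Source:
    """One assurance mechanism: its line (1-3), judged rating and the areas it covers."""
    name: str
    level: int
    rating: Rating
    areas: tuple


@dataclass
class Assessment:
    area: str
    by_level: dict = field(default_factory=dict)   # level -> [Source]
    overall: Rating = Rating.RED
    findings: list = field(default_factory=list)


def assess_area(area, sources):
    """Map the sources covering one area onto the three levels and judge the gaps.

    Assumed rules, chosen to match the worked example in the text:
      * overall assurance is the weakest rated source, so Amber at level 1 or 2
        undermines a Green level-3 review;
      * a level with no source at all is a gap;
      * a single source gives nothing to triangulate against, also a gap.
    """
    a = Assessment(area=area, by_level={lvl: [] for lvl in LEVELS})
    covering = [s for s in sources if area in s.areas]
    for s in covering:
        if s.level not in LEVELS:
            raise ValueError(f"{s.name!r}: level must be 1, 2 or 3")
        a.by_level[s.level].append(s)
    if not covering:
        a.findings.append("no assurance source identified")
        return a  # overall stays RED
    a.overall = min(s.rating for s in covering)
    for lvl in LEVELS:
        if not a.by_level[lvl]:
            a.findings.append(f"no level {lvl} assurance")
    if len(covering) == 1:
        a.findings.append("single source: no triangulation")
    for s in covering:
        if s.rating < Rating.GREEN:
            a.findings.append(f"{s.name}: rated {s.rating.name}")
    return a


def assess(areas, sources):
    """Assess every control area, preserving the order the board listed them in."""
    return {area: assess_area(area, sources) for area in areas}


def prioritise(assessments):
    """Order areas for attention: weakest overall rating first, then most findings."""
    ranked = sorted(assessments.values(), key=lambda a: (a.overall, -len(a.findings)))
    return [a.area for a in ranked]


def grid(assessments):
    """Render the assurance map as text rows: area | level 1 | level 2 | level 3 | overall."""
    rows = []
    for a in assessments.values():
        cells = [", ".join(s.name for s in a.by_level[lvl]) or "-" for lvl in LEVELS]
        rows.append(f"{a.area} | " + " | ".join(cells) + f" | {a.overall.name}")
    return rows


# Constructed sample data mirroring the premises management example in the text.
AREAS = ("Statutory testing", "Building maintenance", "IT controls", "Business continuity / DR")
SOURCES = (
    Source("Premises team compliance checklists and service rotas", 1, Rating.GREEN,
           ("Statutory testing", "Building maintenance")),
    Source("Senior manager review of compliance schedules and site visits", 2, Rating.GREEN,
           ("Statutory testing", "Building maintenance")),
    Source("Senior manager check of statutory test records and staff competence", 2, Rating.AMBER,
           ("Statutory testing",)),
    Source("Accredited property consultants' maintenance reports", 3, Rating.GREEN,
           ("Building maintenance",)),
    Source("IT manager's own control checks", 1, Rating.AMBER, ("IT controls",)),
    Source("Senior manager review of IT controls", 2, Rating.AMBER, ("IT controls",)),
    Source("Independent checks of selected IT areas", 3, Rating.GREEN, ("IT controls",)),
    Source("COO review of BC/DR plans", 2, Rating.AMBER, ("Business continuity / DR",)),
)

if __name__ == "__main__":
    results = assess(AREAS, SOURCES)
    for row in grid(results):
        print(row)
    for area in prioritise(results):
        print(f"{area}: {results[area].overall.name}; " + "; ".join(results[area].findings))
```

Running the script reproduces the board's conclusions: building maintenance comes out Green with no findings, statutory testing and IT controls are Amber because a weak level 1 or 2 source drags down the overall rating, and business continuity/disaster recovery ranks first for attention because it has only one source and no level 1 or level 3 assurance at all.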

Application

Once fully developed, the BAF would typically be reviewed by the leadership team and audit committee annually, with contributory BAFs being reviewed periodically by their respective owners. It will form the basis for systematically and objectively judging which assurance areas should be subject to independent review and where further training or support is needed for Level 1 and Level 2 control owners.

In the premises management example above, the assurance framework gives permission for the senior manager to share her concerns and confidence level with colleagues and the board in a purposeful way. If, after an agreed period of time, she evaluates that the level of training and experience in the premises team remains inadequate, it is likely there would be a signal to the audit committee that an independent review of processes and skills in that area is required to understand where assurance gaps may be.

This action would probably have been taken anyway, but under a risk-based approach it would most likely have been triggered only once the risk crystallised, making it a reactive response. By adopting an assurance evaluation, the action becomes preventative and therefore more useful as a management and governance tool.

Conclusion

There is no doubt that, having spent years developing a culture and process for risk management, many organisations may be reluctant to develop an assurance framework and see it as duplicative. However, it is a natural evolution of risk processes for organisations that are becoming more complex, where it is harder for trustees and executives to keep track of everything without a systematic framework within which to do so. That is why it is being promoted as good governance practice.

The initial investment is in re-calibrating one's perspective from a risk to an assurance mindset to stimulate the new thinking. Once that is done, the implementation can become a rewarding and motivating experience for all.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.