Many organisations of all sizes invest heavily in risk management. The benefits of identifying and managing strategic and operational risks, within the boundaries of the organisation’s risk appetite, are widely recognised.

For a small start-up this may be as simple as investing executive time in assessing and weighing the risks. Larger organisations often implement Enterprise Risk Management systems to expand the reach of their risk assessment and control. Boards, management executive groups and audit committees receive regular risk reports which set out the key controls and mitigations strategies in place to manage these risks along with additional mitigations proposed to bring the risks to level compatible with their risk appetite.

When sound risk management practices are in place a key question is for all organisations is: How do we get assurance regarding the effectiveness of these controls and mitigations?  

Assurance can of course come from a variety of sources, and the number and complexity of these also changes as an organisation grows. Boards and senior management can be overwhelmed by the number of reports from different sources providing assurance over different aspects of risks and issues leading them to think that associated risks are being controlled effectively when they may, in fact, not be. This is because the assurances are frequently not well coordinated, and there can be gaps and cracks, as well as overlaps. Even worse, some of the assurances may not match well against the underlying risk leading to inappropriate reliance.

As technology allows organisations to monitor risks and develop controls in increasingly sophisticated ways, the job of getting the right assurance in the right place must also become more sophisticated.

Assurance maps are designed to help businesses overcome these weaknesses and can create considerable value for the organisation.

Assurance is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. An assurance map is a structured means of identifying and mapping the main sources and types of assurance in an organisation across the four lines of defence, and coordinating them to best effect.

In a smaller or less complicated organisation, a full assurance map will not be needed. However, the same principles apply and the assurance mapping approach can still be a useful guide for thinking through the connection between risk management and assurance.

While good risk management practices will help an organisation to identify and focus well on its major risks, good governance also requires effective management and mitigation of those risks. An effective and efficient framework is needed to give sufficient, continuous and reliable evidence of assurance on organisational stewardship and the management of the major risks to organisational success and delivery of improved, cost effective services. An assurance map is the tool that enables this evidence to be assembled. It also provides the evidence that may be needed to support:

• management confidence in their assertions;
• audit committee assurances to the board on the state of internal controls; and
• public statements by the board as to the state of internal control.

An assurance map shows:

• Key elements over which assurance is required. This will change depending on the type and size of organisation.
• The 'four lines of defence'. The details of who provides what can vary for each organisation.
• Any gaps where no assurance is provided.
• Further useful information can be added to enhance the example given, such as the quality of assurance provider and the outcome of the assurance.

An example of a simple assurance map

An assurance map can provide a basis on which to communicate with stakeholders and begin quality conversations. This is because there are benefits for each of the groups (or the four lines of defence) that may make use of the map. Together they should enable the board to make more reliable and robust reports to its stakeholders about the organisation’s state of internal control.

The benefits of assurance maps for each group are set out in the presentation designed to promote the concept to senior management.

To support the creation of useful and relevant assurance maps, we have idenfitied 10 key steps to follow: 

• Read more detailed guidance on the 10 steps
• Watch our webinar providing practical guidance on the 10 steps.
• Read our summary of how to develop an assurance map

An assurance map is a live document that should be constantly reassessed and updated. At a minimum, it should be reassessed and approved annually, following the 10 steps to determine if there are new or changed elements, assurance providers or assurance activities. The desired or required amounts of assurance may also change for a variety of reasons, which would also lead to a new assessment of the map and updated action plan.

 Failure to embed the maintenance process in your organisation will waste much of the effort committed in creating the Map for the first time. Accordingly, the embedding process should start during the preparation of the assurance map itself.

• Read our summary of How to make your assurance map live

Get started on following the 10 steps and preparing an assurance map for your organisation, by downloading a template assurance map.

• Download the template assurance map