64 Virtual Brochure – March 2025

Risk and assurance

• Integrating risk management. So that the risk management process supports and adds value to other institutional activities, whilst avoiding duplication, it should be aligned, linked and integrated with those activities. For example: from a planning process perspective; from a portfolio, programme and project risk perspective, developing a risk register that captures risks across the strategic projects; and from a compliance / assurance perspective, capturing institutional mandatory requirements from HESA, the OfS and others, and linking them to the management of the related strategic risks.

• Risk assurance framework. A risk assurance map which highlights, for each key risk, the extent of assurance across the three lines of defence, as well as the effectiveness of these sources of assurance. It can be used to identify areas where risk assurance may need strengthening.

• Integrated assurance approach / lines of assurance. Over recent years (across sectors), institutions have been discussing and exploring integrated assurance models. In doing so, it is vitally important that the development is logical, consistent and proportionate – with a consensus on what the hoped-for benefits will be and what is involved. Development of the ‘three lines’ flows from an assessment of how a risk is being managed. For example, having established the main related controls, it is important to understand the assurance framework in place – to give confidence that the controls are working effectively. Hand in hand with this is the development of KPIs, which can be viewed in tandem with the success / effectiveness of controls and the work of the lines of defence. Once fully articulated, an assessment can be made as to the effectiveness of the management of the risk across the three lines.

From an Audit and Risk Committee perspective, clarity on key controls (and actions) linked directly with the target risk score, i.e. what needs to happen / be successful for the risk score to be acceptable (plus how assurance is being gained that the controls are working effectively), will mean that there is an integrated risk and assurance process in place.

• Integration with internal audit. The development of internal audit programmes and discrete audits (third line of assurance) should be considered in the context of the two other lines of assurance. The work of the first two lines of assurance gives institutions, including Audit and Risk Committees, sight of and greater confidence in the clarity of controls, responsibilities and oversight, and there is therefore potentially less need for third line assurance. Where internal audits (or other independent assignments) are agreed / commissioned, there is greater clarity as to why the work is being undertaken and what the scope / focus should be.