Turning actions into assurance: Obtaining assurance from your actions


Do you have effective governance? Are risks being effectively assessed, monitored and mitigated? How do you ensure regulatory compliance? Where do you get your assurance from?

These are key questions for those responsible for corporate governance and the assurance framework to ask. Actions from assurance reviews are key information in highlighting areas where action is needed to strengthen an organisation’s governance framework. And so, another essential question to ask is: Are actions being effectively implemented and embedded across your organisation?

Actions of any kind, including those from assurance reviews or audits, need to be implemented to be of use. The first step is to ensure that actions are SMART and have buy-in from management and staff. In this blog we will look at how to increase the likelihood of actions being implemented, so that an organisation obtains the assurance from the reviews undertaken.

A structured approach to action tracking

Governance Boards, Audit Committees and the main Board should be engaged in ensuring that actions arising from any assurance review are implemented and that there is a robust framework in place for monitoring.

The likelihood of actions being implemented is greatly increased if there is a structured approach in place providing visibility of, and accountability for, progress.

Below we look at some key elements that we believe provide robust tracking of actions.

Documenting actions: all actions should be documented in full alongside the owner(s) and implementation date to give a clear picture of what action is required, by whom and by when.

An app or system can be used to ensure that reminders are sent to owners (and others if required) at set intervals before an action becomes due to allow time for implementation.

 
 

Making changes: An action tracking process should allow for controlled flexibility in changing implementation dates as well as owners and potentially the actions themselves. Whilst actions may have resulted from an assurance review, they are owned by management and management should have the ability to revise them to ensure that they are implemented in the best way for the organisation.

It is crucial to respond in an agile way where actions are not being implemented, seeking to understand why and taking steps to address any underlying issues. Actions are not set in stone and need to remain relevant and feasible to remain useful.

Where a change is made the organisation should consider why it is required:

  • Are additional resources such as funds and/or people required? Can these be provided? If not, can the risk be tolerated?
  • Is the action clear?
  • Is ownership of the action clear and appropriate? Does anybody else need to be involved?
  • Is there sufficient working together where the action requires input from multiple teams or departments? If not, how can this be addressed? This is one example of where assurance reviews can point to broader considerations for organisations, in this case whether there is a culture of working together across the organisation.
  • Have circumstances changed so that the action is no longer required or needs to be adapted to remain relevant?

To make changes without compromising the original action and the assurance required, it is key that changes are approved, which can be formalised within an action tracking app or system. Any changes should be justified, and any impact on the risk should be documented along with why this can be accepted.

Reporting actions: The who, what, when, why, how approach is useful here:

Who: Who needs to see the progress in implementing actions to ensure that assurance is being obtained? As a minimum this should be the Board who are responsible for the organisation’s governance and risk management frameworks. There may also be other audiences such as individuals who report to regulators or managers of staff responsible for implementing actions.

What: It is key to determine what information gives the Board and management assurance. What do they need to see to have a clear, accurate view of what is happening on the ground? Is the information easy to understand, and is it easy to pull the key points from it? Has feedback been obtained on whether recipients are happy with the information that they are receiving and how it is being used effectively to make decisions?

The Board may also wish to consider any additional information they would like to see to support the action taken, for example verification that the action has been implemented by review of the revised processes.

The Board should also consider what lessons have been learnt as a result of the actions undertaken that can be applied to other areas of the business. This will ensure that action is taken to address all relevant assurance gaps and strengthen the assurance framework in all areas required. It can also facilitate joined-up working across the organisation and improve efficiency by reducing the likelihood of duplication.

Why: Actions are important because they highlight weaknesses in the control environment where assurance is required; the Board need to receive information that this is being done so that, coming full circle, they can use the information in their decision making and take action where required.

It is useful for an organisation to consider implementation of actions at a consolidated as well as an individual level. If there is a theme of actions not being implemented this can point to factors such as a lack of engagement with or understanding of the process or inability to deliver due to unclear ownership, insufficient resources or competing requirements. These are areas where the Board may decide to act and where information on action tracking is more than the sum of its parts.

When: A key aspect of information is having it available in real time. Information can then be provided to formal settings such as Board meetings but is also available for monitoring on an ongoing basis.

How: A standard process should be used to ensure consistency of information. Action tracking apps and systems are available which provide structure and functionality, such as multiple owners to facilitate collaboration and reporting suites to facilitate effective reporting. Regardless of what system is used, a clear, documented process should be in place and communicated.

A dynamic approach and confirming implementation

Above all, action tracking requires a dynamic approach of continuous management. Implementing actions is, and should be seen by management as, part of continual risk management by an organisation.

Actions raised as part of an assurance review start a chain of actions tracking implementation:

 
[Figure: Chain of actions]
 

The final box above can be an area where organisations fall at the final hurdle and have a false sense of security that actions have been implemented and gaps in assurance addressed. It is not enough to rely on an action being signed off, and a further key question for Boards to ask is: What confidence do the Board have that the actions have been implemented as reported?

There may be management information that the Board can review which evidences implementation. The Board may also wish to use peer reviews (reviews undertaken by subject matter experts within the organisation who are not directly involved in the process) or independent follow-up reviews to confirm that the action has been fully completed and that any revised processes have become embedded as business as usual.



At Elsiarc we are experienced in helping organisations and their Boards establish an effective system for monitoring the implementation of actions, including effective reporting as part of a robust governance framework, and in assisting organisations with the implementation of peer reviews.

Our experience covers actions arising from:

  • Internal Audit reviews
  • Internal Quality reviews
  • Whistleblowing and other investigations
  • Fraud reviews
  • CQC inspections
  • Other regulatory inspections, e.g. HSE

Please contact us for further information on the above or to discuss whether the introduction of an action monitoring application would help streamline the manual process you have in place and provide greater visibility.
