Assurance is a fundamental risk management tool, a key principle of business, and the basis of legislation in many industries. Yet perspectives on what Assurance actually means vary widely from person to person, and a lot of people and organisations miss the mark completely.
The principles of Assurance are simple, and once you understand the basics, it can help you understand your role in the process, what you need to do, and, more importantly, what you should not be doing.
Before going any further, I want to make clear that this article is meant for people managing Assurance activities in safety, engineering, or other technical disciplines, or as part of a project delivery process. It does not cover assurance in regulated financial services industries.
Whenever I am asked to explain what Assurance is, I always say start with Google. Type ‘assurance’ into your search bar and the first thing that Google shows is the following definition: “a positive declaration intended to give confidence”.
This definition really sums it up for me, and I’ll explain this further below.
I have summarised some of the main points in the next few sections and I will come back and revisit some of these in more detail in future articles.
The following example looks at the relationship between two different organisations, but the principles apply equally to employees or other internal arrangements.
In this transaction, one party gives Assurance, and the other party receives Assurance.
The party receiving Assurance usually has a legislative or commercial responsibility for an outcome; we'll call them Client A. Client A engages another party to undertake some activities for them; we'll call them Supplier B.
These engagements usually have a contract or agreement whereby Client A gives Supplier B delegated authority to undertake activities on their behalf. While Client A remains accountable for the outcomes, Supplier B will be accountable for the activity that they are undertaking and retain the liability if they get it wrong.
Client A should be confident, without getting too involved, that Supplier B is correctly undertaking the activity they have been engaged to complete. This is where the Assurance transaction comes in: Supplier B gives Assurance to Client A, and if all is well, Client A accepts the Assurance from Supplier B.
For me, the simplest way to provide Assurance is by demonstrating two things: that the people doing the work are competent, and that they are following the approved processes.
Supplier B should therefore be able to give Client A confidence that competent people are applying the approved processes.
For Client A, as the receiver of Assurance, it is OK to undertake some checks of Supplier B’s outputs or evidence, but extreme care needs to be taken when doing this.
Sometimes an Independent Assessor is engaged to undertake due-diligence on high-risk projects on behalf of Client A. The principles described in this article apply to the Independent Assessor as if they were Client A.
For example, if Supplier B has produced a large number of deliverables for the client, due-diligence could mean randomly selecting one or two of them and doing a deep dive into the process followed and the evidence behind it. If those are acceptable, Client A can have confidence that the processes are being applied.
Note: Reviewing and approving the outputs of Supplier B is not due-diligence. If Client A starts to review all of the outputs, providing comment on the documents, issuing instructions, and approving them prior to acceptance, Client A is taking on some of the liability (i.e. risk) for the work they have engaged Supplier B to do on their behalf. This is no longer just Client A receiving Assurance; it is Client A stepping in to apply control and management over Supplier B.
This is the biggest mistake I see in Assurance. When a client becomes too hands-on and starts approving, or worse, directing the supplier, they are also taking on some of the risk. Not only is this a huge waste of time and money, but should something go wrong, Supplier B can simply state that Client A approved it, or even instructed it. The only thing that happens then is that a lot of lawyers get rich.
This is a particular concern where safety, environmental, or financial responsibilities are involved, and could even lead to criminal charges being laid against Client A following an incident.
Getting the right balance for due-diligence checks is without a doubt the most difficult thing about Assurance. Knowledge and industry experience are crucial when it comes to knowing when to undertake due-diligence checks and, more importantly, when not to.
It is recommended that the client has a set of documented, risk-based criteria that give a recorded reason for each decision to check or not to check (i.e. do not leave it to individual judgement).
It is always worth going back to the delegated authorities in the contract, or maybe even clarifying legal duties, to work out who is accountable.
So here are my five takeaways for Assurance; get these right and you won't be far off the mark when it comes to fit-for-purpose Assurance.
1. Know your role; are you a supplier providing Assurance or are you a client receiving Assurance?
2. As the client, are you clear what delegated authorities are provided to the supplier in the contract or law for the scope you have engaged them for?
3. As the supplier, can you demonstrate that you have competent people following the approved processes?
4. As the client, do you have a documented basis for the risk criteria you are using for due-diligence?
5. As the client (or Independent Assessor), make sure you are not undertaking detailed reviews, approving outputs, or providing direction, and thereby taking on the liability for the risk.
Assurance should be simple. If you are in any doubt, find an expert to ask.
#ARCHArtifex #ARCHSESA #Assurance