SIMON CUNNINGHAM
Sometimes, I am accused of dreaming, particularly after a "healthy" lunch. So the following scenario could be the result of an early afternoon siesta or a realistic aspiration to derive real commercial advantage from that well-known cure for insomnia, "risk management".
"I'm supposed to be responsible for ensuring that our response to all these risks is satisfactory, that everything's okay," thinks the chairman of the audit committee.
"But the CEO says 'this is okay'; the CFO says 'that is okay'; the CIA says 'that isn't okay', and the CRO says 'it might be okay'. Meanwhile the FSA are saying that it's not okay for the CIA to say that what the CRO says is okay.
"All I want is for someone to tell me that 'everything is okay'."
Providing the big picture for those with ultimate responsibility for the success of an organisation - those charged with governance - has always been a challenge. It's not unusual for different parties to be willing to offer a piece of the big picture jigsaw, but often no-one is prepared to stake a claim to providing the final piece of this jigsaw, thereby presenting the entire big picture, joined up for the chairman of the audit committee to admire and breathe a deep sigh of relief.
But at long last, the issue of integrated assurance is rising to the surface. Different parties within an organisation are increasingly coming together to define the pieces of the risk-assurance jigsaw they each hold and to fit these together to present to the board and audit committee the complete big picture. And not before time.
However, there is still a problem with taking ultimate responsibility - who has determined what the complete picture will look like and who is putting all the pieces together and confirming they are all in place?
Assurance is all about being confident that things that could go wrong won't, and things that must go right will. But how does an audit committee chairman know what could go wrong and must go right?
To answer this, the organisation must develop a robust, but manageable and therefore, easily assimilated, risk-management framework that defines, describes and evaluates the critical risks facing the business.
This will define the parameters of the assurance jigsaw, and enable the source of each piece to be identified. There must be a structured, ongoing process for identifying and evaluating risk, administered by a chief risk officer and team, but which is the responsibility of management and which is endorsed and adopted by the board.
Different functions within the organisation will be able to provide assurance with respect to different subsets of the critical risks.
In the three lines of defence model, management (as the first line of defence) will provide at least partial assurance on all areas - managers are ultimately responsible for managing risks effectively in their respective areas of responsibility. Their reports and associated representations will offer audit committees significant assurance in well-managed organisations.
The second line of defence is made up of functions such as compliance, legal, health and safety, quality assurance and, indeed, the risk management team itself (if it exists), each able to provide significant assurance, or perhaps in some cases more accurately "reassurance", that management are indeed on top of the regulatory, statutory, environmental, ethical and quality requirements and associated risks that are critical to the ongoing and future success of the organisation.
But without co-ordination, duplication or overlap will occur, with assurance on the same risks being provided by more than one function.
Wasted use of resources is the only conclusion here, highlighting the value of a co-ordinator, someone who can stand back, look at the picture on the box, identify the missing pieces, locate them and slot them in and complete the big picture for everyone - and the audit committee in particular - to admire.
The third line of defence, and ideally placed to pull it all together and tell the audit committee chairman that "everything IS okay", is the chief internal auditor. Independent through internal audit's principal reporting line, accountable to the audit committee, and with the authority to require divisional management and other functions within the organisation to provide clearly defined assurance on their specific areas of responsibility, the chief internal auditor has the opportunity to deliver integrated assurance.
So, assign the task of providing this integrated assurance to internal audit, and specifically the chief internal auditor. Release management and each of the second line of defence assurance functions from providing anything other than the key pieces of the assurance jigsaw that only they can respectively provide. Free up their valuable resources to concentrate not on superfluous assurance reporting, but on identifying and implementing more effective, efficient and, in particular, economic means of managing risk and delivering success.
Celebrate for the first time the recognition that risk management is relevant to success, the confidence within the business to pursue opportunities sometimes into the unknown, the positive impact on profitability, and reflect on the audit committee chair's assertion that "everything IS okay".
© All rights reserved. Reproduction in whole or in part without permission is prohibited.