The CORE Assurance Framework
As a board member, has this thought ever crossed your mind?
“The buck stops with me so I reserve the right to check what I want, ask for what I want, in as much detail as I want, at a time that’s convenient to me.”
An effective board member will always be keen to ensure that failure doesn’t happen on their watch or they were not responsible for the organisation becoming stagnant or losing its way.
As a board member, has this thought ever crossed your mind?
“The buck stops with me so I reserve the right to check what I want, ask for what I want, in as much detail as I want, at a time that’s convenient to me.”
An effective board member will always be keen to ensure that failure doesn’t happen on their watch or they were not responsible for the organisation becoming stagnant or losing its way. Preventing failure, identifying black swans or turning unknown unknowns into known unknowns is an aspect of their role that is not at all straightforward.
“… there is a growing understanding that robust assurance processes begin with the intrinsic motivation of the board to set, exemplify and monitor organisational values and fundamental standards and support staff to deliver them. External regulation should be seen as a ‘failsafe’ rather than a primary source of assurance.” The Healthy NHS Board 2013 Principles for Good Governance, NHS Leadership Academy
Obtaining adequate assurance around key performance areas is an area that they should always be keen to ensure that they achieve. Board members not only help to set strategic direction and monitor organisational performance by challenging and scrutinising management, they must also find a way to gain comfort that all is well. To that end, it is advisable that they gain assurance in the following categories: regulatory compliance, organisational effectiveness and long-term sustainability.
Board members and their boards should ensure that the organisations that they are accountable for are doing the right things, in the right way and at the same time have oversight of any potential risks.
Assurance can be obtained by developing processes, an interrogative culture and the discipline that provides enough evidence to comply with what I call the CORE assurance framework – Compliance, Organisation and Risk and Effectiveness. The framework is split into three areas and aims to provide a logical and transparent means of identifying the criteria that both the board and management will work with. Boards and their members can get this comfort by examining the evidence of each of the components identified below.
1. Compliance – the organisation complies with its own constitutional requirements, legal and regulatory standards and due care is exercised in maintaining the necessary internal control framework and proper fiscal oversight.
Outcome – the organisation is well governed and has an effective control framework.
2. Organisation and Risk – the organisation is achieving the best impact for its stakeholders within a pre-determined risk framework that ensures key organisational objectives are met and risks are appropriately identified and mitigated.
Outcome – the organisation is conscious and able to respond to external and internal elements of risk whilst ensuring that it maximises impact for its stakeholders.
3. Effectiveness – the organisation has a robust and relevant business-planning framework and is led by an able and proficient executive team who operate effectively against challenging and stretching performance indicators.
Outcome – the organisation is well run and with ambitious performance criteria being met.
The board will examine each of these areas and work with the executive team to ensure that they are provided with a rolling programme and evidence which satisfies them that the outcomes above are being met.
Getting the balance right in obtaining the correct amount of evidence to provide adequate assurance is never an easy task. In seeking to get too much evidence, board members risk interfering with the work of the executive team and seeking too little evidence leaves them exposed to criticisms of lack of control. In order to aid understanding this process, I have broken down assurance into three stages.
Stage One – the board seeks comfort. There is a certain amount of evidence primarily from the executive team to demonstrate that the board is achieving the CORE assurance framework identified earlier.
Internal forms of assurance – Management reports, management accounts, risk management reports, corporate reporting.
Stage Two – the board seeks confidence. There is a great deal of evidence from a variety of sources and the board have put systems in place to ensure that the organisation is achieving its CORE assurance framework.
Independent forms of assurance – Internal audit, external audit, regulatory review, inspections, quality accreditations and advisory services.
Stage Three – the board seeks conviction. The board challenge the management and where necessary carry out ‘deep dives’ in achieving adherence to the CORE assurance framework.
Combined forms of assurance – specific reviews, triangulation of evidence across a range of assurance and assurance mapping offer robust methods to gaining assurance.
It is worth noting that a board could never reach absolute conviction. The time and cost implications would be prohibitive and would also lead to a level of detail not appropriate for board involvement.
Having explored the CORE framework and the three stages of assurance, board members are equipped with a methodology to get the balance right in seeking assurance. If the board find that they have an area to consider that will have a critical or high impact they will look towards getting conviction i.e. stage three assurance. An item that is less critical or impacting will only warrant stage one or in other words, boards only need to feel comfortable.
In conclusion, boards need to be more sophisticated in how they undertake their role recognising that they should employ the appropriate style and level of scrutiny to the task at hand. The board should be clear on how they will get assurance on the key strategic risks and what type and level of assurance is appropriate. They should be careful to ensure that they maintain an oversight function and not stray into operational policy formulation and unnecessary detailed review particularly where the item is not critical. Equally boards should ensure that management are aware of the need for the board to receive accurate, timely and relevant information in a format that enables them to carry out their role.
Seeking assurance is a critical function of your role as a board member!
Until next time…