Integration of assurance functions
There are only rudimentary (supervisory) legal requirements for the organisational embedding of assurance functions in a company, and a clear best practice approach has not yet been established. Ensuring independence in particular is seen as a challenge. What are possible measures to achieve this?
"The compliance department has failed", "The warnings from risk management were ignored": this is how it sounds, or something similar, in the media when improper business conduct is uncovered. Analysis often shows that assurance functions had been installed in the companies concerned, but that their enforcement power was limited. What could be the reason for this?
Requirements regarding the organisation of assurance functions
For banks and insurance companies, FINMA Circulars Corporate Governance 2017/1 and 2017/2 apply, which explain the requirements for the central assurance functions of risk management and compliance as elements of an effective ICS. While the supervisory authority specifically regulates the organisational embedding of the risk officer for the system-relevant banks (FINMA RS 2017/1, para. 68), there are no corresponding requirements in the circular relevant for the insurance companies.
In addition to the FINMA Circulars, there is further documentation such as auditing standard PS980 (EXPERTsuisse), which lists the key features of a (compliance) organisation such as the definition of roles and responsibilities, competencies and resources, and reporting lines.
What these requirements have in common is that they explicitly call for the objectivity and independence of the assurance functions (control elements), without however going into further detail on the organisational form that would be appropriate in this respect. In this respect, there is an opportunity to design an embedding adapted to the respective size and complexity of the company.
The model of the three lines of defence
The "three lines of defence" model has become established as a model for promoting the independence of assurance functions. This model is also mentioned by FINMA in its explanatory report on the two aforementioned governance circulars as an approach to defining roles and responsibilities in the governance system. The assurance elements of risk management, compliance and ICS are thereby bundled in the 2nd line and separated from day-to-day business (1st line) in order to ensure independence. In addition to the aforementioned assurance elements, the areas of data protection, information security and quality management are often also considered as units of the 2nd line of defence. The 3rd line of defence comprises the internal audit function. The fact that the model does not include the external auditors and the regulator (e.g. as a 4th and 5th line of defence) is sometimes criticised in the literature.
While the above model illustrates the interplay of the three lines of defence and their reporting lines, it does not provide concrete instructions for their organisational embedding. Various studies show great heterogeneity in this regard. Assurance functions, for example, can
- be implemented as single items in different units;
- be bundled organisationally in a staff unit;
- be subordinate to a profit-oriented unit; or
- even be mixed with profit-oriented functions in terms of personnel.
The organisational form of assurance functions also depends on the size of the company. Above a certain number of employees, the functions of the 2nd line of defence should be performed by persons who are independent of the day-to-day business. In small and medium-sized companies, all assurance functions can be combined in one person. In larger companies, on the other hand, it makes sense for the functions to be performed by different people. The smaller the company, the more likely it is that the functions of the 2nd line of defence are performed by operationally active persons. Especially in such situations it is important that the functionaries have the necessary personality and integrity and have internalised the constantly evolving value system of the company, so that they can exercise their control activities objectively and independently.
An alternative is to outsource the control activities to third parties (e.g. auditing companies or law firms).
Due to the heterogeneity of the organisational forms, the objectivity and independence required by regulation must be assessed on a company-specific basis.
Measures to safeguard independence
What opportunities are there that favour a best-practice approach with regard to the organisational embedding of assurance functions and thus implicitly also the highest possible degree of independence?
Organizational merger
The assurance elements of risk management and compliance together ensure compliance with corporate governance as an effective ICS. In order to create synergies, it therefore makes sense to merge these areas into one organisational unit. There are overlaps between risk management and compliance in particular. Compliance risks, for example, are ultimately operational risks, which form the basis for a risk-oriented internal control system (ICS). Furthermore, redundancies in reporting to the Executive Board and the Board of Directors can be avoided by integrally coordinating not only the timing of the publication of such reports, but also the content focus on the individual topics within the team. The management of such an assurance unit can also be given additional weight (tone-at-the-top) by having a seat on the Executive Board, e.g. without voting rights, in order to avoid conflicts of interest in the decision-making process.
Separation of personnel from 1st and 2nd line of defence
If possible due to the size of the company, assurance activities should be strictly decoupled from operational activities. At least the respective management of the 2nd line of defence should be independent of the 1st line of defence, especially in terms of personnel. In this way, potential conflicts of interest between actions as business partner versus gatekeeper (control authority) are avoided and control authorities do not become "risk takers".
Appointment and dismissal by a non-operating body
Whereas internal audit, as the third line of defence, reports to senior management (board of directors or committee), the assurance functions generally report to a profit-oriented unit. This also applies to a staff unit under the CEO. In order to maintain independence, the appointment or dismissal of a senior assurance function can be made dependent on the approval of the senior management (board of directors or its risk committee). Further options are, for example, a quasi-protection against dismissal, whereby the holder of an assurance function may not be removed for a certain period of time.
No incentives through variable, performance-related compensation
Excluding assurance functions from monetarily compensated, performance-related components has become established as a standard today and is also promoted by the regulator as a means of safeguarding independence (cf. FINMA Circular Corporate Governance).
Conclusion
The question of how assurance functions should be embedded in corporate management can only be partially answered in terms of a best-practice approach.
However, it is precisely with regard to the greatest possible independence that areas for development can be identified which make such an approach possible.
Three aspects appear to be central:
- the organizational merger,
- the decoupling of personnel from operational decision-making functions,
- the delegation of personnel decisions to senior management, and
- the avoidance of incentives through variable compensation.
The extent to which these can be implemented always depends on the size of the company and the corporate culture. Assurance functions should always be seen as part of risk-oriented corporate management, but not as a reactive control instance.