Establishing the right level of assurance and independent review
Trust is essential for the conduct of most human interactions. Every time citizens access information, use services, respond to emails, buy things, and make payments etc., they implicitly trust it is accurate, legitimate, safe, and secure to do so. It is our default mindset.
New Zealanders trust that everyone will be diligent at work and honest in behaviour unless proven otherwise. We also think that organisational systems and process designed to deliver, monitor, and regulate our interactions won’t fail us. But they invariably can; and sometimes do.
When things go wrong, trust and confidence are often disproportionately eroded; more so than if we did not expect better. It matters greatly to Aotearoa New Zealand simply because our national ethos would not accept anything less.
Four things to consider
Four things for governors and executive management to consider about trust.
Identify key trust areas
First, what are the activities that your organisation must get right first time, upon which trust and confidence of your customers, stakeholders and the wider public critically depend? These will be myriad and interrelated, and entail core services, hygiene factors, and a wide range of customer / public facing activities.
Collating an inventory of activities that could put trust and integrity at risk will inform your priorities. Anchoring these against your organisation’s purpose and objectives will help keep them front of mind.
Know your vulnerabilities
Second, what are the vulnerabilities for each of these critical activities and how could their failure manifest in reputational consequences.
We know management is responsible for managing risks and implementing controls, which is a medium-to-long term investment. But we also know they could be incentivised for short term performance. In the context of delivery in a fast-changing and increasingly connected interactions, the human tendency for optimism bias is a vulnerability not to be underestimated.
It is instructive to understand the cascading effects of failure, systemic or random, so that these risks can be prioritised for mitigation.
Calibrate assurance to risk tolerance
Third, the nature and extent of assurance should be calibrated to the risk tolerance of the entity and whether such failures are likely to be damaging.
For example, procurement probity is critical in the public service. Agency chief executives and governors will want assurances that organisational process and systems for disclosing conflicting interests are not left to chance or goodwill. In this instance, assurance attestations from line management may not be sufficient. Independent and periodic assurance from the Internal Auditor or an external probity reviewer could be warranted – particularly for high-stakes or high-value supply.
Assurance should be layered such that higher priority trust and integrity risks are safeguarded by multiple lines of defence.
How you respond can make all the difference
Fourth, recognising that it is nigh on impossible to control for every risk (and remain a viable business), how organisations respond when things go wrong can make all the difference. Affected customers and other stakeholders rightly expect an explanation of what happened, and reassurance that it won’t happen again.
Often, a statement is provided by the part of the organisation responsible for the issue, which may be a proportionate response for minor issues. But for major or systemic issues, a higher degree of independent assurance is invariably required to avoid any appearance of disingenuity or lack of transparency. In such instances, it is helpful to have an assurance capability that is independent, and not mired with other management responsibilities.
Trust is hard earned and easily lost
Trust and integrity are hard earned, and easily lost. Unless we have had first-hand experience of reputational damage, our national psyche that “she’ll be right” could cloud executive judgement. I hope this article encourages healthy scepticism and increases the appreciation of independent assurance to protect and strengthen confidence in your organisations.