What is a Combined Assurance Matrix?

Introduction

A Combined Assurance Matrix (CAM) is a structured tool that aligns key organizational risks with the responsible stakeholders and tracks the progress of mitigation actions. The following framework describes how to design one:

1. Define Key Components of the Matrix

Each row in the matrix represents a specific organizational risk, with columns for each key aspect:

  • Risk ID: Unique identifier for each risk.
  • Risk Description: A clear description of the risk, outlining its impact and likelihood.
  • Risk Category: The area or department where the risk applies (e.g., operational, financial, compliance).
  • Risk Owner: The individual responsible for overseeing the risk.

Combined Assurance Stakeholders: Key stakeholders responsible for providing assurance over the risk. These may include:

  • Internal Audit: For independent assurance.
  • External Audit: For external validation.
  • Process Owner: The individual accountable for the process generating the risk.
  • Compliance: Ensuring adherence to policies, laws, and regulations.
  • Risk Management: Monitoring and managing risk levels.
  • Other Relevant Stakeholders (e.g., IT, Legal): Additional individuals or teams impacted by the risk.

2. Action Planning and Monitoring

Include columns to capture the details of the action plans, timelines, and monitoring requirements:

  • Action Plan: Detailed steps required to mitigate or manage the risk.
  • Action Owner: The individual assigned to complete each action item.
  • Due Date: The target date for completing the action.
  • Status: The current status of the action plan (e.g., “Not Started,” “In Progress,” “Completed”).
  • Last Review Date: The most recent date when the risk was reviewed.
  • Monitoring Frequency: How often the risk is reassessed (e.g., monthly, quarterly).
  • Comments/Notes: Space for additional observations or changes.

3. Sample Layout of a Combined Assurance Matrix

On the last page of this article, you will find a figure that explains the CAM in detail, with a practical example.

4. System Capabilities

A system capable of generating this matrix should include:

  • Data Entry & Storage: Centralized repository for risks, assurance stakeholders, and action items.
  • Mapping & Linking: Link each risk to relevant stakeholders and action plans.
  • Automated Reminders: For action due dates and regular review schedules.
  • Real-Time Updates: Track the progress of action plans, allowing for updates on risk status.
  • Customizable Reporting: Generate real-time reports for management on risk status, action progress, and audit findings.

This structured approach allows for a comprehensive and real-time view of risk management efforts, increasing transparency and accountability across the organization.