Coordinating risk management around risks that matter – The value of assurance maps

Effective and appropriate risk management has never been more important

Stakes are high in risk management. The mere existence of the three lines of defense (“3LOD”) is not enough. While a variety of functions across a financial institution are responsible for assuring that risks are appropriately assessed, mitigated, monitored, and managed, no formally appointed coordinator centralizes the objectives of each of the assurance functions. Without centralized coordination, organizations are vulnerable to duplicative efforts or missed coverage—and the resource inefficiencies they create.

Assurance maps provide a tool for centralizing risk identification and assessment. By mapping the various risk management and testing activities performed by the 3LOD in relation to priority risks, assurance maps help answer the question, “What are we missing?”

Key principles for success when considering the use of assurance maps

Executive-level ownership

Identify an executive sponsor who will support collaboration and coordination, and executive-level risk owners for each major risk category. The risk and assurance map should be “personal” to each owner, particularly if the successful execution of his or her strategic objectives is at risk.

Clear objectives

Determine the scope and desired level of assurance. Start small, targeting one key strategic objective, strategic risk, or emerging risk.

Timing and identification of providers

Identify the relevant assurance providers and agree on appropriate timing for constructing the assurance map.

Common tools

Agree on or build common tools. Leverage common terminology for defining products and services, processes, risks, and controls; employ a common risk assessment and issue rating methodology; and integrate or align platforms for workflow, data analysis, and reporting. Simplicity is important. Avoid jargon.

Plan early and think ahead

Identify the current and expected assurance activities and assess for quality (depth, frequency, etc.).

Address issues

Analyze the results and determine next steps to address any issues (gaps, duplication, etc.).

Meet often

Meet frequently to reassess the scope, coverage and risks.


Contact us

Rich Reynolds

Controls Testing & Monitoring Leader - Financial Services, PwC US

Christopher Byllott

Director, Risk and Regulatory, PwC US
