Three lines of defence: The Fortis Way
In April 2014, Festival Housing and Worcester Community Housing merged to create Fortis Living. The new Group owns and manages almost 15,000 homes, predominantly across the counties of Worcestershire and Herefordshire.
Both Registered Providers had previously developed effective risk registers that identified the key strategic and operational risks faced by both organisations. The registers for both organisations showed close similarity in the types of risk that had been identified. Festival produced a composite list of strategic risks by category or service, while WCH showed specific risks by directorate.
Risk management approach
In July 2014, Audit and Risk Committee were presented with the new Fortis Living strategic and operational risk registers. Angela Rodway (Risk Services Manager),
“The consolidation of the risk registers was relatively straightforward, the difficult part was introducing controls and assurances that were real and represented how the new organisation would work in the future.”
The Risk Management Review Group comprising senior managers and heads of service ensures that the risk registers are reviewed regularly and that all key risks are assigned to the most appropriate manager to be reviewed, assessed and for controls and assurances to be identified.
Fortis Living’s strategic risks are transferred onto the Clearview risk module which provides a high level view of risks aligned to the associated strategic objectives and goals. Clearview streamlines the risk management process and enables risk managers to track any outstanding actions against each of their risks on the Fortis Living Risk Plan. The system is also able to generate emails when target dates are close to breaching.
A new risk management policy has been developed in conjunction with Mazars that sets out Fortis Living’s approach and commitment to the management of risk. The policy introduces a framework and guidelines to identify, manage and mitigate risk, ensuring that a proactive risk management culture is embedded throughout the organisation, and risk assurance is an integral part.
With the aim of arriving at the most effective level of assurance and based on the assessed level of risk and required control, Internal Audit carried out a review of Fortis Living’s assurance framework and the review informed the Audit Strategy for 2015/16. This looked at the three lines of defence to ensure that the control systems used by managers were in place (first line), that there was corporate oversight (second line) and that there was assurance from Internal Audit or other external reviews (third line).
The level of assurance provided through internal audit reviews is dependent on the methodology followed, the scope of the work undertaken (high level or in-depth) and the knowledge and expertise of the auditor(s) in the subject area. Indeed other external consultants have been used to produce advisory reports and assurance in specialist areas. This type of external assurance is referred to as the third line of defence.
Mazars were appointed as Internal Auditors in April 2016 and introduced their Business Assurance Service. Neil Bullock, Director of Information, Risk and Business Support at Fortis Living,
“Assurance isn’t just about internal audit and external opinion. The three lines of defence introduced at Fortis Living provides a valuable part of our assurance framework. Working with Mazars we have developed a framework of Business Assurance Maps that cover areas of operational risk.”