By Katharina Hefter, Adrian Schulte Steinberg, Jan Philipp Bender, Julia Gebhardt, and Malgosia Zegar
Risk, compliance, and assurance functions are under increasing pressure to support companies confronted with rapidly evolving regulatory and industry requirements. The complexity and intensity of these demands are particularly acute in process industries, such as mining, metals, or chemicals, where firms must wrestle with a unique set of challenges arising from their global operations. Maintaining efficient operations around the world while respecting the circumstances of each site requires a careful balance between global consistency and local adaptation.
These challenges are driven by the need to manage varied operational risks, such as environmental impacts and safety, across worldwide operations while navigating evolving regional regulations. Balancing global standards with local realities adds complexity, often exacerbated by unclear governance structures that blur roles and responsibilities. The resulting redundant assurance activities cause unnecessary costs and inefficiencies.
To address these issues, companies need to simplify their risk assurance practices—the processes and governance systems that help organizations proactively identify and mitigate risks. This encompasses auditing, compliance, standards setting, monitoring, reporting, and aiding operations teams in standards adherence.
A targeted approach to simplifying assurance entails five sets of actions that simultaneously decrease complexity, boost efficiency, and enhance risk management. Leading process industry companies have used this method to alleviate burdens on day-to-day activities, freeing up resources and reducing costs, while still managing risks comprehensively enough to achieve safer and more efficient operations. Beyond these gains, more effective risk mitigation contributes to stronger regulatory compliance, improved stakeholder trust, and greater resilience.
In this article, we explain the challenges driving the complexity of assurance and describe the five actions that make up the targeted simplification approach. We also outline several immediate steps to promote simplified and value-adding assurance.
A variety of challenges cause companies to increase assurance activities without adding real value. Indeed, these challenges often lead to significant financial costs owing to inefficiencies and excessive resource requirements.
Diverse Operational Risks and Compliance Requirements. Many companies manage varied environmental impact and workplace safety requirements across global operations. For example, mining firms face diverse issues, such as dealing with the environmental impacts of mine tailings and water pollution, addressing the high risk of workplace accidents, and navigating the ethical complexities of sourcing conflict minerals. Similarly, chemical companies must ensure the safe handling and disposal of hazardous materials, comply with stringent environmental regulations, and manage the reputational risks associated with the production and use of potentially harmful substances. All these challenges vary significantly by country.
Proliferating Standards and Assurance Activities. Through well-meaning efforts to ensure safety and compliance, firms in process industries have increased the number of standards and assurance activities. This expansion, while aiming for thoroughness, introduces complexity and can lead to broad policies that do not address a company’s unique needs or risks across its operations. It also adds to the challenges of auditing risk management systems and processes.
Global Standards Misaligned with Local Realities. Many companies have adopted a single worldwide standard, assembled from the strictest of their local guidelines, across all operating areas. Although this approach aims for the highest level of safety and compliance, it can inadvertently escalate costs and shift focus away from other essential operational needs. Businesses need to replace this well-intentioned "gold-plating" of standards with a more nuanced approach that balances rigor, calibrated to the enterprise's stated risk appetite, with practicality and cost-effectiveness.
Unclear Governance. These challenges are exacerbated by unclear governance. The sheer volume of assurance and standards-related activities, coupled with complex global operations, creates ambiguity about roles and responsibilities. Moreover, excessively stringent standards can produce a ripple effect: as compliance becomes increasingly difficult, the number of exception requests grows, further complicating the auditing process. Additionally, each operations team may interpret requirements differently, leading to uncoordinated steering approaches and decision-making processes for managing risks.
Redundant Activities. This misalignment is frequently compounded by poorly defined orchestration of tasks among operations teams; risk, compliance, and assurance functions; and auditors, the entities that make up the first, second, and third lines of defense in risk assurance. (See the exhibit.) The resulting duplication of process steps and activities creates unnecessary burdens for operations: a site may be asked the same questions by several teams, each of which records and reports the answers separately.
To successfully navigate today’s complex demands, companies must develop risk assurance strategies that are not only comprehensive but also align with their business objectives. Such a strategic alignment is critical to minimize risk exposure and enhance compliance while ensuring operational efficiency.
To develop a resilient and high-performing risk assurance approach, organizations should focus on five sets of actions.
Apply a structured approach to identify and prioritize risks. Implement a comprehensive process to thoroughly recognize and assess potential risks, such as those related to environmental impact and workplace safety. Develop a risk taxonomy to facilitate the understanding of various risks and their relationships, thereby supporting informed decision making. To prevent misinterpretations, ensure that the risk taxonomy is clear and relevant to all operations teams.
Direct resources deliberately to significant threats, such as unstable mine conditions and changes to safety laws. Align risk prioritization with daily operations, including site safety inspections and compliance with environmental regulations. Last, apply a holistic risk management approach to provide a clear framework for addressing risks.
Simplify the policy hierarchy and associated documents. Start by establishing a clear policy pyramid structure that defines the placement and purpose of each document in the policy hierarchy. Each document should serve a distinct purpose so that end users can easily locate the necessary information. It is paramount that these documents contain mandatory requirements for mitigation controls to help each line of defense understand its appropriate risk mitigation activities.
Ensure that documents codifying policies and standards are up to date and well written. Establish a clear governance system that identifies a specific owner responsible for maintaining the quality of each document. (See “Maintaining Clear Governance and Up-to-Date Policy Documents.”)
At some global players in the process industries, the number of policy documents has ballooned to more than 200—far exceeding the 30 to 50 typically observed at peer companies. Additionally, various organizational levels have independently generated their own governance documents. This proliferation has led to a tangled web of requirements scattered across multiple repositories. Moreover, firms often lack consistent standards for their documents, causing variability in document quality and user-friendliness.
To remedy this problem, one leading company launched an initiative to revise its governance approach and simplify its policy pyramid. The aim of this effort was to align the organization’s governance approach more closely with relevant risks while ensuring that documents are clearly written and easily accessible to local teams.
Optimize and embed the three-lines-of-defense model. Set expectations for each team regarding which role in the model they will fulfill to ensure robust risk assurance and clear accountabilities. Define roles, responsibilities, processes, and activities within operations to facilitate the achievement of assurance objectives—from site safety to environmental management. Seek to identify and eliminate redundancies within and across the lines of defense to streamline assurance processes and boost efficiency.
Establish central coordination for the second and third lines to prevent overlaps in assurance activities or assessments, thus optimizing resource utilization and improving audit management. (See “Centrally Coordinating Assurance.”) Apply a risk-based audit approach for the third line, clearly specifying audit type, frequency, and depth for each site to ensure precise and relevant auditing practices.
At a global natural resources firm, multiple second-line teams operated independently to monitor assurance in areas such as safety and sustainability. The groups’ support, monitoring, and reporting activities often overlapped in some respects, creating duplicative evaluations of local site operations.
To eliminate redundancies, the company established a central team to coordinate assessments across topics and sites. The group convenes mid-year to determine the focus for the following year’s monitoring efforts. It lists all the risks to be assessed and which monitoring activities will be conducted at each site.
This central coordination allows the firm to identify and eliminate duplicate efforts. By clustering related monitoring activities, the company minimizes the frequency of assurance reviews, ensures that site operators are not subjected to redundant questioning, and enhances the overall efficiency of risk assurance.
Set global standards with “local top-ups.” To manage risk while accommodating diverse operational environments, adopt a base of global standards that reflect the enterprise-level risk appetite. These standards should not default to the strictest level across all jurisdictions but rather serve as a foundational benchmark that aligns with the business’s core objectives and values as well as its risk tolerance.
Empower local entities to adapt these global benchmarks with specific local top-ups—tailored enhancements that address unique regional risks, legal requirements, and operational challenges. This flexible approach allows for a more nuanced and efficient alignment between global risk management strategies and local operational realities. As a result, risk assurance is both universally robust and locally pertinent, without unnecessarily elevating baseline standards to the highest possible level.
Digitally enhance risk management. Initiate a digital transformation by augmenting the risk management system with digital tools and metrics to improve efficiency and responsiveness. Equip risk managers and board members with real-time data to facilitate rapid and well-informed decisions regarding essential site operations, such as equipment safety and compliance with environmental regulations.
Adopt a centralized monitoring system for critical controls so that the organization can detect and respond to emerging risks quickly. Transition to an integrated, data-centric approach that strengthens the risk management strategy and its adaptability to changing conditions. Implementing such digital enhancements consistently across sites also lays the data foundation that companies will need before they can adopt the AI applications now arriving in process industries.
Risk, compliance, and assurance leaders—including chief risk officers, assurance teams, and technical operations directors—should collaboratively take the following steps to simplify risk assurance while strengthening its value:
Companies in process industries should not view risk assurance solely as a compliance requirement. It is an opportunity to proactively mitigate key operational and strategic risks, ultimately boosting profitability. Policies must be robust enough to guide employees in addressing the challenges of global operations while granting the flexibility needed to respond to local conditions. Organizations that strike the right balance will reduce unnecessary complexity and build world-class operational resilience.