
Lifting the Bonnet: Why Assurance Frameworks Need More Than Good Architecture

May 12, 2026

Most compliance and risk leaders I work with can describe their assurance framework in detail. Controls libraries, governance structures, management information, accountable executives, and board and committee oversight. The architecture is well established, and, in many firms, it was built thoughtfully.

That is not where the challenge lies. The challenge is in what happens to that architecture over time, particularly in firms where the framework has been in place long enough that it has stopped being actively questioned.

Assurance frameworks require sustained operational discipline. They need regular attention not because they are fragile but because the environment around them is constantly shifting: regulatory expectations evolve, business models change, people move, and technology scales. A framework that was fit for purpose eighteen months ago may still be structurally sound but operationally misaligned. The question is not whether the framework exists or whether it was well designed. It is about whether the balance between what is documented and what is genuinely operational has shifted and whether anyone has noticed.

Why the balance shifts

In my experience, the drift is rarely deliberate. It happens because assurance work competes poorly for attention. When regulatory deadlines press, when remediation programmes demand resources, and when the business needs an answer today, the routine discipline of testing whether the framework is doing what it was designed to do gives ground. Not permanently, not dramatically, but incrementally. And incremental drift is difficult to see from inside it.

The areas where this plays out are the familiar ones: resilience, controls assessment and the currency of controls libraries, governance documentation, surveillance, conflicts of interest and the related incentive structures, and technology oversight. These are well-understood domains. Firms are not struggling with what good looks like. They are struggling to sustain operational rigour across all of them simultaneously, particularly when attention and resources are being pulled toward whatever is most urgent this quarter.

What it looks like in practice

There are practical markers that tend to reveal where the balance has moved.

Management information is one. Most firms have MI in place, but the questions worth asking are whether it shows trends over time, whether it is reviewed at genuinely regular intervals (typically four-weekly or monthly for risk-sensitive areas), and whether it would surface a change in risk direction before that change becomes a problem. MI that confirms the status quo without challenging it is not assurance; it is comfort.

Accountability structures are another. Where remediation is underway, the accountable executive should be able to describe not just the plan but the current known gaps, the delivery milestones with time commitments, and who has independent oversight of that progress. That means not only the accountable executive but also board committee visibility and third-line scrutiny. Where those layers are not connected, accountability becomes nominal rather than functional.

Then there is the challenge register. It is a concept that has been around for decades and tends to go in and out of fashion, but it remains one of the clearest indicators of whether a governance framework is genuinely dynamic. When challenges from the first, second, and third lines are being captured, reviewed, tracked through to resolution, and generating lessons learned, the framework is alive. When the register exists but sits untouched between audit cycles, it tells you something about the operational culture around assurance, regardless of what the governance documentation says.

The question worth asking

None of this is new, which is rather the point. These are established disciplines, and most firms have invested in them properly at some stage. The risk is not that the framework was never built but that it was built well enough to create confidence, and that confidence has quietly reduced the scrutiny it receives.

If it has been a while since you considered where that balance sits across your own framework, it may be worth lifting the bonnet before someone else does. The answer is usually not that everything needs rebuilding. More often, it is that a few areas need the operational attention they were designed to receive but have not had recently.
