When it comes to meeting obligations the assurance function needs to provide more than just a feeling of confidence. It must provide a measure of certainty that obligations will be met based on real estimates of uncertainty and risk.
In the following examples, folks thought that everything was on-schedule, on-target, on-plan, in-compliance until it was not and then it was too late.
These all involve complex systems with many factors to consider.
However, what we can say is that systems used to provide assurance (level of confidence that objectives will be met) failed miserably as evidenced by the surprise and shock afterwards.
ROGERS
On Friday July 8, Rogers experienced a disruption in service from coast to coast affecting millions of Canadians, and disrupting government services and payment systems.
"We don't understand how the different levels of redundancy that we build across the network coast to coast have not worked," said Kye Prigg, Rogers' senior vice-president of access networks and operations”
SUNCOR
On July 8th, 2022 CEO resigns after latest fatality at a company facility.
"Suncor Energy Inc. chief executive officer Mark Little resigned following another death at one of the company’s worksites, sending shockwaves through the Canadian oil and gas sector."
This is the second fatality at the Fort McMurry site this year and the latest incident in a string of workplace injuries and fatalities at Canada’s largest integrated oil company.
Suncor was hoping they were turning a corner on safety and reported to have had a scheduled presentation in the upcoming week on safety improvements which was now cancelled.
Phoenix Pay System
In 2009 the Canadian government initiated the Phoenix project which rolled out in 2016. The original budget of $309m increased to $954m expected to rise to $2.3b by 2023 in unplanned costs.
The Governor General Auditor in 2019 reported,
“How could Phoenix have failed so thoroughly in a system that has a management accountability framework; risk management policies, program evaluations, internal audit groups, departmental audit committees; accounting officers; departmental plans; departmental performance reports; pay-per-performance compensation; and audits by The Office of the Auditor General?”
Each respective assurance system failed to provide leadership with the information needed to properly evaluate and respond to risk.
The alternative is that management simply ignored the information and hoped for the best.
Either way the result was the same – failure. Failure to provide, failure to protect, and failure to deliver.
Ignoring or not properly contending with risk in the final analysis amounts to gambling which is unwise and unnecessary.
Organizations that choose not to gamble apply risk-based principles and practises to drive down risk or guard against it if not reducible.
