Thought Leadership
Building a board-level controls framework fit for the modern era
Building a board-level controls framework: The roles, RACI, and evidence attached to one of the most crucial responsibilities in the modern boardroom.
Recent shifts in the corporate governance landscape have put new pressure on directors. Where previous decades might have asked them only to sign off on ready-made plans, the director role has evolved into one of active, evidence-based assurance. Directors now need to be able to stand behind every element of strategy and confirm that it has been questioned, tested, and maintained through rigorous monitoring.
This evolution is driven by a reimagining of the board's role in systemic risk management. The challenge is, ultimately, to demonstrate robust control. A tick-box mentality no longer suffices.
What is a controls framework, and why is it so important at the board level?
A controls framework is the blueprint used to design, implement, and evaluate all the policies and processes that safeguard a company against key risks.
Without this clearly defined structure, a board’s oversight can only ever be reactive. Directors end up chasing issues as they arise, always on the back foot, always forced into rushed decision-making because there’s no other option.
Modern monitoring systems are designed to prevent that, and give directors firm control over the sheer volume of metrics and data, from finance to cybersecurity to operational resilience to ESG.
A good example of where this shift has translated into on-the-ground reality is the set of revisions to the UK Corporate Governance Code. In Britain, boards are now required to report on the effectiveness of their risk management and internal control framework, not merely on whether those controls exist and tick the boxes they are supposed to tick.
Crucially, the board cannot delegate accountability for this effectiveness declaration. Committees may act as the "engine room" for the detailed reviews that feed it, but the full board must sign off on the final statement.
In this environment, the rules demand a thorough internal controls framework, one that acts as a strategic enabler rather than a vague plan. With a proper framework, boards can contextualise risk, ensure that the risks they take are calculated ones, and pursue opportunities with confidence.
How to build a board-level controls framework?
1. Defining roles with a RACI matrix
Ambiguity is the enemy of a strong internal framework, which needs to spell out who is responsible for what at every stage. The Institute of Internal Auditors (IIA) "Three Lines Model" provides the theoretical basis, but a detailed Responsible, Accountable, Consulted, and Informed (RACI) matrix is what gives the board the clarity it needs.
The board (accountable): The board of directors needs to strike a careful balance:
- Their role is oversight, not execution. Directors (especially non-executive directors) should not design internal controls themselves, because doing so would compromise the independent judgement they need when evaluating those controls later.
- However, the board is ultimately accountable and responsible for sign-off. So, while directors do not build the systems, they must question and critically evaluate them before putting their names to a declaration.
Management (first line): This group, particularly the CEO and CFO, is responsible for the design and day-to-day operation of internal controls.
Risk and compliance (second line): Led by a Chief Risk Officer (CRO) or equivalent, this team acts under management as the "control architect," providing the frameworks and policies that keep controls consistent across the business.
Internal audit (third line): Internal audit provides independent assurance that the controls the first line operates and the second line oversees actually work as intended. The risk is that this function drifts too close to management and ends up influenced by it. To counter that, whoever leads internal audit must have a direct reporting line to the audit committee chair, not to the executives whose controls they are testing.
2. Establishing the evidence hierarchy
The second pillar of modern governance is the board's engagement with the evidence behind the framework. Boards should always be asking, "How do we know the controls work?"
Verbal reassurances and vague dashboards cannot answer that question; they only feed the tick-box attitude. Instead, evidence should be weighed according to a hierarchy of reliability.
- Level 1: Independent assurance (highest reliability): Direct testing from internal audit, external audit reports, or regulatory inspections.
- Level 2: Automated monitoring (high reliability): Continuous monitoring scripts in ERP systems and Key Risk Indicators (KRIs) that provide objective, real-time data.
- Level 3: Management oversight (medium reliability): Aggregated data from risk committees and tools like the Assurance Map, highlighting coverage gaps.
- Level 4: Management self-assessment (lowest reliability): Control Self-Assessments (CSAs), which are necessary for accountability but are inherently biased and should never be the sole basis for a board declaration.
Your goal should be to "triangulate" this evidence: compare sources at different levels against one another, let the more reliable source prevail when they disagree, and treat any control whose only support is a self-assessment as untested.
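The triangulation rule above can be applied mechanically to an assurance map. The following is an added example, not code from the original article or from any named framework: it ranks each control's evidence by the four reliability levels, trusts the most reliable verdict, flags controls that rest only on a control self-assessment, and lists the controls that would block a board declaration. The control IDs, sources and verdicts are constructed sample data.

```python
"""Triangulate control evidence across the four reliability levels.

Added example (not from the original article). Control IDs, evidence
sources and verdicts below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class EvidenceLevel(IntEnum):
    """The article's hierarchy: a lower number means higher reliability."""
    INDEPENDENT_ASSURANCE = 1   # internal/external audit, regulator
    AUTOMATED_MONITORING = 2    # continuous monitoring scripts, KRIs
    MANAGEMENT_OVERSIGHT = 3    # risk committee data, assurance map
    SELF_ASSESSMENT = 4         # control self-assessment (CSA)


@dataclass(frozen=True)
class Evidence:
    control_id: str
    level: EvidenceLevel
    source: str
    effective: bool  # this source's verdict: did the control operate?


@dataclass
class Finding:
    control_id: str
    status: str                      # see assess_control()
    best_level: Optional[EvidenceLevel]
    notes: List[str]


def assess_control(control_id: str, items: List[Evidence]) -> Finding:
    """Apply the evidence hierarchy to one control.

    Status values:
      no-evidence           nothing on the assurance map for this control
      self-assessment-only  only Level 4 evidence; cannot support a declaration
      conflicting           sources disagree; the most reliable verdict prevails
      ineffective           the most reliable source concluded the control failed
      supported             the most reliable source says effective and
                            no other source contradicts it
    """
    if not items:
        return Finding(control_id, "no-evidence", None, ["add to audit plan"])

    ranked = sorted(items, key=lambda e: e.level)  # most reliable first
    best = ranked[0]
    notes = [f"{e.source} (L{int(e.level)}): "
             f"{'effective' if e.effective else 'ineffective'}" for e in ranked]

    if best.level == EvidenceLevel.SELF_ASSESSMENT:
        # A CSA is inherently biased; it never stands alone.
        return Finding(control_id, "self-assessment-only", best.level,
                       notes + ["needs independent or automated testing"])

    if len({e.effective for e in ranked}) > 1:
        # Surface the disagreement, but let the more reliable source prevail.
        return Finding(control_id, "conflicting", best.level,
                       notes + [f"rely on {best.source}; investigate the gap"])

    status = "supported" if best.effective else "ineffective"
    return Finding(control_id, status, best.level, notes)


def triangulate(control_ids: Iterable[str],
                evidence: Iterable[Evidence]) -> Dict[str, Finding]:
    """Assess every control on the map, including those with no evidence."""
    by_control: Dict[str, List[Evidence]] = defaultdict(list)
    for e in evidence:
        by_control[e.control_id].append(e)
    return {cid: assess_control(cid, by_control.get(cid, [])) for cid in control_ids}


def blocking_controls(findings: Dict[str, Finding]) -> List[str]:
    """Controls that cannot yet support a board effectiveness declaration."""
    return sorted(cid for cid, f in findings.items() if f.status != "supported")


# Constructed sample assurance map (hypothetical control IDs and sources).
SAMPLE_CONTROLS = ["C-01", "C-02", "C-03", "C-04", "C-05"]
SAMPLE_EVIDENCE = [
    Evidence("C-01", EvidenceLevel.INDEPENDENT_ASSURANCE, "internal audit", True),
    Evidence("C-01", EvidenceLevel.AUTOMATED_MONITORING, "ERP access KRI", True),
    Evidence("C-01", EvidenceLevel.SELF_ASSESSMENT, "finance CSA", True),
    Evidence("C-02", EvidenceLevel.SELF_ASSESSMENT, "ops CSA", True),
    Evidence("C-03", EvidenceLevel.AUTOMATED_MONITORING, "patch-latency KRI", False),
    Evidence("C-03", EvidenceLevel.SELF_ASSESSMENT, "IT CSA", True),
    Evidence("C-05", EvidenceLevel.INDEPENDENT_ASSURANCE, "external audit", False),
    Evidence("C-05", EvidenceLevel.MANAGEMENT_OVERSIGHT, "risk committee", False),
]

if __name__ == "__main__":
    results = triangulate(SAMPLE_CONTROLS, SAMPLE_EVIDENCE)
    for cid, f in results.items():
        print(cid, f.status, "; ".join(f.notes))
    print("blocking declaration:", blocking_controls(results))
```

In the sample data, C-03 is the case the hierarchy exists for: management's self-assessment says the control works, but the automated KRI says it does not, and the more reliable source wins. C-02 is reported separately from C-04 because "we only have a CSA" and "we have nothing" call for different remediation, even though neither can support the declaration.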