Introduction
A Combined Assurance Matrix (CAM) is a structured tool that aligns key organizational risks with the responsible stakeholders and tracks the progress of mitigation actions.
Here’s a framework for designing a Combined Assurance Matrix that meets the outlined requirements:
1. Define Key Components of the Matrix
Each row in the matrix represents a specific organizational risk, with columns for each key aspect:
- Risk ID: Unique identifier for each risk.
- Risk Description: A clear description of the risk, outlining its impact and likelihood.
- Risk Category: The area or department where the risk applies (e.g., operational, financial, compliance).
- Risk Owner: The individual responsible for overseeing the risk.
- Combined Assurance Stakeholders: Key stakeholders responsible for providing assurance over the risk. These may include:
  - Internal Audit: For independent assurance.
  - External Audit: For external validation.
  - Process Owner: The individual accountable for the process generating the risk.
  - Compliance: Ensuring adherence to policies, laws, and regulations.
  - Risk Management: Monitoring and managing risk levels.
  - Other Relevant Stakeholders (e.g., IT, Legal): Additional individuals or teams impacted by the risk.
2. Action Planning and Monitoring
Include columns to capture the details of the action plans, timelines, and monitoring requirements:
- Action Plan: Detailed steps required to mitigate or manage the risk.
- Action Owner: The individual assigned to complete each action item.
- Due Date: The target date for completing the action.
- Status: The current status of the action plan (e.g., “Not Started,” “In Progress,” “Completed”).
- Last Review Date: The most recent date when the risk was reviewed.
- Monitoring Frequency: How often the risk is reassessed (e.g., monthly, quarterly).
- Comments/Notes: Space for additional observations or changes.
3. Sample Layout of a Combined Assurance Matrix
On the last page of this article, you will find a figure that explains the CAM in detail, with a practical example.
4. Six Levels of Assurance Providers
The table below lists the 6 levels of assurance providers, which must be implemented in every company.

You will see that a weighting (positive and negative) is allocated to each assurance provider. This is directly related to the risk it holds for the risk owner, the company and the financial management of the company.
5. System Capabilities
A system capable of generating this matrix should include:
- Data Entry & Storage: Centralized repository for risks, assurance stakeholders, and action items.
- Mapping & Linking: Link each risk to relevant stakeholders and action plans.
- Automated Reminders: For action due dates and regular review schedules.
- Real-Time Updates: Track the progress of action plans, allowing for updates on risk status.
- Customizable Reporting: Generate real-time reports for management on risk status, action progress, and audit findings.
This structured approach allows for a comprehensive and real-time view of risk management efforts, increasing transparency and accountability across the organization.