Management, risk management and assurance

May 2017 Security Services & Risk Management

Ever wondered why we can’t get a handle on fraud and why it keeps occurring? It’s actually simple to understand, but it’s also one of the largest issues many companies face.

Colin Hill.
Colin Hill.

Consider this scenario. A thief manages to get through a business’s security door while the guard is on a break. He dodges the surveillance cameras, sidesteps an unlocked security gate, forces open the safe and makes his getaway with thousands in cash. Or imagine a hacker breaks into your valuable private database and obtains access to all your customers’ account information. Criminals are experts; if they fail during the first hacking attempt, they will keep changing their attack methods until they are successful.

There are two ways to prevent fraud. One is to have a proactive fraud prevention system in place that uses a hybrid of analytical methods; the second is to make your fraud prevention strategy part of your risk management strategy.

Consider the fraud or hacker scenario

Fraud or hacking occurs when someone evades a security control or when a control is not working effectively. In the above example, an unlocked security gate made it easier for the robber to reach the money. In the online world, security controls include firewalls, anti-virus systems and network security programs, among others. A weakness in one control affects all other controls and opens a business up to possible fraud and other crime. Ensuring all controls are implemented correctly and are working effectively through continuous monitoring, forms part of risk management.

An effective risk management approach incorporates three levels, collectively known as combined assurance. This model ensures risk management processes are working effectively and that risks are being managed acceptably by incorporating three lines of defence – management, risk management and assurance – which can be a control department or internal audit. Crucially, the three layers must be coordinated effectively with clearly defined roles and responsibilities for all stakeholders.

Management

Managers are responsible for defining a business’s goals and implementing strategies to achieve them. Along with this comes the responsibility to outline and enforce policies and processes to overcome risks that stand in the way of achieving those goals.

Management must be informed on and understand the risks to their business. They should ask the right questions to get the right information that will empower them to react quickly and make effective decisions on risk responses. Ultimately, management forms the first line of defence against business risk and should take accountability for risk management. They should establish a culture of risk management, in which staff understand the risks and are trained on how to respond to threats. To assist them with this process, management should be updated daily on the level of risk for the organisation. They should have a daily view of the risk profile of their business and act on failing controls.

Risk management

A risk department, appointed by management, will develop, implement and oversee risk management methodology, policies and processes to ensure that risk is managed at acceptable levels. The team is responsible for identifying and monitoring risks and must proactively respond to any changes in the threat landscape.

The compliance department is tasked with ensuring the business meets all compliance requirements with applicable laws and regulations. The risk department consolidates the compliance effort and impact of non-compliance with the risk management efforts. They support and report back to senior management on risk, governance and compliance issues and ensure management is kept up to date, while staying on top of staff training and championing the risk management culture within the business.

Assurance

This is mostly provided by an internal audit and serves as an independent, objective assurance of the management of all risk management and compliance requirements. It provides assurance on risk management processes, the management of key risks and the effectiveness of controls in place, and delivers a reliable assessment of risks and reporting of risks.

Auditors evaluate whether management has identified key risks and has developed and implemented techniques and controls to address these. They provide assurance that risks are being managed and that processes and controls are in place and working efficiently. Auditors also oversee the implementation of risk management processes and advise on new developments.

Not only does combined assurance integrate the lines of defence to provide management with a complete view of governance and the risk management process, but it also assists with the making of strategic decisions based on a complete view of how risk and compliance is being managed throughout the organisation. A business that does not adopt this three-line defence model is immediately at risk of breaching regulations such as the Protection of Personal Information (PoPI) Act.

Risk is an unavoidable part of doing business today. More processes are driven by technology, business is increasingly conducted online and the trading landscape changes at breakneck speeds. All this presents new risks while existing threats evolve and take on new forms. What we have learnt from the past is that companies that foster cultures of combined assurance, understand risk and take the necessary steps to address and prevent them, are more likely to weather a tough business climate.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Boost revenue streams for MNOS
News & Events Security Services & Risk Management Financial (Industry)
ReveNet has introduced its new solution, designed to safeguard and potentially boost revenue streams in an increasingly challenging landscape for MNOS. The new platform combines advanced analytics and is built on trust, transparency, and sustainability principles.

Read more...
Risk-IO manages mining security risks
Security Services & Risk Management Mining (Industry)
[Sponsored] A local mining company with three large operations experienced increased security costs. The liability included no standardised risk assessment, poor management of the efforts to mitigate hazards, and unauthorised access with subsequent theft. The reactive approach to security was not only expensive but also wasteful in the sense that the costs were poorly managed, and there were no metrics to show improvement or trends in incidents.

Read more...
NIS2 compliance amplifies skills shortages and resource strain
Information Security Security Services & Risk Management
A new Censuswide survey, commissioned by Veeam Software reveals the significant impact on businesses as they adapt to this key cybersecurity directive, with 95% of EMEA businesses siphoning other budgets to try and meet compliance deadline.

Read more...
SA company develops world-first safe K9 training for drug detection
Editor's Choice News & Events Security Services & Risk Management Government and Parastatal (Industry)
The Braveheart Bio-Dog Academy recently announced the results of its scientific research into training dogs to accurately detect drugs and explosives without harming either the dogs or their handlers.

Read more...
Understanding South Africa’s Cybercrimes Act
Information Security Security Services & Risk Management
The Cybercrimes Act No.19 of 2020 is a comprehensive legislative response to the evolving landscape of cyberthreats in South Africa. Its effectiveness, however, relies on enforcement, which relies on implementation, international cooperation, and collaboration between the public and private sectors.

Read more...
Partnership addresses fire hazard mitigation
Brigit Fire (a Division of Hudaco Trading) Elvey Security Technologies Fire & Safety Security Services & Risk Management
Brigit Fire has partnered with the Elvey Group. The collaboration will see Brigit Fire distributing both the advanced C-TEC addressable fire detection systems (CAST Technology) and GreenMist lithium extinguishers.

Read more...
Fire protection for a solvent extraction plant in Africa
FS Systems Fire & Safety Security Services & Risk Management Mining (Industry)
A prominent mining site operates a state-of-the-art solvent extraction (SX) plant, integral to separating and purifying metals from ores, which pose significant fire risks, as SX processes involve highly flammable organic solvents and elevated operating temperatures.

Read more...
Taking fire safety seriously
G2 Fire Editor's Choice Fire & Safety Security Services & Risk Management
To gain insights into how fire systems must be designed, installed and maintained, SMART Security Solutions asked Nichola Allan, MD of G2 Fire, for some insights into the local fire market.

Read more...
New data privacy trends increase large cyber claims
Security Services & Risk Management News & Events
Frequency and value of sizeable cyber insurance claims up 14% and 17% year-on-year in the first half of 2024, with a growing trend in the US for litigation against large corporations related to privacy violations.

Read more...
Streamlining and securing enterprise risk management
Security Services & Risk Management
[Sponsored] A new enterprise risk management web app from Zulu Consulting, called Risk-IO, is designed to automate and streamline the enterprise risk management process, ensuring no steps are skipped and everything is securely documented.

Read more...