printer friendly version

Management, risk management and assurance

Ever wondered why we can’t get a handle on fraud and why it keeps occurring? It’s actually simple to understand, but it’s also one of the largest issues many companies face.

Colin Hill.

Consider this scenario. A thief manages to get through a business’s security door while the guard is on a break. He dodges the surveillance cameras, sidesteps an unlocked security gate, forces open the safe and makes his getaway with thousands in cash. Or imagine a hacker breaks into your valuable private database and obtains access to all your customers’ account information. Criminals are experts; if they fail during the first hacking attempt, they will keep changing their attack methods until they are successful.

There are two ways to prevent fraud. One is to have a proactive fraud prevention system in place that uses a hybrid of analytical methods; the second is to make your fraud prevention strategy part of your risk management strategy.

Consider the fraud or hacker scenario

Fraud or hacking occurs when someone evades a security control or when a control is not working effectively. In the above example, an unlocked security gate made it easier for the robber to reach the money. In the online world, security controls include firewalls, anti-virus systems and network security programs, among others. A weakness in one control affects all other controls and opens a business up to possible fraud and other crime. Ensuring all controls are implemented correctly and are working effectively through continuous monitoring, forms part of risk management.

An effective risk management approach incorporates three levels, collectively known as combined assurance. This model ensures risk management processes are working effectively and that risks are being managed acceptably by incorporating three lines of defence – management, risk management and assurance – which can be a control department or internal audit. Crucially, the three layers must be coordinated effectively with clearly defined roles and responsibilities for all stakeholders.

Management

Managers are responsible for defining a business’s goals and implementing strategies to achieve them. Along with this comes the responsibility to outline and enforce policies and processes to overcome risks that stand in the way of achieving those goals.

Management must be informed on and understand the risks to their business. They should ask the right questions to get the right information that will empower them to react quickly and make effective decisions on risk responses. Ultimately, management forms the first line of defence against business risk and should take accountability for risk management. They should establish a culture of risk management, in which staff understand the risks and are trained on how to respond to threats. To assist them with this process, management should be updated daily on the level of risk for the organisation. They should have a daily view of the risk profile of their business and act on failing controls.

Risk management

A risk department, appointed by management, will develop, implement and oversee risk management methodology, policies and processes to ensure that risk is managed at acceptable levels. The team is responsible for identifying and monitoring risks and must proactively respond to any changes in the threat landscape.

The compliance department is tasked with ensuring the business meets all compliance requirements with applicable laws and regulations. The risk department consolidates the compliance effort and impact of non-compliance with the risk management efforts. They support and report back to senior management on risk, governance and compliance issues and ensure management is kept up to date, while staying on top of staff training and championing the risk management culture within the business.

Assurance

This is mostly provided by an internal audit and serves as an independent, objective assurance of the management of all risk management and compliance requirements. It provides assurance on risk management processes, the management of key risks and the effectiveness of controls in place, and delivers a reliable assessment of risks and reporting of risks.

Auditors evaluate whether management has identified key risks and has developed and implemented techniques and controls to address these. They provide assurance that risks are being managed and that processes and controls are in place and working efficiently. Auditors also oversee the implementation of risk management processes and advise on new developments.

Not only does combined assurance integrate the lines of defence to provide management with a complete view of governance and the risk management process, but it also assists with the making of strategic decisions based on a complete view of how risk and compliance is being managed throughout the organisation. A business that does not adopt this three-line defence model is immediately at risk of breaching regulations such as the Protection of Personal Information (PoPI) Act.

Risk is an unavoidable part of doing business today. More processes are driven by technology, business is increasingly conducted online and the trading landscape changes at breakneck speeds. All this presents new risks while existing threats evolve and take on new forms. What we have learnt from the past is that companies that foster cultures of combined assurance, understand risk and take the necessary steps to address and prevent them, are more likely to weather a tough business climate.

Share this article:

Further reading: