Management, risk management and assurance

May 2017 Security Services & Risk Management

Ever wondered why we can’t get a handle on fraud and why it keeps occurring? It’s actually simple to understand, but it’s also one of the largest issues many companies face.

Colin Hill.
Colin Hill.

Consider this scenario. A thief manages to get through a business’s security door while the guard is on a break. He dodges the surveillance cameras, sidesteps an unlocked security gate, forces open the safe and makes his getaway with thousands in cash. Or imagine a hacker breaks into your valuable private database and obtains access to all your customers’ account information. Criminals are experts; if they fail during the first hacking attempt, they will keep changing their attack methods until they are successful.

There are two ways to prevent fraud. One is to have a proactive fraud prevention system in place that uses a hybrid of analytical methods; the second is to make your fraud prevention strategy part of your risk management strategy.

Consider the fraud or hacker scenario

Fraud or hacking occurs when someone evades a security control or when a control is not working effectively. In the above example, an unlocked security gate made it easier for the robber to reach the money. In the online world, security controls include firewalls, anti-virus systems and network security programs, among others. A weakness in one control affects all other controls and opens a business up to possible fraud and other crime. Ensuring all controls are implemented correctly and are working effectively through continuous monitoring, forms part of risk management.

An effective risk management approach incorporates three levels, collectively known as combined assurance. This model ensures risk management processes are working effectively and that risks are being managed acceptably by incorporating three lines of defence – management, risk management and assurance – which can be a control department or internal audit. Crucially, the three layers must be coordinated effectively with clearly defined roles and responsibilities for all stakeholders.


Managers are responsible for defining a business’s goals and implementing strategies to achieve them. Along with this comes the responsibility to outline and enforce policies and processes to overcome risks that stand in the way of achieving those goals.

Management must be informed on and understand the risks to their business. They should ask the right questions to get the right information that will empower them to react quickly and make effective decisions on risk responses. Ultimately, management forms the first line of defence against business risk and should take accountability for risk management. They should establish a culture of risk management, in which staff understand the risks and are trained on how to respond to threats. To assist them with this process, management should be updated daily on the level of risk for the organisation. They should have a daily view of the risk profile of their business and act on failing controls.

Risk management

A risk department, appointed by management, will develop, implement and oversee risk management methodology, policies and processes to ensure that risk is managed at acceptable levels. The team is responsible for identifying and monitoring risks and must proactively respond to any changes in the threat landscape.

The compliance department is tasked with ensuring the business meets all compliance requirements with applicable laws and regulations. The risk department consolidates the compliance effort and impact of non-compliance with the risk management efforts. They support and report back to senior management on risk, governance and compliance issues and ensure management is kept up to date, while staying on top of staff training and championing the risk management culture within the business.


This is mostly provided by an internal audit and serves as an independent, objective assurance of the management of all risk management and compliance requirements. It provides assurance on risk management processes, the management of key risks and the effectiveness of controls in place, and delivers a reliable assessment of risks and reporting of risks.

Auditors evaluate whether management has identified key risks and has developed and implemented techniques and controls to address these. They provide assurance that risks are being managed and that processes and controls are in place and working efficiently. Auditors also oversee the implementation of risk management processes and advise on new developments.

Not only does combined assurance integrate the lines of defence to provide management with a complete view of governance and the risk management process, but it also assists with the making of strategic decisions based on a complete view of how risk and compliance is being managed throughout the organisation. A business that does not adopt this three-line defence model is immediately at risk of breaching regulations such as the Protection of Personal Information (PoPI) Act.

Risk is an unavoidable part of doing business today. More processes are driven by technology, business is increasingly conducted online and the trading landscape changes at breakneck speeds. All this presents new risks while existing threats evolve and take on new forms. What we have learnt from the past is that companies that foster cultures of combined assurance, understand risk and take the necessary steps to address and prevent them, are more likely to weather a tough business climate.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Digital evidence handling in the cloud
Issue 5 2020, ET Nice , Security Services & Risk Management
Investigate Xpress is a free, cloud-based digital evidence management solution designed to make police forces more efficient and productive.

The evolution of security in residential estates
Residential Estate Security Handbook 2020 , Editor's Choice, Integrated Solutions, Security Services & Risk Management
Two large estates discuss their security processes and the ever-expanding scope of responsibilities they need to fulfil.

Bang for your security buck(s)
Residential Estate Security Handbook 2020, Alwinco , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions asks how estates can maintain a good security posture in the time of the ever-shrinking budget.

More efficient guarding through the effective use of technology
Residential Estate Security Handbook 2020, Technews Publishing, OnGuard, Stallion Security, Active Track , Security Services & Risk Management
Technology in its many forms can be used to optimise the efficiency and performance of on-site guarding.

Range of grid-independent power systems
Residential Estate Security Handbook 2020, Specialised Battery Systems , Products, Security Services & Risk Management
SBS Solar has a range of solutions to provide power, save on costs and above all provide peace of mind.

More than just compliance
Issue 5 2020, IACT-Africa , Security Services & Risk Management
SA is one year away from the Protection of Personal Information Act (POPIA) D-Day.

The benefit of thermal screening
Issue 5 2020, Technews Publishing, Sensor Security Systems , Security Services & Risk Management
How preventive screening with thermal cameras can help in the fight against COVID-19.

Resilience is critical for post-COVID business success
Issue 5 2020, ContinuitySA , Security Services & Risk Management
Of the many lessons we have to learn from the current emergency, perhaps the most crucial one is to ensure that business strategy and operations are founded on resilience.

Post-Coronavirus communications: kick start your small business
Issue 4 2020 , Security Services & Risk Management
In these uncertain times, how should small companies and startups in the business-to-business domain recommence their selling and communication processes?

The dashboard of the future
Issue 4 2020 , Security Services & Risk Management
Web-based Electronic Signature Dashboard offers quick access to eSignatures within the necessary legal parameters and incorporating advanced security.