Management, risk management and assurance

May 2017 Security Services & Risk Management

Ever wondered why we can’t get a handle on fraud and why it keeps occurring? It’s actually simple to understand, but it’s also one of the largest issues many companies face.

Colin Hill.
Colin Hill.

Consider this scenario. A thief manages to get through a business’s security door while the guard is on a break. He dodges the surveillance cameras, sidesteps an unlocked security gate, forces open the safe and makes his getaway with thousands in cash. Or imagine a hacker breaks into your valuable private database and obtains access to all your customers’ account information. Criminals are experts; if they fail during the first hacking attempt, they will keep changing their attack methods until they are successful.

There are two ways to prevent fraud. One is to have a proactive fraud prevention system in place that uses a hybrid of analytical methods; the second is to make your fraud prevention strategy part of your risk management strategy.

Consider the fraud or hacker scenario

Fraud or hacking occurs when someone evades a security control or when a control is not working effectively. In the above example, an unlocked security gate made it easier for the robber to reach the money. In the online world, security controls include firewalls, anti-virus systems and network security programs, among others. A weakness in one control affects all other controls and opens a business up to possible fraud and other crime. Ensuring all controls are implemented correctly and are working effectively through continuous monitoring, forms part of risk management.

An effective risk management approach incorporates three levels, collectively known as combined assurance. This model ensures risk management processes are working effectively and that risks are being managed acceptably by incorporating three lines of defence – management, risk management and assurance – which can be a control department or internal audit. Crucially, the three layers must be coordinated effectively with clearly defined roles and responsibilities for all stakeholders.

Management

Managers are responsible for defining a business’s goals and implementing strategies to achieve them. Along with this comes the responsibility to outline and enforce policies and processes to overcome risks that stand in the way of achieving those goals.

Management must be informed on and understand the risks to their business. They should ask the right questions to get the right information that will empower them to react quickly and make effective decisions on risk responses. Ultimately, management forms the first line of defence against business risk and should take accountability for risk management. They should establish a culture of risk management, in which staff understand the risks and are trained on how to respond to threats. To assist them with this process, management should be updated daily on the level of risk for the organisation. They should have a daily view of the risk profile of their business and act on failing controls.

Risk management

A risk department, appointed by management, will develop, implement and oversee risk management methodology, policies and processes to ensure that risk is managed at acceptable levels. The team is responsible for identifying and monitoring risks and must proactively respond to any changes in the threat landscape.

The compliance department is tasked with ensuring the business meets all compliance requirements with applicable laws and regulations. The risk department consolidates the compliance effort and impact of non-compliance with the risk management efforts. They support and report back to senior management on risk, governance and compliance issues and ensure management is kept up to date, while staying on top of staff training and championing the risk management culture within the business.

Assurance

This is mostly provided by an internal audit and serves as an independent, objective assurance of the management of all risk management and compliance requirements. It provides assurance on risk management processes, the management of key risks and the effectiveness of controls in place, and delivers a reliable assessment of risks and reporting of risks.

Auditors evaluate whether management has identified key risks and has developed and implemented techniques and controls to address these. They provide assurance that risks are being managed and that processes and controls are in place and working efficiently. Auditors also oversee the implementation of risk management processes and advise on new developments.

Not only does combined assurance integrate the lines of defence to provide management with a complete view of governance and the risk management process, but it also assists with the making of strategic decisions based on a complete view of how risk and compliance is being managed throughout the organisation. A business that does not adopt this three-line defence model is immediately at risk of breaching regulations such as the Protection of Personal Information (PoPI) Act.

Risk is an unavoidable part of doing business today. More processes are driven by technology, business is increasingly conducted online and the trading landscape changes at breakneck speeds. All this presents new risks while existing threats evolve and take on new forms. What we have learnt from the past is that companies that foster cultures of combined assurance, understand risk and take the necessary steps to address and prevent them, are more likely to weather a tough business climate.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Identity recovery matters most
Security Services & Risk Management
As cyberattacks grow more targeted, more destructive, and increasingly aimed at the very fabric of trust within the enterprise, the ability to restore identities has become just as critical as restoring data.

Read more...
ISO 27701 helps demonstrate privacy compliance beyond POPIA
Security Services & Risk Management
ISO 27701 include privacy-specific controls and provides a structured way to manage Personally Identifiable Information (PII) throughout its lifecycle, giving organisations a way to demonstrate how privacy is managed.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Increase in cyberattacks on the manufacturing sector
Security Services & Risk Management News & Events Industrial (Industry)
According to a new Kaspersky ICS CERT report, in the first quarter of 2026, the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19,6% globally.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
The risk at the edge of South Africa’s agriculture supply chain
Security Services & Risk Management Agriculture (Industry) Logistics (Industry)
Research from ESET has found that a significant number of South African agritech operators and farmers continue to believe their companies are not attractive targets for cybercriminals. Unfortunately, that belief is precisely what makes them one.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
Break the silence on fraud
Security Services & Risk Management
We are entering a new era of fraud, one defined by groups that operate across borders, using advanced digital tools and impersonation tactics to deceive victims and wear down communities' trust and financial security.

Read more...
Africa’s white-collar crime landscape
Security Services & Risk Management
White-collar crime in Africa is no longer a predominantly domestic concern; it has expanded onto the international stage, and so too has the corporate exposure that accompanies it.

Read more...
Global security in 2026
Editor's Choice News & Events Security Services & Risk Management Industrial (Industry) Mining (Industry)
The World Security Report 2026 states: “In a world of increasing volatility, physical security has evolved. It is no longer just a defensive measure; it is a critical driver of corporate value.”

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.