Ever wondered why we can’t get a handle on fraud and why it keeps occurring? Actually it’s simple to understand but it is one of the largest issues many companies have to deal with, says Colin Hill, senior systems engineer: Risk Management Solutions, SAS.Consider this scenario. A thief manages to get through a business’ security door while the guard is on a break. He dodges the surveillance cameras inside, sidesteps an unlocked security gate, uses force to open the safe and makes his getaway with thousands of rands in cash. Or a hacker breaks into your valuable private database and obtains access to all your customers’ account information – such as when the Sony PlayStation Network was hacked.

Criminals are experts; if they fail during the first hacking attempt, they will change their modus operandi a second and third time until they are successful.

There are two ways of preventing fraud – one is to have a proactive fraud prevention system in place that uses a hybrid of analytical methods; the second is to make your fraud prevention strategy part of your risk management strategy. Let’s consider the fraud or hacker scenario.

Fraud or hacking occurs when someone breaks/evades a security control or when a control is not working effectively. In the above example, an unlocked security gate made it easier for the robber to reach the money. In the online world, security controls include firewalls, anti-virus systems and network security programs, among others.

A weakness in one control affects all other controls and opens a business up to possible fraud and other crime. Ensuring all controls are implemented correctly and are working effectively through continuous monitoring forms part of risk management.

An effective risk management approach incorporates three levels, collectively known as combined risk assurance. This model ensures risk management processes are working effectively and that risks are being managed acceptably by incorporating three lines of defence – management, risk management and assurance – which can be a control department or internal audit.

Crucially, the three layers must be co-ordinated effectively with clearly defined roles and responsibilities for all stakeholders.

Management
Managers are responsible for defining a business’ goals and implementing strategies to achieve them. Along with this comes the responsibility to outline and enforce policies and processes to overcome risks that stand in the way of achieving those goals.

Management must be informed on and understand the risks to their business. They should ask the right questions to get the right information that will empower them to react quickly and make effective decisions on risk responses.
Ultimately, management forms the first line of defence against business risk and should take accountability for risk management. They should establish a culture of risk management, in which staff understand the risks and are trained on how to respond to threats.

To assist them with this process, management should be updated daily on the level of risk for the organisation. They should have a daily view of the risk profile of their business and act on failing controls.

Risk management
A risk department, appointed by management, will develop, implement and oversee risk management methodology, policies and processes to ensure that risk is managed at acceptable levels. The team is responsible for identifying and monitoring risks and must proactively respond to any changes in the threat landscape.

The compliance department is tasked with ensuring the business meets all compliance requirements with applicable laws and regulations. The risk department consolidates the compliance effort and impact of non-compliance with the risk management efforts.

They support and report back to senior management on risk, governance and compliance issues and ensure management is kept up to date, while staying on top of staff training and championing the risk management culture within the business.

Assurance
This is mostly provided by an internal audit and serves as an independent, objective assurance of the management of all risk management and compliance requirements. It provides assurance on risk management processes, the management of key risks and the effectiveness of controls in place, and delivers a reliable assessment of risks and reporting of risks.

Auditors evaluate whether management has identified key risks and has developed and implemented techniques to address these. They provide assurance that risks are being managed and that processes and controls are in place and working efficiently. Auditors also oversee the implementation of risk management processes and advise on new developments.

Not only does combined risk assurance streamline the risk management process, but it also assists in complying with country law and regulations. A business that does not adopt this three-line defence model is immediately at risk of breaching regulations such as the Protection of Personal Information (POPI) Act.

Risk is an unavoidable part of doing business today. More processes are driven by technology, business is increasingly conducted online and the trading landscape changes at breakneck speeds. All this presents new risks while existing threats evolve and take on new forms.

What we have learnt from the past is that companies that foster cultures of risk management, understand risk and take the necessary steps to address and prevent them, are more likely to weather a tough business climate.