07 Feb Trends in Enterprise Risk Management and Implications for Security Audits & Due Diligence Investigations (an overview comment)
SSC Legacy, South Africa’s oldest privately owned investigations and security consultancy company (established 1962), has for many years been conducting security audits and security-related due diligence investigations on the continent of Africa. The basic approach and procedures applied changed very little over the years, although SSC has always ensured compliance with up-to-date methodologies tailored to suit the specific circumstances being addressed.
Emerging Situation & Trends
However, it has become quite obvious over the last five years or so that audits focussed on or restricted to purely physical security, together with its related strategy, have been overtaken by the need for a holistic, overall risk-related audit approach. Such an approach includes the other integrated and interrelated risk disciplines installed, albeit often fragmented at this stage except in leading “technology” focussed companies. This requirement continues to become more necessary as companies adopt further risk-related policies and procedures to keep abreast of emerging risk-related trends, which inevitably overlap with and impact the efficacy of the physical security policy, procedures and strategy in place.
There is no question that executives responsible for risk mitigation procedures, especially in well-run companies – and particularly when driven by digitisation and digital transformation, cyber, big data, the cloud, Internet of Things (IoT) issues and the imperative need to plan for “Black Swan Events” and business continuity – increasingly understand that the various risk mitigation components of the overall risk challenge facing the enterprise are never isolated from one another. They converge and interact with each other and can, and often do, cause interrelated problems across the enterprise risk spectrum. It is increasingly difficult, if not impossible, to audit one component of the total risk profile in total isolation from the others, even though the emphasis may be on only one component.
When relevant to an enterprise, the adoption of AML (Anti Money Laundering), ESG (Environmental, Social & Governance) and SHE Q (Safety, Health, Protection of Environment & Quality) policies and procedures very often impacts, unless carefully planned, the efficiencies of the other components of the overall risk profile of the enterprise and, in SSC’s experience, quite definitely impacts the intended proper functioning of the mitigation features of the overall risk procedures in place.
ESG policy in particular has, since about 2005, become almost an essential component of a responsible company’s overall risk profile. Initially not an integral part of investment and valuation decisions, it has now become a standard tool by which investors, analysts, pension funds and insurers assess the overall risk involved with a specific company, i.e. ESG data is increasingly important to identify those companies that are well positioned for the future and to avoid those which are likely to underperform or fail. For individual shareholders and customers, the lack of adherence to ESG disciplines now rings warning bells about uncertainty relating to business continuity.
Ramifications for Business Leaders & Audit Practitioners
For business leaders at boardroom level, the rapidly emerging requirement to correctly structure (or plan to structure) the organisation, manage the convergence of risk components and the interests of different stakeholders and asset owners, and appoint qualified executives with support managers and staff to manage the overall risk situation now calls for a new breed of multi-skilled/experienced Risk Manager. Quite obviously this new-breed executive will need to be experienced, or at least knowledgeable, across all the components and disciplines of the risk procedures in place, i.e. an appropriately qualified executive to head the enterprise Risk Department, with individual discipline experts (Physical Security, ESG, IT/Cyber, SHE, with dotted-line access to HR and Internal Audit) reporting in to him/her.
For SSC and others in the auditing of risk situations, the same problem presents itself. Depending upon circumstances, very rarely will any audit of a modern full risk situation be efficiently conducted by a single person – a blend of skills will most often be required. And no physical security audit can be done without some reference at least to the other overlapping components in the overall risk procedures in place.
SSC intends, in future articles, to unpack and discuss in more detail some of the various components of a modern risk structure, e.g. to enlarge on how and why each selected component overlaps with and impacts the other components or disciplines installed, and how this requires amended audit approach features.
If you would like to find out more about our Investigative Services, contact:
Howard Griffiths, MD