Assurance vs. Risk Management

One of my current hot buttons is the over-emphasis of assurance with regards to risk management. I was recently given visibility into a risk management framework where ‘management assurance’ was listed as the goal of the framework. However, the framework did not allow for management to actually manage risk.

Recently at BSidesLA I attempted to reduce the definitions of risk and ‘risk management’ down to fundamental attributes because there are so many different – and in a lot of cases contextually valid – definitions of risk.

Risk: Something that can happen that can result in loss. It is about the frequency of events that can have an adverse impact to our time, resources and of course our money.

Risk Management: Activities that allow us to reduce our uncertainty about risk(s) so we can make good trade off decisions.

So how does this tie into assurance? The shortcoming with an assurance-centric approach to risk management is that assurance IMPLIES 100% certainty that all risks are known and that all identified controls are comprehensive and effective. An assurance-centric approach also implies that a control gap, control failure or some other issue HAS to be mitigated so management can have FULL assurance regarding their risk management posture.

Where risk management comes into play is when management does not require 100% assurance, because there may not be adequate benefit to their span of control or to the organization proper. Thus, robust risk management frameworks need to have a management response process – i.e. risk treatment decisions – for when issues or gaps are identified. A management response and risk treatment decision process has a few benefits:

1. It promotes transparency and accountability of management’s decisions regarding their risk management mindset (tolerance, appetite, etc.).

2. It empowers management to make the best business decision (think trade-off) given the information (containing elements of uncertainty) provided to them.

3. It potentially allows organizations to better understand the ‘total cost of risk’ (TCoR) relative to other operational costs associated with the business.

So here are the take-aways:

1. Assurance does not always equate to effective risk management.

2. Effective risk management can facilitate levels of assurance and confidence, as well as one’s understanding of uncertainty regarding the loss exposures one is faced with.

3. Empowering and enabling management to make effective risk treatment decisions can provide management a level of assurance that they are running their business the way they deem fit.


One Response to Assurance vs. Risk Management

  1. Chris,

    You’ve probably left this thought thread in the distant past by now. I’m a bit behind on my reading and just visited your post. If I could reflect what your post brought to mind regarding assurance as a facet of risk management overall. Among the factors of risk evaluation is the consideration of controls reducing risks either through the reduction of impact, the frequency of occurrence or the probability that the negative outcome would occur. So in that regard, assurance of implemented controls helps determine on an ongoing basis how effective the controls are at providing their objective. But the assurance model is only a part of the process and needs to include the additional components of ongoing threat modeling and the monitoring of other factors such as business and opportunity costs as well as changes in the internal and external environments. Risk management helps in the decision process that is required when control assurance detects less than 100% protection (constantly) and as other variables and factors cause the potential for loss to vary. How much value is provided by assurance is relative to the effectiveness of the assurance model itself.