Angel Vankov PSP, Board Director for Education, Development & Training at ASIS, explores the differences between risk management and assurance; how they should not be considered separately but as part of one loop: plan, act, check, improve.


It’s no surprise that “risk management” and “assurance” get thrown into the same bucket. They sound alike, they’re often used in the same meetings, and at first glance they look like they’re chasing the same goal: keeping people and assets safe.


But they’re not the same thing. Risk management looks forward. It asks what if, spots cracks before they widen, and sets up guardrails. Assurance looks the other way. It asks: did any of that actually work?


Here’s the thing. Risk management, done properly, is blunt. It doesn’t get starry-eyed over glossy brochures or the latest AI-driven gadget. You can spend a fortune on cameras, sensors, or fancy systems, but if people are still your weakest link and holding doors open for strangers, or if your policies are sitting in a binder nobody’s read since 2018, you’re exposed. Good risk work is about controls that make sense in the real world, that people can actually use, and that stand up when things get messy.


Assurance comes later. It’s the awkward mirror. Anyone can write a policy, anyone can tick a training register. But assurance is where you find out what really stuck. Did staff follow the rule on a wet Monday morning when the lobby was packed? Did the access control system stop unauthorised access, or just cause longer queues?


Sometimes assurance means a penetration test or a red-team drill. Other times it’s as simple as asking a night guard over a coffee how things really play out when the boss isn’t around.


This side of the job has become sharper since the National Protective Security Authority replaced CPNI in 2023. Their CAPSS framework (Cyber Assurance of Physical Security Systems) makes the point clear: physical and digital security can’t be split apart anymore. An access control unit isn’t just a door lock. It’s a network device, and if it’s unpatched, it’s a weak spot. Assurance in that world isn’t a form-filling exercise; it’s checking firmware, prodding integrations, and treating physical kit as part of the cyber perimeter.


You can see this thinking out there already. The University of Warwick rolled out a Compliance and Assurance Framework in 2022 built on two plain questions: Do we have what we need? And is it working? Nothing fancy. But that stripped-back approach forces assurance into everyday practice instead of letting it vanish into an annual report no one reads.


The financial sector has been moving the same way. HSBC, for example, has fitted high-value sites with biometric access. But the test isn’t the hardware. It’s whether those systems hold up in practice: red-team exercises to see if insiders can bypass them, drills to check if staff follow the procedure when things get stressful. Risk explains the spend; assurance shows if it was worth it.


Public transport offers another example. Transport for London (TfL) quietly runs covert exercises in its busiest stations: tailgating attempts, stepping into restricted zones, leaving bags behind to test responses. It’s not about catching staff out. It’s about proving whether training and systems actually work when the concourse is jammed.


Then there’s National Grid UK. With the country’s energy supply at stake, risk drives the investment in perimeter defences and monitoring kit. But assurance is the proof: live simulations, cyberattacks against SCADA-linked equipment, resilience tests. When you’re dealing with power systems, theory alone isn’t enough.


Even in commercial property the culture is shifting. Canary Wharf Group, running some of the most advanced buildings in the UK, doesn’t just install smart systems and walk away. They push them through penetration tests, simulated failures, follow-up fixes. That’s how you turn shiny infrastructure into real resilience.


Put all of this together and the lesson’s obvious. Risk and assurance aren’t two separate boxes. They’re parts of one loop: plan, act, check, improve. Risk tells you where to act. Assurance tells you if it worked. If it didn’t, you adjust and try again. Without assurance, the security risk management process is just guesswork.


Organisations aren’t judged by what they plan, they’re judged by what they deliver.


Angel Vankov PSP


Board Director for Education, Development & Training


www.asis.org.uk


© CITY SECURITY MAGAZINE – AUTUMN 2025


The assurance evolution: Modernising risk analysis in security


www.citysecuritymagazine.com

