Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Can security managers also be risk managers?

August 2015 Editor's Choice, Security Services & Risk Management

By Andrew Seldon.

In the business world, security is a necessity, the infamous grudge purchase. However, as more company leaders realise the importance of protecting their businesses effectively, they realise they need more than a security manager. Today’s corporation needs a risk manager with a portfolio of responsibilities that stretch further than that of the traditional security manager.

Nico Snyman, CEO of Crest Advisory Africa explains that the job descriptions of risk and security managers clearly show there are two separate fields requiring different skills and knowledge. As South Africa (and the world in general) comes to terms with risk management in documents such as the King III report and legislation such as the Companies Act, it becomes clear that risk management is a field on its own with its own set of demands, priorities and responsibilities.

For example, the traditional security manager is responsible for three basic objectives: physical security of the premises, asset security and the protection of resources – to simplify the job. A corporate risk manager, on the other hand, needs to understand the standards governing risk that all the departments within the company must comply with.

Local and international standards

Locally, the King III report is held by all to be the leading corporate guide to good corporate governance, including risk management (chapter 4), and this is further supported by international standards, ISO 73: 2009 (Risk Management terminology & vocabulary), ISO 31000:2009 (Risk Management Guidelines and Principles) and ISO 31010:2009 (Risk Management Analysis Techniques) and most recently, ISO 9001: 2015, with an added focus area of risk management (see related article in this issue).

There are other standards too, depending on the area of business the company operates in. TAPA, for example, has a set of standards that applies to the logistics industry. The reality is risk managers need to understand these standards and apply and tailor them to their organisations.

Snyman notes this means creating the appropriate risk management frameworks, policies and measurement criteria, and then implementing policies and processes to ensure the company is compliant. The risk manager must be able to conduct risk assessments in all areas of the business, from IT to HR, and develop processes to handle the risks that occur. This requires a budget and, possibly more importantly, the authority to implement and enforce these processes in the organisation.

The different responsibilities that the security manager and the risk manager are measured on therefore means that one person can’t realistically do both jobs. That’s not to say a security manager can’t be a good risk manager, but the individual concerned needs to understand what is expected of a risk manager as well as the relevant standards without losing track of his security responsibilities.

They must also be able to effectively divide their time between the two tasks. The question is: what time is devoted to each and will the company respect that division? Will a dual-responsibility job allow the individual to pay the required attention to the 50 risk definitions in ISO 9001, or the frameworks in ISO 31000? Will he have the time to implement all these changes, down to developing and maintaining a risk register for the company?

Two in one?

Given the severity and the recent increases in crime in South Africa, the answer will most likely be no. Your security manager works a full time job and companies can’t allow them to divert their attention away from their goals. And when you consider that risk management today incorporates all aspects of the organisation, including cyber risks, your traditional security manager is unlikely to have the required skills.

In addition, the ISO standards are changing from being compliance driven to being objective driven. This will place additional responsibilities on the risk manager and require a keen understanding of the risks a company faces, as well as the development of a well-defined strategy to address them. Snyman says this will require the corporate position of a Chief Risk Officer (CRO), or someone on the board that has the authority to make and enforce decisions, something not usually associated with the security manager.

Snyman again notes that this does not exclude security managers from becoming risk managers, but he stresses that the two jobs are different, with different priorities and standards to maintain. Mixing the two distracts the responsible individual from fulfilling the demands of both and leaves the company in a vulnerable position that can potentially cost far more than the salaries of the two positions.

Nico Snyman is the Chief Executive Officer (CEO) of Crest Advisory Africa, specialising in risk management, corporate governance and advanced technologies. For more information, contact +27 (0)76 403 4307, nico@crestadvisoryafrica.com, www.crestadvisoryafrica.com





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

What is your ‘real’ security posture?
BlueVision Editor's Choice Information Security Infrastructure AI & Data Analytics
Many businesses operate under the illusion that their security controls, policies, and incident response plans will hold firm when tested by cybercriminals, but does this mean you are really safe?

Read more...
What is your ‘real’ security posture? (Part 2)
BlueVision Editor's Choice Information Security Infrastructure
In the second part of this series of articles from BlueVision, we explore the human element: social engineering and insider threats and how red teaming can expose and remedy them.

Read more...
IQ and AI
Leaderware Editor's Choice Surveillance AI & Data Analytics
Following his presentation at the Estate Security Conference in October, Craig Donald delves into the challenge of balancing human operator ‘IQ’ and AI system detection within CCTV control rooms.

Read more...
Onsite AI avoids cloud challenges
SMART Security Solutions Technews Publishing Editor's Choice Infrastructure AI & Data Analytics
Most AI programs today depend on constant cloud connections, which can be a liability for companies operating in secure or high-risk environments. That reliance exposes sensitive data to external networks, but also creates a single point of failure if connectivity drops.

Read more...
Toxic combinations
Editor's Choice
According to Panaseer’s latest research, 70% of major breaches are caused by toxic combinations: overlapping risks that compound and amplify each other, forming a critical vulnerability to be exploited.

Read more...
Syndicates exploit insider vulnerabilities in SA
Information Security Security Services & Risk Management
Today’s cyber criminals do not just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes.

Read more...
Continuum launches centralised access and identity management
Editor's Choice Access Control & Identity Management Integrated Solutions Facilities & Building Management
Continuum Identity is a newly launched company in the identity management and access control sector, targeting the complexity of managing various Access and Identity Management (AIM) systems.

Read more...
SABRIC Annual Crime Statistics 2024
News & Events Security Services & Risk Management Residential Estate (Industry)
SABRIC has released its Annual Crime Statistics for 2024, reflecting a significant decline in financial crime losses, but also warning of the growing threat posed by artificial intelligence (AI) in fraud schemes.

Read more...
Health, safety, and environmental eLearning
Training & Education Security Services & Risk Management
SHEilds is a global leader in health, safety, and environmental eLearning, delivering internationally recognised qualifications such as NEBOSH, IOSH, IEMA, and ProQual NVQs.

Read more...
See crime stopped in seconds
Products & Solutions Security Services & Risk Management
Fog Bandit, a leader in security fog, is bringing its instant crime-stopping technology to Securex Cape Town 2025. Experience the innovation trusted worldwide to protect retailers, warehouses, and high-value sites.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.