Can security managers also be risk managers?

August 2015 Editor's Choice, Security Services & Risk Management

In the business world, security is a necessity, the infamous grudge purchase. However, as more company leaders realise the importance of protecting their businesses effectively, they realise they need more than a security manager. Today’s corporation needs a risk manager with a portfolio of responsibilities that stretch further than that of the traditional security manager.

Nico Snyman, CEO of Crest Advisory Africa explains that the job descriptions of risk and security managers clearly show there are two separate fields requiring different skills and knowledge. As South Africa (and the world in general) comes to terms with risk management in documents such as the King III report and legislation such as the Companies Act, it becomes clear that risk management is a field on its own with its own set of demands, priorities and responsibilities.

For example, the traditional security manager is responsible for three basic objectives: physical security of the premises, asset security and the protection of resources – to simplify the job. A corporate risk manager, on the other hand, needs to understand the standards governing risk that all the departments within the company must comply with.

Local and international standards

Locally, the King III report is held by all to be the leading corporate guide to good corporate governance, including risk management (chapter 4), and this is further supported by international standards, ISO 73: 2009 (Risk Management terminology & vocabulary), ISO 31000:2009 (Risk Management Guidelines and Principles) and ISO 31010:2009 (Risk Management Analysis Techniques) and most recently, ISO 9001: 2015, with an added focus area of risk management (see related article in this issue).

There are other standards too, depending on the area of business the company operates in. TAPA, for example, has a set of standards that applies to the logistics industry. The reality is risk managers need to understand these standards and apply and tailor them to their organisations.

Snyman notes this means creating the appropriate risk management frameworks, policies and measurement criteria, and then implementing policies and processes to ensure the company is compliant. The risk manager must be able to conduct risk assessments in all areas of the business, from IT to HR, and develop processes to handle the risks that occur. This requires a budget and, possibly more importantly, the authority to implement and enforce these processes in the organisation.

The different responsibilities that the security manager and the risk manager are measured on therefore means that one person can’t realistically do both jobs. That’s not to say a security manager can’t be a good risk manager, but the individual concerned needs to understand what is expected of a risk manager as well as the relevant standards without losing track of his security responsibilities.

They must also be able to effectively divide their time between the two tasks. The question is: what time is devoted to each and will the company respect that division? Will a dual-responsibility job allow the individual to pay the required attention to the 50 risk definitions in ISO 9001, or the frameworks in ISO 31000? Will he have the time to implement all these changes, down to developing and maintaining a risk register for the company?

Two in one?

Given the severity and the recent increases in crime in South Africa, the answer will most likely be no. Your security manager works a full time job and companies can’t allow them to divert their attention away from their goals. And when you consider that risk management today incorporates all aspects of the organisation, including cyber risks, your traditional security manager is unlikely to have the required skills.

In addition, the ISO standards are changing from being compliance driven to being objective driven. This will place additional responsibilities on the risk manager and require a keen understanding of the risks a company faces, as well as the development of a well-defined strategy to address them. Snyman says this will require the corporate position of a Chief Risk Officer (CRO), or someone on the board that has the authority to make and enforce decisions, something not usually associated with the security manager.

Snyman again notes that this does not exclude security managers from becoming risk managers, but he stresses that the two jobs are different, with different priorities and standards to maintain. Mixing the two distracts the responsible individual from fulfilling the demands of both and leaves the company in a vulnerable position that can potentially cost far more than the salaries of the two positions.

Nico Snyman is the Chief Executive Officer (CEO) of Crest Advisory Africa, specialising in risk management, corporate governance and advanced technologies. For more information, contact +27 (0)76 403 4307, [email protected], www.crestadvisoryafrica.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Background checks: risk levels and compliance
iFacts Access Control & Identity Management Security Services & Risk Management
Conducting background checks is a vital step in the hiring process for employers or when engaging service providers; however, it is crucial to understand the legal framework and regulations governing these checks.

Read more...
Federated identity orchestration
Technews Publishing SMART Security Solutions Editor's Choice Access Control & Identity Management Security Services & Risk Management AI & Data Analytics
Understanding exactly who resides at the end of a digital device is key, and simple identity number verification by the Department of Home Affairs is no longer a viable solution on its own.

Read more...
Balancing security and ease-of-use
Technews Publishing SMART Security Solutions Access Control & Identity Management Security Services & Risk Management
Fraud incidents have financial repercussions and erode consumer trust, leading businesses to become more aware, though this awareness does not necessarily translate into confidence in their identity authentication processes.

Read more...
Identity and authentication
Technews Publishing SMART Security Solutions Access Control & Identity Management Information Security Security Services & Risk Management
Identity authentication is a crucial aspect of both physical security and cybersecurity. SMART Security Solutions obtained insights into the topic and the latest developments from three companies.

Read more...
Boost revenue streams for MNOS
News & Events Security Services & Risk Management Financial (Industry)
ReveNet has introduced its new solution, designed to safeguard and potentially boost revenue streams in an increasingly challenging landscape for MNOS. The new platform combines advanced analytics and is built on trust, transparency, and sustainability principles.

Read more...
Here’s to a SMART 2025
SMART Security Solutions Editor's Choice News & Events
This is the final news brief from SMART Security Solutions for 2024, and the teams would like to take this opportunity to thank our readers, advertisers and partners and wish everyone a safe and secure festive season.

Read more...
NIS2 compliance amplifies skills shortages and resource strain
Information Security Security Services & Risk Management
A new Censuswide survey, commissioned by Veeam Software reveals the significant impact on businesses as they adapt to this key cybersecurity directive, with 95% of EMEA businesses siphoning other budgets to try and meet compliance deadline.

Read more...
SA company develops world-first safe K9 training for drug detection
Editor's Choice News & Events Security Services & Risk Management Government and Parastatal (Industry)
The Braveheart Bio-Dog Academy recently announced the results of its scientific research into training dogs to accurately detect drugs and explosives without harming either the dogs or their handlers.

Read more...
Understanding South Africa’s Cybercrimes Act
Information Security Security Services & Risk Management
The Cybercrimes Act No.19 of 2020 is a comprehensive legislative response to the evolving landscape of cyberthreats in South Africa. Its effectiveness, however, relies on enforcement, which relies on implementation, international cooperation, and collaboration between the public and private sectors.

Read more...
AI-powered automation for an operational efficiency edge
Editor's Choice AI & Data Analytics IoT & Automation
In the fast-moving world of digital transformation, businesses are under immense pressure to accelerate their operations and adapt quickly to stay competitive in an era dominated by AI and technological advancements.

Read more...