Can security managers also be risk managers?

August 2015 Editor's Choice, Security Services & Risk Management

In the business world, security is a necessity, the infamous grudge purchase. However, as more company leaders realise the importance of protecting their businesses effectively, they realise they need more than a security manager. Today’s corporation needs a risk manager with a portfolio of responsibilities that stretch further than that of the traditional security manager.

Nico Snyman, CEO of Crest Advisory Africa explains that the job descriptions of risk and security managers clearly show there are two separate fields requiring different skills and knowledge. As South Africa (and the world in general) comes to terms with risk management in documents such as the King III report and legislation such as the Companies Act, it becomes clear that risk management is a field on its own with its own set of demands, priorities and responsibilities.

For example, the traditional security manager is responsible for three basic objectives: physical security of the premises, asset security and the protection of resources – to simplify the job. A corporate risk manager, on the other hand, needs to understand the standards governing risk that all the departments within the company must comply with.

Local and international standards

Locally, the King III report is held by all to be the leading corporate guide to good corporate governance, including risk management (chapter 4), and this is further supported by international standards, ISO 73: 2009 (Risk Management terminology & vocabulary), ISO 31000:2009 (Risk Management Guidelines and Principles) and ISO 31010:2009 (Risk Management Analysis Techniques) and most recently, ISO 9001: 2015, with an added focus area of risk management (see related article in this issue).

There are other standards too, depending on the area of business the company operates in. TAPA, for example, has a set of standards that applies to the logistics industry. The reality is risk managers need to understand these standards and apply and tailor them to their organisations.

Snyman notes this means creating the appropriate risk management frameworks, policies and measurement criteria, and then implementing policies and processes to ensure the company is compliant. The risk manager must be able to conduct risk assessments in all areas of the business, from IT to HR, and develop processes to handle the risks that occur. This requires a budget and, possibly more importantly, the authority to implement and enforce these processes in the organisation.

The different responsibilities that the security manager and the risk manager are measured on therefore means that one person can’t realistically do both jobs. That’s not to say a security manager can’t be a good risk manager, but the individual concerned needs to understand what is expected of a risk manager as well as the relevant standards without losing track of his security responsibilities.

They must also be able to effectively divide their time between the two tasks. The question is: what time is devoted to each and will the company respect that division? Will a dual-responsibility job allow the individual to pay the required attention to the 50 risk definitions in ISO 9001, or the frameworks in ISO 31000? Will he have the time to implement all these changes, down to developing and maintaining a risk register for the company?

Two in one?

Given the severity and the recent increases in crime in South Africa, the answer will most likely be no. Your security manager works a full time job and companies can’t allow them to divert their attention away from their goals. And when you consider that risk management today incorporates all aspects of the organisation, including cyber risks, your traditional security manager is unlikely to have the required skills.

In addition, the ISO standards are changing from being compliance driven to being objective driven. This will place additional responsibilities on the risk manager and require a keen understanding of the risks a company faces, as well as the development of a well-defined strategy to address them. Snyman says this will require the corporate position of a Chief Risk Officer (CRO), or someone on the board that has the authority to make and enforce decisions, something not usually associated with the security manager.

Snyman again notes that this does not exclude security managers from becoming risk managers, but he stresses that the two jobs are different, with different priorities and standards to maintain. Mixing the two distracts the responsible individual from fulfilling the demands of both and leaves the company in a vulnerable position that can potentially cost far more than the salaries of the two positions.

Nico Snyman is the Chief Executive Officer (CEO) of Crest Advisory Africa, specialising in risk management, corporate governance and advanced technologies. For more information, contact +27 (0)76 403 4307, nico@crestadvisoryafrica.com, www.crestadvisoryafrica.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Mining (Industry) Risk Management & Resilience
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Risk Management & Resilience
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...
Entries to southern Africa OSPA Awards now open
Technews Publishing Securex South Africa Editor's Choice News & Events
The southern Africa OSPAs are part of a global awards scheme that recognises and rewards teams, individuals and organisations for their commitment and outstanding performance within the security sector.

Read more...
Securex has moved to June
Technews Publishing Editor's Choice News & Events
Following the formal announcement of the date for South Africa’s national election, 29 May 2024 , which happened to be in the middle of the planned dates for Securex South Africa, Securex will now take place from 11 – 13 June 2024 at Gallagher Estate in Midrand.

Read more...