Why do you need a comprehensive Security Management Program?

Before we address the question, it helps to provide context.

Undertaking the work to put together a Security Management Program requires planning. It is a project in its own right and requires the time and commitment of a number of individuals to do well. Any dilution or shortcutting will result in token and often ineffective solutions. One of the challenges many security directors and managers have to deal with is a lack of understanding about what security risk is.

A well-constructed Security Management Program, together with broad awareness of its content, will close the risk knowledge gap. Your program should be aligned with, and sit within, the internal control framework adopted by the Board of Directors as part of its corporate governance responsibilities.

Good risk management is difficult to implement, and failing to grasp that single fact may explain why many organizations that take risk every day get the management of risk wrong. The seven core reasons why this is the case are:

  1. The potential interaction of multiple risks was underestimated or disregarded
  2. Probabilistic modelling was over-emphasized; shortcuts were taken; scenario planning was underused; transparency into potential issues was absent
  3. Risk managers were isolated in silos
  4. Warnings were ignored; those who delivered them were dismissed as negative or criticized for not being team players
  5. A short-term perspective with a single-minded focus on making the quarterly financials
  6. Companies lacked a comprehensive approach to firm wide risk management; authority and responsibility were poorly controlled and defined
  7. Risk management often focused on compliance rather than performance, leading to inadequate assessments and responses

There are also misunderstandings regarding the distinction between security management plans and programs. The terms might seem interchangeable, but they are not. There are many references to security management plans when in actual fact the requirement in almost all circumstances is for a security management program. Plans are documented and sit on the shelf – only to be looked at in an emergency situation. Programs, on the other hand, are reviewed regularly. They are always being practiced and tested.

  1. Plans are based on theory; Programs are based on results
  2. Plans are dormant; Programs are active
  3. Plans become obsolete; Programs evolve

Plans also have value and support programs. The plan sets out the objective and the vision, whereas the program is the content and the steps taken to reach the goal.

A properly maintained Security Management Program gives you risk scores that are always current and will properly drive forward planning and all program activities. There should be no doubt why having a Security Management Plan is necessary, why the investment that could be required to implement it should be regarded as a priority, and why it should be included as part of the risk management framework used by an organization and monitored on an ongoing basis.

Your comprehensive Security Management Program will be the product of four comprehensive phases:

There is no doubt that the trend in risk management – irrespective of which risk – is towards greater maturity. One of the first steps is to establish the organization’s current maturity level, before incorporating maturity improvement into your security management plan.

[Image: risk management]

That maturity level is the outcome of seven core questions under three categories.

  1. Do senior management support and promote risk management?
  2. Are people equipped and supported to manage risk well?
  3. Is there a clear risk strategy and risk policies?
  4. Are there effective arrangements for managing risks with partners?
  5. Do the organization’s processes incorporate effective risk management?

Risk Handling:

  1. Are risks handled well?
  1. Does risk management contribute to achieving outcomes as noted above?

The maturity levels, on a rising scale from 1 to 5, are:

[Image: risk management outcomes]

The operating environment in all sectors is becoming more complex and requires the best possible risk management to be evident in an organization in order to satisfy the risk-to-reward expectations of an increasingly complex and interwoven stakeholder environment. Advancing your security maturity on that scale is your goal.
