Defining the 5 different Security Roles

Understanding the Distinct Roles: Service Provider, Risk Manager, Security Manager, In-House Security, and Independent Security Risk Assessor.

We have found that many people do not fully understand the five distinct roles in security. To address this, we hosted a highly successful workshop in Pretoria, Gauteng, South Africa, where we clearly explained the differences between these roles. Every participant left with a clear understanding of each role and who is responsible for what.

If you would like to attend a future workshop, please contact us and share the topic you would like to discuss. If you prefer the information in article form, email us at andre@alwinco.co.za, and we will create an article addressing your chosen topic.

We recently conducted an independent security risk assessment for a retail store in Rustenburg, identifying vulnerabilities that are frequently overlooked in standard assessments. This allows us to recommend practical solutions that significantly improve the safety and security of the site.

If you would like to learn more about our assessments or have specific topics you would like us to cover, please email your suggestions to andre@alwinco.co.za. We will create and publish articles on our website tailored to your interests.

Below, we explain the distinct differences.

In the security industry, roles are often misunderstood, and assumptions frequently lead to major gaps in protection. Many clients believe that buying the latest hardware, hiring a security company, or appointing someone internally to oversee operations is enough to cover their risks. This assumption is not only dangerous but also often the root cause of serious security failures or breaches.

Understanding the clear differences between a service provider, risk manager, security manager, in-house security personnel, and an independent security risk assessor is essential for any individual, company, or estate that takes security seriously. Each role has a unique function. They are not interchangeable. Each serves a particular purpose, and when one is mistaken for another, the consequences can be severe. Below is a breakdown of each role and why distinguishing between them matters.

The Service Provider:

A service provider is a third-party security company contracted to deliver specific services such as security guards, alarm installations, armed response, patrol vehicles, or control room operations. Their job is to implement a system that has usually already been selected by the client, often without a formal risk assessment. This includes installers. There are two types in the market: those who only install for someone else and those who both sell security hardware and handle the installation.

They do not investigate or identify risks. Their role is to provide what the contract outlines. If guards are required, they provide guards. If patrols are needed, they schedule patrols. They do not assess whether the system is effective or necessary. Most service providers operate with sales targets and focus on client retention. It is not in their interest to highlight areas where their offering might be ineffective. Service providers cannot conduct a security risk assessment because they would have to assess themselves and the client’s management, which is never a good idea.

Expecting a service provider to conduct a thorough, unbiased investigation into risk is a fundamental mistake. Their role begins when the risk assessment ends.

The Risk Manager:

A risk manager typically works within an organization and is on the company payroll. In some cases, a risk manager may be employed through a service provider, where the focus can shift from assessing risk objectively to securing the contract to provide risk management services.

Regardless, risk managers cannot objectively assess themselves, their company’s management, or the client’s management. They address a broad range of risks, including financial, operational, legal, reputational, and sometimes physical. Their role typically begins after the independent security risk assessment has been completed. Security is just one part of their broader portfolio.

They operate strategically and administratively, often dealing with documentation, compliance reports, and data analysis. While they might identify trends or raise red flags, they are not trained or equipped to physically assess sites for opportunities.

Their input is high-level and theoretical. They may highlight that a property is exposed to risk, but they will not walk the site, assess entry points, or observe behavior patterns to understand how that risk can be exploited. Their contribution is essential in the context of governance and risk management but limited when it comes to designing or correcting security measures.

The Security Manager:

Security managers are on-site personnel responsible for maintaining daily security operations. They manage guards, monitor access control, ensure systems are functioning, and handle security-related complaints or incidents. Their focus is operational, not investigative. Security managers enforce existing systems but are not responsible for independently assessing or redesigning them. Most clients and directors rarely heed the security manager’s advice, seeing him as a non-essential professional regardless of the advice’s importance.

They usually operate under constraints such as tight budgets, outdated systems, or unclear mandates. They are not trained in independent security risk assessment, and their observations are often based on experience rather than investigative insight. Although security managers are a critical component in daily safety, their role is confined to what has already been implemented. They lack the objectivity and distance needed to uncover foundational flaws.

There are two types of security managers.

The first is the client/company security manager, who is directly employed and gets a salary from the client, company, or estate.

The second is the security manager employed by a service provider.

In South Africa, when a company or client refers to a security manager, they are often referring to the one provided by the security service provider. This is especially common in small and medium-sized companies and state-owned companies, as well as in residential estates.

If the security manager is not on your payroll, then he is not your security manager.

He belongs to the security service provider, which pays his salary, and his primary responsibility is to look after the service provider’s portfolio. Even if he genuinely wants to be completely transparent with the client, he cannot act independently. He must follow his company’s chain of command before communicating with the client. He also cannot say or do anything that would bring his own company into disrepute or damage its reputation. Every employment contract includes a clause forbidding employees from bringing their company’s name into disrepute, with dismissal as a consequence for violations.

Therefore, when referring to a security manager, ensure it is your security manager, not the service provider’s.

In residential estates, businesses, state-owned companies, and corporations, there should be two security managers: one appointed by the client or company and one from the service provider. These two individuals communicate with each other. This explains why a security manager cannot conduct an independent risk assessment. He cannot objectively assess himself, his company’s management, or the client’s management when they represent the service provider. As a result, the assessment is incomplete.

In-House Security:

In-house security refers to personnel employed directly by the company, estate, or institution. Unlike contracted service providers, they are part of the internal structure. They may handle physical security, access control, and even liaise with external vendors.

Their proximity to the organization can be both a strength and a weakness. While they often have a better understanding of the culture, routines, and challenges on-site, they may also become blind to long-standing issues. Familiarity can result in complacency.

In-house teams, like security managers, cannot conduct unbiased, risk-focused investigations.

They may monitor systems and enforce policies but are often not equipped or encouraged to question the system’s design. Their loyalty to the organization can limit their ability to view the security posture objectively. Internal politics, personal relationships, and fear of repercussions can further restrict their effectiveness. Just think about it this way. Expecting in-house security to conduct a proper security risk assessment is like a person who creates a test, writes the test, and then grades it themselves. It cannot produce a fair outcome. Assessing the management team that pays your salary is unwise.

In-house security plays an important operational role, but their perspective is not independent. Independence is key.

Risk Assessment and Security Providers

An independent security risk assessment cannot be conducted on behalf of a security company. The key factor is independence. Equally important is who pays for the assessment.

If the security company or service provider pays for the assessment and you are employed by them, you lose your independence. In that situation, you cannot carry out a truly independent security risk assessment because you ultimately work for and are accountable to the party funding the assessment.

The company that employs you will expect the assessment to align with its own interests, as this falls within its normal business scope. Like any other security provider, the findings will likely favor the company rather than provide an unbiased assessment of the security risks.

In the security risk assessment market, it is common for security providers to approach so-called independent assessors with requests to submit low-priced proposals. These assessors often underbid to secure the contract, which undermines the integrity of the process. Instead of delivering thorough, unbiased evaluations, the focus shifts to simply winning the job. As a result, the assessment often does not reflect the true level of risk and tends to favor the security provider. The security provider requests that the assessor submit a low-price proposal to serve as an independent assessor. The assessor agrees, aware that the second payment will be made only after the assessment is completed.

This arrangement means the assessor effectively has two paying clients, the security provider who instructs them and a second payment source, while a genuine independent assessor would have only one. Ultimately, the assessor is paid twice for the same work and is motivated to produce an outcome favorable to their original client, compromising true independence. A genuine independent security risk assessment must rest on two non-negotiable foundations: independence and truth. Without these, the assessment loses its credibility and fails its essential purpose. Exercise caution regarding low-price risk assessment proposals.

The Independent Security Risk Assessor:

An independent security risk assessor operates outside the organization without ties to service providers, vendors, or internal staff. They do not sell security products, do not manage guards, and are not bound by internal politics or contractual obligations. Their sole responsibility is to uncover opportunities for crime and report the truth without fear or favor. The closest way to describe a security assessor is as an investigator who identifies risks. Remember, an independent security risk assessor is neither a security manager nor a risk manager.

This role is investigative by nature. The assessor physically assesses the property, walks the perimeter, identifies blind spots, analyzes entry points, observes movement patterns, examines routines, and studies behavior. They also assess security policies, management’s security decision-making, and standard operating procedures.

The independent security risk assessor views the environment as a criminal would, looking for loopholes, inconsistencies, and exploitable weaknesses. Unlike other security professionals who visit a property for one, two, or three days, an independent risk assessor spends extended time on-site to fully understand the area. Every detail is examined with one goal: to uncover what can go wrong and how it could be exploited and to provide tailored, risk-specific solutions. These findings are presented in a structured report that gives clients a clear, actionable roadmap to address each security risk.

Independent assessors are not trying to justify staffing, support a budget, or defend past decisions. Their findings are based on evidence, not assumptions. They see what others overlook because they are trained to question everything. Their objectivity makes them the only party capable of delivering a truly comprehensive, independent security risk assessment.

Why Clarity in These Roles Is Crucial

Confusing these roles leads to ineffective security strategies. Hiring a service provider without first conducting an independent security risk assessment is like buying medicine without a proper diagnosis. Asking a risk manager to physically secure a property is like assigning a lawyer to fix a broken lock. Expecting a security manager or in-house team to conduct an independent security risk assessment is like asking a driver to build your house. It’s like asking a pharmacist to perform a heart transplant. Both wear white uniforms, but their skills are entirely different.

Each role contributes to the security ecosystem.

But only one role (the independent security risk assessor) is trained and positioned to uncover real, often hidden, threats before they become incidents. Security systems should not be built on assumptions. They should be built on facts. That begins with an objective, independent assessment. Until then, no matter how much is spent or how many people are hired, the risks remain real and unresolved.

If your security decisions have not started with a proper, independent assessment, you are building on the wrong foundation with more guesswork.

Article written by Andre Mundell. Independent Security Risk Assessor at Alwinco.
