The attack on the Saint-Quentin-Fallavier site (Isère) on June 26, 2015, and the two criminal explosions at the Berre-l'Étang petrochemical site (Bouches-du-Rhône) on July 14, 2015, are regrettable events that should raise awareness of the central role of security risk prevention in the workplace. Where do we start? What are the regulations on this subject? Here's a quick overview...
Safety or security?
SAFETY involves implementing measures to prevent human and technical failures (sprinklers, traffic plans, evacuation drills, etc.). SECURITY, on the other hand, aims to prevent deliberate acts of malevolence (attacks, intrusions, occupation of premises, industrial espionage, cyber-attacks, theft of goods, kidnapping, vandalism, verbal and physical aggression, etc.).
Any company, whatever its activity or size, is a potential target for malicious acts.
Corporate security, aimed at guaranteeing the company's survival and the protection of its employees, is a real challenge for company directors. It is essential to implement a security risk management system designed to reduce threats and malicious acts.
Corporate security risk management systems
As with safety risk assessment, it is the role of every company to identify its security needs, evaluate internal and external threats, and develop policies, plans, procedures and means of protection to control these threats.
What are the benefits of a corporate security policy of this kind?
1- Protecting employees;
2- Protecting data and brand image;
3- Protecting the environment (air and water pollution, etc.).
What are the key points for implementing a risk management system?
1- Carry out a risk assessment: What are my company's targets? What are the potential malicious-intent scenarios?
2- Deploy protective measures: human resources (e.g.: security guards), technical resources (e.g.: video surveillance), procedures, staff information and training, containment drills, etc.
3- Maintain a permanent security watch and regularly monitor the protective measures in place.
What are the security figures?
According to CNPP's "Traité Pratique de Sûreté Malveillance" (2018):
77% of malicious incidents involve fire;
7,816 metal thefts were recorded in France in 2015;
67% of companies were affected by cyber events in 2018.
Corporate security: what do the regulations say?
The Standard
Unlike safety, corporate security is not yet standardized... but this is set to change very soon with the ISO 22342 draft management standard on security planning.
The Labor Code
The French Labor Code provides a framework for the measures companies must implement as part of their obligation to ensure the safety and security of their employees (article L. 4121-1).
The Penal Code
If an employer fails to respect his duty to protect by failing to comply with the safety and security rules laid down in the French Labor Code, and this failure causes harm, he may be liable to criminal penalties (fines and imprisonment).
For Seveso sites
Regulations concerning the protection of Seveso-classified sites are more precise, notably with the July 18, 2016 agreement on health, improved working conditions, safety and security, which addresses the notion of a "safety file" that all external companies providing services on Seveso-classified sites will have to provide.
In the case of cyber attacks
To meet this challenge, regulations have set up an organization grouping together operators of vital importance (OIV), both private and public.
These are operators whose activities, in the event of a cyber-attack, could endanger the population or paralyze France (e.g. health, water, electricity and gas, food, hydrocarbons, transport, telecommunications, industry, finance, nuclear, etc.).
If a company is classified as an OIV, it is informed by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), and must therefore meet its obligations in terms of IT security.
In addition, article 22 of the French military programming law (law no. 2013-1168 of December 18, 2013) requires OIVs to strengthen the security of the critical information systems they operate: vital information systems (SIIV).
Faced with the multiple threats of malicious acts, it is becoming increasingly important for companies to anticipate and control these risks in order to limit their consequences. In the same way as for safety, companies need to set up an organization to prevent corporate security risks.