At a time when security issues should dominate every Board of Directors’ agenda, research suggests that very few client organisations encourage the security director to sit at the top table and voice their opinions. As Richard Culver explains, the importance for any blue chip organisation of having a vested interest in security – and demonstrating that at the highest level – cannot be overstated. Indeed, it is crucial in the eyes of employees and investors.

Hype or hyperbole? Hardly a week passes by without an official exhortation to companies to pay more attention to security, and to mitigate the terrorist threat. Even so, the topic only appeared for the first time at last year’s Confederation of British Industry Conference when the subject of terrorism was deemed so important that a KeyNote Address on the topic by MI5 director general Eliza Manningham-Buller grabbed the headlines.

Currently, there are huge inconsistencies in the corporate world’s attitude, awareness and reaction to the need for increased security and appropriate levels of crisis management capability. Some commentators feel that the security industry is at fault for exaggerating the threat in order to protect steadily increasing and often (as in the case of armed protection) overpriced services. There’s also the feeling that revenue streams are being closely guarded.

That said, a recent survey of 500 British companies (all of those questioned being members of the Institute of Directors) highlighted that nearly 25% spend virtually nothing on security. This same survey showed that, while company directors take security pretty seriously, and agree that more needs to be done, a startling 49% of those businesses surveyed have no contingency plans in place to help them cope with crisis events. Appalling.

Why wait for an incident?

Clearly, there is a requirement for balance, and this highlights the often reactionary ‘trending’ that dominates investment and attitudes to corporate security and crisis management.

Typically, security and crisis management are at the top of the agenda in the wake of major incidents – be that an act of terror affecting companies globally or a more localised event impacting on a company’s reputation (faulty products being a good example). Events such as the Madrid train bombings – and, more recently, the suicide car bomb in Qatar – merely refocus attention on security issues, and serve to reinforce the vulnerability of many potential targets.

However, the passage of time tends to reduce concerns until the next major event. Unfortunately, this often results in the need for a costly retro-fit of security measures rather than a more cost-effective and concurrent approach to security risk management. Security and crisis management should therefore be viewed as business enablers and as a function of business continuity, not merely as an impact on the bottom line.

Whether one believes that the world is a more dangerous place in the post-9/11 era is, fundamentally, a moot point. However, in a time of ever-changing environments and threats this issue can be expressed in another way. What is the cost to the corporation of doing nothing to adapt and prepare for the contemporary threat environment? It is widely accepted that the demands of stakeholders (employees, families, regulatory bodies, shareholders and insurers, to name but a few) are evolving, with corporations and their executives now expected to be fully committed to risk mitigation and the effective management of crises.

Therefore, in an effort to – statistically – answer the question regarding the cost of doing nothing, surveys conducted by the London Chamber of Commerce show that nearly half of those companies experiencing a security (or some other form of) crisis event never recover. 90% of those businesses that lose valuable data as a result of such a disaster close within two years.

The Duty of Care

Risk mitigation and crisis response require a system of management that has an effective security champion, sufficient managerial support, adequate budgeting and quantifiable results. In addition, with regard to the external environment, employers have to demonstrate a clear Duty of Care with respect to the management of risk to personnel and assets.

Alas, Duty of Care and how it should be fulfilled is not yet truly definable, either from an empirical, ethical or legal standpoint. That said, in an effort to provide a practical benchmark for the reduction of liability and the fulfilment of Duty of Care, it’s suggested that in the aftermath of a major security event two important questions will be directed at the senior management and the company’s Board of Directors:

  • could the possibility of such an occurrence be foreseen, and were reasonable precautions taken to prevent such an incident from occurring in the first instance?
  • was the company prepared to respond with proper protective actions for its people?

If the answer to both of these questions is ‘No’, then the corporation must be able to demonstrate why not. And the answer ought to be based on sound threat and vulnerability assessments.

Following a recent Court case involving a French naval shipbuilding company, it’s readily apparent that mainland European countries are much more aware of their responsibilities relating to Duty of Care.


Nine of the French firm’s employees, all of them French nationals, were killed when a bomb destroyed the bus in which they were travelling to work on secondment in Karachi. In Court, the company concerned was found to have failed to adequately assess – and prepare for – the risks faced by its overseas employees. In the end, the Court found that the consequences were “foreseeable”.

In light of the ongoing liability exposure faced by corporations operating in the global market, out-of-Court settlements are occurring on an increasing basis wherein corporations are avoiding the possibility of being subject to legal precedent and case law.

One exception was the case of four American employees of a large oil company who were murdered while on business in Pakistan. The bereaved families brought a multi-million dollar action against the company, alleging that there was no pressing reason why the employees should have been sent to Pakistan at a time of strong anti-American sentiment, and also that it had not provided the required level of security once the employees were inside Karachi.

The Jury found that the murders were unforeseeable, and that the company had provided reasonable security. The Jury heard evidence that the company had employed a specialist private risk management consulting group to advise on security in Pakistan.

Mitigation through avoidance

The case clearly illustrates that it is essential for employers to take precautionary measures, and to ensure that employees have been fully prepared – both individually and collectively – to mitigate risk through avoidance and effective response. Direction must come from the top down. Similarly, there must be governance, policies and procedures in place at the Home Office to assist employees should a threat source or capability be realised.

Evidently, these plans should be developed by the company security director and discussed – or, at the very least, endorsed – at Board level, with a commitment to action through constant review. All too often, company Boards view security as a function that drains further on the bottom line rather than as a business enabler and continuity tool that ultimately protects it.

These are but a few examples. The range of crises that can affect a company spans serious injury or death to employees or dependents, serious and credible threats to property and key assets, the potential for substantial loss, the possible impact of legal action, harm to the environment and terrorism. Any one of these can do immeasurable damage to a company’s ability to continue operating.

Given the financial and human impacts of security crises, executives responsible for managing all of the risks for their organisations are increasingly being faced with a host of new challenges. Corporations based in Australia and Egypt have recently been subject to litigation prompted by accusations of failure in their Duty of Care. The consistent message in all of those actions is that any failure to plan will result in culpability, with out-of-Court settlements at the very least. Even then, the damage to a company’s reputation may be severe.

All of this is avoidable given proper planning, investment and commitment. Such endeavours should be enshrined in corporate security policy and governance, and endorsed at least at the Executive Committee level. Again, it is suggested that all organisations need to be prepared for the effect of crisis events regardless of the cause, as the organisation’s crisis management capability will be enabled at some point (either through training or as a result of practical need).

In such circumstances, decisions are made quickly. The wrong decision can undermine a company’s value and, in the very worst case, endanger people’s lives.

An organisation’s preparedness to respond to incidents like those listed is often measured by the speed and effectiveness of that response. Failure to act quickly can precipitate further crises. Speed and effectiveness will both be increased by the employment of a dedicated security professional.

Monitor the risks faced

What, then, do companies’ Boards of Directors need to be thinking about?

First of all, they must comprehend – and monitor – the risks they face. This entails an understanding of the intent and capability of threat sources, and thus the ability to prioritise the measures required to mitigate the same. This will then enable the cost-effective implementation of a security plan designed to protect the organisation’s assets, as well as enabling the management of crises in accordance with the company’s priorities.


In other words, the protection of:

  • employees from death or injury;
  • property and assets from damage and destruction;
  • reputation (both locally and nationally);
  • the local population and the environment.

Any crisis management plan should not create a separate communications plan. Instead, it ought to be built around the existing organisational structure and information flows so that the employees are familiar and comfortable with the crisis management team’s structure.

Lastly, a plan is only as good as the people trained to use it. Annual training and testing should be a feature of the crisis management plan and built into the budget. This should not only be theory-based, introducing all managers to crisis management doctrines and procedures, but should also include scenario-based crisis simulations.

Simulations offer a medium to put theory into practice, ensuring that managers have the opportunity to rehearse their response to a realistic crisis that may impact upon the company at some point in the future. Such exercises ensure the readiness of the crisis management teams, and provide the opportunity to incrementally improve crisis management practices and procedures.

Despite their high profile, terror attacks are relatively rare in this country. Even so, companies may have to contend with bomb threats, suspect items being sent through the mail (‘Affecting deliveries’, SMT, December 2004, pp23-24) and e-attacks on vital information or communication systems designed to cause disruption and economic damage. This being so, there are obvious reasons why companies should plan to avoid such threats or minimise their impact.

Businesses should ensure that they are able to cope with an incident or attack and return to normality as soon as possible. If organisations do not plan adequately they may well find themselves paying much higher insurance premiums or, at the other end of the scale, being unable to arrange cover. Conversely, comprehensive crisis management plans and risk management methodologies can actually lead to a reduction in insurance premiums.

Where should security sit?

Where should the security professional sit in the corporate hierarchy? In the Human Resources Department alongside Health and Safety professionals? As a stand-alone unit reporting to the Executive Committee or directly to the Board? As part of the risk management team? Or should the post of security manager be a Board level position reporting directly to the chief executive?

Many of the multinational oil and gas companies – as well as those organisations operating in the pharmaceuticals industry – position their head of security at vice-president level as a member of the Executive Committee.

However, of the respondents to a recent Confederation of British Industry survey, just 7% hold the title of ‘director of security’. 19% were listed as ‘other director’ and 24% ‘manager of security’ or ‘head of security’.

Surely now’s the time for every blue chip company to populate its Board of Directors with a security professional? In this way, security will always be on the agenda, and perhaps a little more will end up being allocated to the discipline when it’s time for the annual budgets to be decided.

The ‘fit’ companies are those who take security seriously, rather than wait until an incident occurs and then try to do something about it by way of remedial action.

By then, of course, it may well be too late.