How To Define Threats

Dec 1, 2002 12:00 PM, By E. ALAN PLATT

Twenty years ago, security often meant a small office headed by a retired police officer or FBI agent, staffed with a half dozen moderately trained security personnel. Security concerns often ranged from walking the halls at night, to escorting vagrants and trespassers and dismissing employees from the building. A job in corporate security was often a post-retirement second income, a reward for surviving a tour as a crime-fighter, or a fallback career for those who could not cut it in a more challenging career. That is no longer the case.

Today, we must not only be prepared for security breaches from outside the company, we must also be prepared for potential security problems from unhappy employees inside the company. With 3,300 different jurisdictions including the federal government, doing thorough background checks is difficult at best.

From cyber-crime to global terrorism, industrial espionage to professional kidnapping, the challenges to a company's security have been redefined. Top-notch corporate security is no longer viewed as an expense, but as a necessity — a cost-saving, asset-preserving investment that needs to be reviewed on an on-going basis. Everyone who has access to company facilities should be thoroughly evaluated. That includes line personnel as well as outside contractors who often are seen but not noticed.

Today's security personnel must be able to look for indicators that will prevent security problems from arising before they occur. They must also be prepared for the unexpected. No one could have foreseen Sept. 11. Today, no scenario, no matter how farfetched, should be overlooked. That's particularly important for publicly traded companies whose shareholders demand that the management protects their assets. Those assets include personnel, facilities, inventories and much more.

Today's publicly-traded global corporations face a wide-range of issues. Among them are:

• Duty of care — an employer's responsibility to provide a safe work environment;

• Exposure to litigation — an increased number of legal actions being brought against global corporations;

• Business continuity — keeping facilities up and running during times of strife. An ongoing flow of timely communications is a key element in maintaining business continuity;

• Protection of shareholder interests — as publicly-traded companies, global corporations must meet their production goals, be good corporate citizens, and provide employees and ex-pats with a positive work environment; and

• On-site management — with many HR and security departments managing global operations from corporate headquarters in the United States, the need for on-site security expertise is an economic necessity.

For those companies that rely on overseas manufacturing, expatriate employees on-site, nation-hopping executives and international partnerships, global security issues can be critical to the success or failure of the companies. Boards of directors should ask themselves the following questions:

Does my company have a program in place that will:

• turn information into knowledge?

• analyze and flag the knowledge?

• provide an actionable response to the knowledge?

• ensure the protection and security of valued company assets?

Has my company thought out, and instituted, policy on what it would do if:

• IT infrastructure were sabotaged?

• a globetrotting executive were kidnapped for ransom?

• offshore factories were shut down because of local natural disasters or civil unrest?

• local offices were lost to fires or terrorism?

Does my company have a rapid response drill that ensures:

• safe and rapid evacuation of personnel?

• protection of valuable corporate assets (cash, documents, software, etc.)?

• a predetermined site for regrouping, head counts, and reestablishing chain of command?

• A means to maintain communications between the affected site and corporate headquarters?

• written and distributed checklists delineating each individual's role and/or responsibility in times of crises?

• clear understanding of the new chain of command if any individual is lost due to a crisis?

• regularly scheduled crisis drills (at least once a year) to keep security plans updated?

Does my company have contingency plans for:

• the death or infirmity of each office or plant manager?

• loss or corruption of on-site electronic data or corporate records?

• interruptions in communication?

• kidnappings for ransom of employees?

Does my company practice, review and revise its security contingency plans to ensure effectiveness of implementation?

Does my company undergo regularly updated risk assessments by outsourced experts to ensure the company's plans are keeping up with its ever-evolving challenges?

A proper risk assessment has three components: threat analysis, evaluation of probability, and mitigating strategy. To explain a risk assessment, a useful visual is the shark — deadly, silent, an efficient and powerful engine of destruction, but only for those who venture into the water.

Under “threat analysis,” we can all agree that venturing within the shark's reach could be devastating. Under “evaluation of probability,” we can determine that a company that functions exclusively on dry land is most likely unaffected by the shark's existence, while a company involving underwater diving would be exposed to danger. Under “mitigating strategy,” a company would develop and post a plan to avoid or reduce shark-related risks, if any.

A proper risk analysis should be followed up with the development of an Emergency Response Plan (ERP). What makes an effective ERP? Based on our experience, there are three main elements of a good ERP: a contingency evacuation plan, a physical security site survey and a business continuity plan (off-site crisis center).

The contingency evacuation plan is a customized plan written for the client by a security specialist that covers all concerns and considerations that need to be addressed prior to a crisis, in order to get the client's employees to a designated point of departure with a minimum of risk, panic or injury. Savvy security directors are re-evaluating their security needs to include developing an emergency response plan that takes into consideration reliable communications, intelligence and rumor control, crisis management, evacuation logistics including transportation to embarkation points, aircraft and airport facilities, and local resources, contacts and pre-positioned materials.

No matter where a company does business, it is necessary to have the kind of in-depth information that will allow operating teams to make informed decisions. That information can be best obtained by company executives visiting each country in question and retaining the services of a security assistance company that has had on-the-ground experience in that country.

One of the results of Sept. 11 was a re-examination of how companies do business. Many companies did not have a continuity component in place and had to scramble for real estate to continue/reopen their business operations.

Then there were the companies that planned ahead. For example, immediately after Sept. 11, a spokesperson for a major German banking company whose offices were destroyed in the WTC disaster, mentioned that he had often wondered why the bank had been leasing an empty warehouse in New Jersey. “Now I know,” was his comment when a television news crew visited the once empty facility and did a segment on how that company was effectively doing business again, only days after the disaster.

In a recent survey of HR executives, published in Crain's New York Business magazine, the effects of post-Sept. 11 trauma appear to be quite severe. Expectations, or evidence, of lower employee morale was reported by 34 percent of respondents, 25 percent cited lower productivity, and 19 percent saw increased absenteeism.

As responsibilities increase, and the nature of the challenges evolve, the demarcations of corporate responsibilities are rapidly blurring. Finance, information, human resources, purchasing and security all have a stake in creating and maintaining the best possible risk aversion and crisis response plans. They must develop a robust partnership of integrated team leadership and coordination.

E. Alan Platt is vice president, Global Security and Intelligence, International SOS, Philadelphia.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue