During the Asian Professional Security Association 22nd International Annual Conference, held in Shenzhen, China last October, the J.D & Associates Managing Director was invited as a subject matter expert and keynote speaker to share his knowledge from European operations with Asian Chapter Directors from China, Hong Kong, Macau, Japan, Malaysia, Singapore, Philippines and Indonesia. The original lecture, under the title “RISK MANAGEMENT IN THE MODERN BUSINESS WORLD”, is presented below:
Our world is rapidly changing and has become more challenging than ever before. There are changes in the way work is accomplished that affect the ability to protect corporate assets. Operating within a global business environment with elements of a virtual workforce can create problems not experienced in the past.
2.NEW WORLD & MODERN CORPORATIONS
Understanding this global environment is vitally important, because those responsible for the protection of corporate assets (the managers, all employees and their Corporate Security Department and staff) are often too busy deep down in the trenches trying to just get the job done. They fail to look over the top of the trenches once in a while and see where the “enemies” are and what they are doing.
In today’s global marketplace environment, one must also understand the trends, incidents and changes in the world and their impact on assets protection. Today more than ever, what happens at the other end of the world can cause an assets protection crisis throughout your corporation, often in a matter of seconds.
Those who are responsible for the protection of corporate assets and everyone else in the corporation are in this together; everyone must know, accept the responsibility and act accordingly.
We usually spend so much time in reactive mode dealing with the daily tasks, crises, office politics and our jobs, that we fail to see what affects our working world. We fail to see that what is happening a world away today will have an effect (usually adverse) on our ability to protect corporate assets tomorrow.
Planning for possible adverse events will affect our ability to protect corporate assets a day, a week or even a year or two from now. When we are not prepared, we do not have adequate contingency plans in place. Consequently, we react to problems in a crisis mode. When reacting in a crisis mode we can’t provide assets protection as quickly, as efficiently and as effectively as would have been the case if we were prepared in advance for the events that have taken place.
Today’s corporate employees must be able to understand and work in a global, fast-paced, high technology environment. The world is changing and it seems to be changing faster and faster. Each passing year has seen important changes like:
- The end of the Cold War
- A New World order in which the new competition is for global market share and pursuit of a market advantage
- Higher profile of global hackers, terrorists & espionage agents
- Theft of corporate information and the use of the Internet to conduct “netspionage” (network-enabled espionage) by techno-spies, netspionage agents and information brokers
- E-commerce or e-business is a growing part of modern business
- In the more modern nation-states, there is a shift from manual labor to “brain power”
- High technology & the Internet
One can compare high technology to the gun. It can be used as a tool to steal, assault and kill. It can also be used as a tool to protect or to provide food or as a hobby. It should be no surprise to see computers being used for fraud and other crimes and also as a tool to make our lives better and to defend our assets. To be successful and safe in this information age you must have at least general knowledge of:
- Various types of high technology
- How your corporation uses technology
- Threats, vulnerabilities and weaknesses of that high technology
- Reliability issues with its use
- Fallback positions when high technology devices or programs are compromised or just fail.
The Internet is having a major impact in our world and it is something that you must become intimately familiar with, as your corporation uses it for business marketing, financial transactions, communications, posting sensitive information on corporate web sites and so on. The “information age” has been the era with the most explosive growth in human knowledge. More has been discovered in the past 50 years in both science and engineering than in the thousands of years of recorded human history.
A fact of supreme importance is that the Web is truly global in scope. Physical borders as well as geographical distances are almost meaningless in cyberspace. A distant target is as easily attacked as a local one! Knowledge of information systems security (InfoSec) has been growing over the years. However, most InfoSec practitioners seem to come primarily from an IT and not a security background. Therefore they are not trained in many of the human aspects of security, such as criminal motivations.
As we consider the potential for criminal actions directed against corporations, it is critically important to consider these factors. The same information technology we use to manage our corporate projects can well be used by savvy Internet robbers.
Due to the adverse publicity and the prospect of the lengthy criminal justice process, even those businesses and government agencies that have been victimized by Internet robbers frequently do not report such incidents to the proper authorities. Here is a critical question:
– Do you believe that your corporation is adequately protected? How do you know?
Your global competitors are at war with you and they aren’t taking prisoners. Some will use any means at their disposal, including stealing or compromising the valuable assets of your corporation to gain that competitive advantage. Many are doing so with the backing of their government.
3.THREATS TO CORPORATE ASSETS
Corporations are in business to make profits. Corporate Assets Protection is meaningless unless corporations can compete in the global marketplace. But which are those assets?
Corporate Assets are those assets (personnel, money, equipment, and supplies) that support the ability of a corporation to conduct business for profit.
Threats to corporate assets can take many forms and are limited only by the imagination of the attacker. There are 2 basic types of threats:
a) Natural threats (fires, floods, earthquakes, winds, hurricanes etc)
b) Manmade threats (fire by arson, accidental or intentional damage, unauthorized information modification, thefts etc)
The working environment plays a significant role when you want to identify what constitutes a threat for your corporation. When a corporation is having financial difficulty in maintaining its competitive edge, usually the first cost-cutting is done by decreasing the number of corporate employees. When employees are given notice that they will be downsized, fired, laid off, or otherwise let go, there is a shock. After that, there is often the attitude of “get even” (disgruntled employee).
Attacks by people against corporate assets require 3 things:
c) Rationalization (one needs an excuse to act)
With regard to the motivation of attackers and potential threat agents, criminologists and others have had theories for years as to why people commit crimes and the types of attackers you might encounter in the modern business world:
- Revenge for not getting a promotion
- Furthering a political agenda
- Greed (wanting material wealth)
- Economic pressures
Types of attackers you might encounter:
- Organized crime
- Political activists
- People in debt
- Outside auditors
- Industrial espionage agents
- Vendors & suppliers
- Business partners
- Foreign government agents
4.RISK MANAGEMENT IN DAILY ROUTINE
There has been a need for security in one form or another ever since someone wanted to take something of value away from its owner. If the owners were not capable of protecting the item of value, they would hire someone who was willing, for some form of compensation, to protect it for them. This historically was a guard, a night watchman; however, the protection of assets gradually became the highly specialized profession it is today. The need for security coverage and successful risk management is rapidly growing, and security experts must always be flexible and capable of providing quality and smart solutions.
We must be ready to respond to complicated client requests that most likely will include a variety of security measures, on-site evaluations, and specialized personnel training to achieve a decent level of protection.
With that said, we must consider some key security elements to perform, succeed and survive. Successful companies learn and change to maintain their competitive edge in the marketplace. The security professionals who protect them must do the same: they must be learners. If they are not, their efficiency and effectiveness will eventually degrade. Problem elimination and risk mitigation require planning and an understanding of security needs, conditions, threats and vulnerabilities.
Physical security is the most fundamental aspect of protection. It is the use of physical controls to protect the premises, site, facility, building or other physical assets belonging to the corporation. It is also the process of using layers of physical protective measures to prevent unauthorized access, harm or destruction of property.
In general, physical security includes protection of:
- Buildings & offices
The majority of corporations focus on security measures to safeguard their property and facilities thus creating security gaps in other important assets till the day that something unusual or unexpected occurs.
This is unfortunately the decision day; this will be the reason for the Management to start taking security more seriously. We must consult them and be alert in order to detect vulnerabilities and potential risks before threat agents take action.
In essence, we must always be one step ahead, not once in a lifetime but constantly, from routine and daily functions to the upcoming corporate events and the implementation of future business plans. Consequently, the use of a risk management expert has become more necessary than ever.
5.ELEMENTS OF EFFECTIVE CORPORATE ASSETS PROTECTION
This is the point where we get into the equation. Besides physical security, we must be able to recommend to our clients solutions for:
- Prevention of workplace violence
- Corporate Events Security
- Information Assurance
- Executive Protection & Travel Security
- Contingency Planning & Crisis Management
- Security Awareness Training (basic & advanced)
6.PREVENTION OF WORKPLACE VIOLENCE
The success of a corporation depends on the performance of capable and trustworthy employees operating in a safe and secure environment. Having a pre-employment background investigation process improves the odds that trustworthy people will be hired.
Workplace violence can be perpetrated by employees, visitors, customers or those who choose to engage in criminal behavior. It is not limited to acts of physical violence – threats of violence or the fear that one may be subjected to violence, are also forms of violence.
Companies, for the sake of all employees and all stakeholders, have an obligation to deal with this phenomenon. You need to have in place a policy concerning the prevention of workplace violence – this is a zero tolerance policy. Any violation will lead to the termination of employment for the violator.
7.CORPORATE EVENTS SECURITY
We must also discuss the major concerns associated with providing security during special events. Many companies, particularly publicly held ones, are involved in high-profile events like:
- Annual shareholder meetings
- Trade shows
- New product introduction events etc
During these events protection of personnel, information and physical assets can become very complicated, particularly when they occur in a foreign environment.
Some are held in high-profile locations, in major convention centers, in large cities, while others are not held in international venues.
What is common? Very simple: Large numbers of people converging on a single site with local and national Media often involved.
For the event to be successful, interruptions MUST be prevented! And this is a key task! Advance work, pre-event planning coordinations and physical security controls are some of the basic duties of the Corporate Security Manager. Moreover, he or she must identify the need for executive protection and prepare for likely contingencies.
Last but not least, protecting information systems (e.g. computers, cellular phones, tablets etc) at a special event is just as important as protecting these systems in the work environment. At special events there is generally so much activity and movement of people that it is easy to lose control of information systems and sensitive information as well.
The loss or theft of information critical to a corporation’s products, methods or processes may be devastating. The consequences of not properly classifying corporate information could lead to the loss of that information and thus the competitive advantage and profits.
We are talking about business information and the protection from attacks and organized industrial espionage efforts. There must be a formal program to protect business sensitive information.
That information is considered vital to the corporation and must be protected at a level relative to its importance, regardless of the environment or the form that the information takes (hard copy, voice, pictorial, zeroes & ones etc).
Business Sensitive information types
- Technical or financial aspects of the corporation
- Business portion description
- Information that provides a competitive edge
- Future direction indicators
- Personal information of employees
The security consultant along with the IT department can work proactively to establish an Information Assurance Program within the corporation, to protect the business information against unauthorized disclosure, transfer, modification or destruction whether accidental or intentional.
9.EXECUTIVE PROTECTION & TRAVEL SECURITY
High-profile executives leading businesses in controversial industries may find themselves potential targets, since they are, or at least they represent, what the leadership of that organization stands for.
Less powerful executives may find themselves at risk too. Threats to executives are a business risk and this makes executive protection part of any company’s risk management effort. The purpose of Executive Protection is to reduce the likelihood of an attack against our executives thus reducing the overall risk of the corporation. An Executive Protection Program is much like earthquake insurance:
“If you don’t have it when you need it, consequences may be disastrous”
3) Street violence
4) Injuries (including workplace violence)
5) Medical emergencies
6) Unexpected events
These are some of the most common threats & risks for corporate executives in their everyday life, but more often than not while they are travelling.
With few exceptions, today’s criminal gangs, whose sole aim is to extort money, monopolise the act of kidnapping prominent foreign business travelers.
Experienced gangs target business travelers visiting the country, as they present themselves as an easier or “soft target” with less “in country” knowledge, back up or support.
In Latin America even the drug cartels are turning to kidnapping as an easier way of supplementing their income.
Some of the global hotspots for kidnapping are:
Due to the rapid expansion of foreign corporations into these places, it is expected that there will be an increasing stream of executives travelling there, inadvertently presenting themselves as soft targets for criminal elements.
The security expert must be able to consult and brief the executives before their departure, so that they can protect themselves effectively should the company take them to similar places.
10.CONTINGENCY PLANNING & CRISIS MANAGEMENT
The traditional role of security in the contingency planning process has been to develop emergency evacuation plans for the business and to respond to emergency or crisis situations. Depending on the size and complexity of a business the process of contingency planning can be quite extensive. The aims of contingency planning must be:
AIMS OF CONTINGENCY PLANNING
- Secure & protect people
- Minimize disruptions to the business
- Secure all information systems that affect supplier connections & customer relationship
Some of the hazards you must include in your contingency plans are:
- Medical emergencies
- Bomb threats
- High winds
- Power interruptions
- Snow & ice
- Storms / blizzards
- Hazardous material issues
- Aircraft crashes
- Civil disorders
- Terrorist threats & criminal attacks
- Workplace violence
- Explosions & tornados
- Corporate espionage
- Financial instability
- Loss of competitive edge & market share
Guidance for all employees on how to react in the event of an emergency and what their individual and collective responsibilities are, must be documented and distributed to avoid confusion or uncertainty.
Emergencies, contingencies, business interruptions and other unplanned events happen. Sometimes the event itself is a crisis, such as a tornado directly striking a building or facility. In other cases an incident not immediately responded to or managed properly at the scene may turn into a crisis.
If the incident escalates, becoming a crisis, it is then necessary to have a different group, a Crisis Management Team, take charge. Each corporation needs a Crisis Management Plan.
A Crisis Management Plan will address the following activities & concerns:
- Crisis Management Teams (CMTs)
- Disaster Operations
- Media relations
- Damage assessment
- After action / post event assessments
Contingency planning may not be a traditional security process, but in today’s global business environment corporate security is assuming a much greater role and responsibility for its implementation. The consequences of not planning for contingencies can be catastrophic with many liability issues.
11.SECURITY AWARENESS TRAINING
The need for Security Education and Awareness Training is of huge importance. An understanding of how to protect corporate assets, and also the motivation to do it, are learned only through internal educational programs, seminars and workshops. For regular employees it could be just a short Security Awareness Training to enable them to participate in the risk management process of the company actively and properly. For security professionals, we must have a more sophisticated and advanced approach to training according to the business environment.
Security professionals and industry associations in a big country like China and in neighboring Asian states must take the lead and start shifting in that direction so others may follow. There are so many corporations, domestic and international ones, that are still wondering how to deal with the risks that were described before. Feel the pulse and be innovative by offering them quality and flexible security solutions, contingency planning and specialized training.
As far as I am concerned, since China and the other Asian states are within my professional interests, I would be more than happy and honored to support all APSA representatives and Chapter Directors to promote quality security services and risk management solutions in their countries and the modern business world.
THIS BLOG ARTICLE IS PROPERTY OF J.D & ASSOCIATES AND MAY NOT BE REPRODUCED, DISTRIBUTED OR UPLOADED PUBLICLY ON THE WEB WITHOUT WRITTEN CONSENT OF THE OWNER.
© 2016 J.D & Associates