- Corporate Security
- Governance, Risk and Compliance
- Information Security
Governance, Risk and Compliance
By Debbie Wang Modified January 16, 2019
Corporate security teams are a critical part of ensuring that employees feel safe when they come to work. If you walk into almost any office building, there’s probably a security guard on duty acting as the first line of defense in case of an incident, that is unless they are making rounds (more on that later). But there are also many larger scale risks with huge impacts that corporate security teams need to be aware of that most other employees don’t tend to think about on a day-to-day basis – which is a good thing. As we like to say about security teams, you know you’re doing a good job when no one knows that you’ve done your job.
The top 4 risks that affect security teams are: sabotage and vandalism; kidnapping, ransom and extortion; protests and direct action; and terrorist incidents. Let’s take a closer look at these 4 risks and how security teams can prepare for and mitigate them if an incident were to occur.
Vandalism to your organization’s property can range from minor incidents to major damage that can be costly to fix. It can also cause interruption to your regular business operations resulting in lost sales. Making rounds and conducting regular security inspections of the physical premises and also any property allows security teams to quickly identify the incident and respond accordingly.
The Government of Canada recommends that the control strategy for vandalism should have four phases: protect, detect, respond, and recover. Your first line of defense should always be to protect the premise. These barriers help to delay the act of vandalism. If you were unable to successfully protect the property, detect the issue and respond accordingly. Finally, if all else fails, recover or replace the stolen or damaged property.
When it comes to vandalism and sabotage, it’s best to act as quickly as possible and to communicate the extent of the damage to the right people. How to address vandalism should always be part of a security team’s policies and procedures.
According to the Bureau of Consular Affairs at the U.S. State Department, 60 to 70% of overseas kidnapping of U.S. citizens goes unreported. Economic and political instability around the world can make it risky for corporate employees travelling on business to unfamiliar cities. Failure to safeguard an organization’s employees from KRE and hostage situations can lead to potential worst-case scenarios.
Some preventative measures that security teams can take in case of KRE is to keep the schedule and agenda of the person traveling on a need-to-know basis. On top of limiting access to the itinerary, Risk Management Magazine also recommends performing a risk review before travelling, becoming familiar with any “hot spots”, staying in the company of people you trust, and to not deviate too much from the itinerary without letting someone know first.
It may also be a good idea to have an insurance policy that covers KRE situations as these policies can cover the cost of services from an experienced crisis management team, including those who are most qualified to negotiate with the hostile party.
If one of your employees does become a victim in a KRE situation, the early hours are critical in determining all the facts of the situation. According to Security Magazine, the communicator you select to engage with the captor should be able to influence the hostile party while avoiding confrontation. The communicator needs to then determine what is the financial criteria for the safe release of the victim. The initial counteroffer should never be made until there is proof of life. Other stakeholders that should be involved in various capacities are law enforcement, government officials, the victim’s family, and potentially, the media.
Recently, there has been a global movement where we’ve seen increases in protests, rallies, mass public gatherings, and direct action. Protesters are a difficult challenge for security teams because it is difficult to gauge whether a peaceful protest will spiral out of control and turn into a more violent situation, putting you and people inside your building at risk.
If your team is aware of a planned protest, collaborate with local law enforcement to find out the details of where and when the protest is taking place and whether you will need to increase security presence on that day. Set your team up for success by double checking that all security cameras and CCTVs are working properly and test your security procedures on a regular basis so that there are no major surprises if there is an unplanned protest.
Security teams should communicate their larger plans with the organization and guidelines for employees on how to stay safe, that may include recommending employees do not come to the office that day and avoiding the surrounding area if possible if there is concern for their safety. If employees still plan on coming into the office, provide clear instructions on what to do in the case of an evacuation or lock down.
No two protests are the same. But having security procedures in place and making everyone in the organization aware of them is the first step to mitigating the threats of a protest and minimizing disruption to the business.
No security team can ever be completely prepared for a terrorist incident. In these situations, it is crucial to determine what is an immediate threat to your organization and what has a high probability of escalation. Similar to how security teams should respond and prepare for protests, there should be a clear security protocol that is communicated to the entire organization in case of an evacuation or lock down. All employees should be aware of these procedures and know how to communicate back to the security team or organization that they are safe.
Security teams need to communicate clearly with local authorities and work closely with law enforcement to ensure the safety of all employees, where the first step should be to secure all entry and exit points or points of weakness. Failure to do so can lead to potentially catastrophic end results, much more than just loss of revenue and business interruption.
One general strategy that security teams can take to help prevent and respond to these four risks is the principle of 5D1R, which is outlined in Marko Cabric’s book, Corporate Security Management: Challenges, Risks, and Strategies. The functions of this principle are: deter, detect, deny, delay, defend, and recover. While this strategy may not work perfectly for every incident that might occur because of these risks, it is a good place to start.
Resolver’s risk management software helps risk managers and owners easily manage their risk environment by adding, updating and describing risks that could impact the organization’s goals.