Organisational resilience in practice
Steve Munden and Steve Taylor, of the Perimeter Security Suppliers Association, argue for an holistic approach to organisational resilience at both strategic and operational levels.
Risk does not only come in an external physical or cyber form. Vulnerabilities can be hidden, buried within the processes of the business itself, posing a real threat to security as well as to the profit line. Becoming more resilient enables an organisation to cope with the unexpected and adapt to change through the management of safety, security and sustainability, together with product and process innovation. This allows the business to manage risks and exploit opportunities, ensuring survival and growth.
Terrorists and criminals look at the whole opportunity and then pick the weakest spot to exploit. Security systems are apt to be driven by compliance obligations, leaving some possibly more significant areas unattended, perhaps because attention and budgets only stretch to a list of specific must-haves. Added to this, the supply chain is fragmented and works against a ‘whole solution’ approach. But take away or weaken any one element and you weaken the whole business system.
It is vital, therefore, when considering security in particular, to have clearly defined governance, risk, compliance and assurance structures. Every organisation (and its directors) has a moral and legal duty of care to protect itself, its staff and others from harm and loss. Businesses on all sides of the security industry are in danger of focusing so much on external physical or cyber threats that they overlook their internal organisational resilience. If the latter is vulnerable or inadequate, safeguards are weakened because the overall organisational system and overview is poor. Sadly, some rely on ISO 9001, thinking they are adequately covered, but there are many examples where ISO 9001 has not been helpful in ensuring robust product specification, testing and conformance to requirements. Unfortunately, it is still not uncommon to find even large ISO 9001 certified companies whose ‘quality management system’ is not an active part of the management of the business.
However, with so many regulations, standards and advisory documents available, businesses often choose to ignore what could be the most economical way to protect their company.
Use one of the simplest keys to addressing terrorist threats
Companies often do not realise that the strongest and simplest tools they have access to are Standards. Using Standards to achieve security objectives and business resilience makes the same good sense in addressing terrorist threats, as it does in mitigating health and safety hazards, environmental impacts or ensuring customer satisfaction through high quality products and services. Sometimes it takes a little insight and patience to drill down into the Standards to understand how to achieve their requirements. By doing so, however, businesses of all sizes can meet the expectations of clients and have an edge on competitors. This is an important consideration for anyone working in security. The effort is worth it though, since the management framework and foundations of the business are strengthened and capabilities increased.
No need to overdo it
Clearly, selection of the right standards, using a ‘no more than necessary’ approach, allows companies to evaluate what is best for them and saves money through a structured methodology and efficient use of resources. This can be a difficult job for those with limited resources and capabilities, such as SMEs, although it is also fair to say that even larger organisations structured by functions, product groups or market sectors are often unable to piece together an holistic solution.
Add to this a general lack of knowledge and understanding across the industry (or, at best, knowledge confined to a specific point-solution area), plus the multiplicity of ICT systems and the constant need to keep abreast of updates, and it is no wonder many companies shy away from what could actually be their company’s strongest and most straightforward asset in underpinning their organisational resilience.
That is why many businesses choose to use temporary contracted help or outsourced services, on the basis that it is more cost-effective than spending time in-house where the expertise is lacking and the subject can be a minefield.
Simple models, like the one here, can help to understand complex environments – but they cannot be taken to be accurate representations of reality.
Some key steps in moving from risk to resilience:
Context – understanding your surroundings, be they a hostile, complex overseas environment or the business environment in which your company trades. This is essential if costly and preventable incidents are to be avoided and new risks or opportunities are not to be missed.
Governance – establishing clear policies, processes and procedures to ensure that appropriate controls are in place, risks are managed and people know exactly what to do if an incident does occur.
Compliance – being alert to new or changing legal requirements so that the business is not exposed to non-compliance, and ensuring that the business’s policies, processes and procedures are changed to prevent that exposure. It also means keeping up to date with changing market and industry standards, which governments sometimes use for the practical implementation of legal requirements, and implementing their provisions, which can be used as a defence in law if a case is brought.
Assurance – at the business level, ensuring that controls for safety, security, sustainability, etc. have been adequately applied at operational level and that strategic risks have been adequately managed.
Operational deployment – ensuring that operations are adequately prepared and resourced, and have the capabilities, capacity and competences needed to ensure the safety of staff ‘on the ground’ and adequate protection of property, both physical and virtual.
Practical for your people
What is also important to recognise is accountability. Is the strategic direction of management clearly understood at an operational level and, reciprocally, are actions taken ‘on the ground’ reflecting the company’s objectives and ensuring appropriate representation, thereby protecting reputation and profits?
Take an example where an employee is deployed abroad and enters a country without a travel risk assessment having been conducted. Whether it be the inconvenience of theft, a lost passport or, worse still, being caught up in a terrorist incident, the ramifications for the management team and the mayhem of trying to manage the situation remotely could easily be mitigated through a set of pre-deployment considerations documented in policy and procedure and enforced by management, taking into account the ‘what ifs’ and ‘actions on’, perhaps with some pre-deployment security awareness training and maybe the consideration of a tracking app. All of this would cover compliance and legal responsibilities, build confidence within the organisation in having a robust structure to support overseas workers, and foster a culture of ‘security risk awareness’, thus creating all-round better organisational resilience.
Nowadays the terrorist threat isn’t just confined to the complex environments where the rule of law may have broken down; it is on our doorstep and imminent! The responsibility of business owners means taking their heads out of the sand and away from the ‘it won’t happen to us’ mantra, to being accountable and committed to creating a safe working environment and an organised, resilient structure. Culpability can be alleviated through a management framework that is actionable and actually used. It’s great having the certificate on the wall and ticking the box, but when disaster strikes can you answer the question when asked, “Were your policies and procedures followed and enforced?”
What the future holds
In the UK and Europe, governments are looking at what regulations, standards and compliance structures are needed for security, but will they be timely and robust enough to stop evolving terrorist attacks? Standards still do not exist for many products, leaving buyers vulnerable. Also, few test criteria are recognised and conformity assessment is patchy.
But whatever is decided at governmental level, businesses should make sure they protect themselves and their enterprise by keeping up to date with developments. Standards can play a vital part, but robust security management and operational deployment, backed up by intelligent use of specialist assurance, both internal and independent, can provide a roadmap from risk to resilience.