Imagine a "Little Britain" scenario where a security manager calls and the conversation goes something like this: "I’ve been worried for some time about the integration of Turnbull, Sarbanes-Oxley and the Combined Code on Corporate Governance with my security risk assessment, particularly as we seem to have fitted some systems, in particular CCTV, without the benefit of an Operational Requirement. My MD has asked whether he will be dragged off a plane on his holiday to Florida and held for trial with the ‘NatWest three’, or the Enron crowd!"
Whilst there is little chance of such a conversation taking place, at some level of this fictitious security manager’s organisation, particularly if it is a listed company, one or more of the board members could be agonising over how to invoke a corporate-wide risk assessment as part of the company’s attention to all the above governance issues, and so avoid any personal repercussions.
In recent years there has been an outpouring of articles charting the increasing importance of ‘corporate governance’. The Smith and Turnbull reports have laid the foundations in the U.K. for what we now know as the ‘Combined Code’. Both reports could be used as ‘levers’ during a presentation arguing why a security-inclined risk assessment should be an integral part of a ‘top to toe’ audit of the more traditional area of internal control, or of the assessment of the risks of embarking on certain commercial ventures. Unfortunately, though, a board often struggles to link its commercial controls with the work of the security department, however sophisticated that work may be.
‘In the modern era, the role of the security professional is to be an integrator and a strategist, to advise and to maintain an ongoing awareness of the host organisation’s strategic security programme. To be successful, the discipline of security must be at the heart of the company.’ (SMT May 2006:56) Indeed, CBI Director General Sir Digby Jones recently said "Security must be in the DNA of every corporate organisation" (SMT December 2005:7).
2. The Importance of an Integrated Approach
The problem is that in many organisations there is still a dislocation between the outward-facing, commercial activities of a company and its inward-looking security/risk department. That dislocation undermines the standing, and therefore the credibility, of the security department when it talks about such seemingly sophisticated issues in the eyes of the board and senior management.
In many companies security suffers from the ‘second cousin twice removed’ syndrome, where the activities of the security people are often seen as ‘black arts’ or as happening beneath the radar of the intellectual heavyweights who are dealing with the ‘proper’ issues of the business.
‘The overriding lesson to be learned by the Corporate Security Director or Manager is a simple one. Their role is not to enforce security. Rather, it is to use their specialist skills and experience to assist all members of the organisation in making the company’s security regime work. Security is a partnership activity. The need to protect the organisation’s assets, people and operations leaves no room for stovepipe communications or internal empire-building.’ (SMT May 2006:56)
Therefore, the security department has to be inserted at a high level. The role of the Corporate Security Director – when working on risk and strategy issues in an organisation – is to ensure that the project engages senior management and board members, thereby elevating the security personnel and their efforts and placing them firmly on the radar as a department which is not only fundamental to the wellbeing of the company, but one which is more attuned to the management of risk than many board members and has the skills and professionalism to be handling such matters.
‘Large organisations have both the requirement and the budget for a professional head of security. In others, the role may fall to someone who is double or even treble- hatted: the Facilities Manager or the Head of Personnel, for example. At the same time, the guarding function may be hived-off and given to someone with the title of Security Manager but having only the security guarding responsibilities.’ (SMT May 2006: 56)
Inserting the security department at the right level can be a bit of an issue, but there are many ways to engage a board in the more ‘conceptual’ issues of risk and security management. Security has clear implications for corporate governance, since governance issues very much need to be integrated within the areas of operation of a security department. Whilst it has taken a good few years to finally see the light of day (Turnbull reported in 1999), following various papers on risk and internal controls and responses to the proposals from focus and interest groups (i.e. The Institute of Chartered Accountants in England and Wales), there are now in place clearly defined standards and responsibilities for company directors in respect of corporate governance.
The corporate governance issue does (and don’t be swayed in any other direction on this) affect the work we do. Whilst Turnbull, say, more specifically concerns itself with the methodology of how a company manages risk effectively and embeds internal controls in the business processes by which it pursues its objectives, it equally touches on a variety of common security risk issues. It is also important that managers get out of an ‘only downside risk’ mentality. Risk is not only ‘bad things happening’, but also ‘good things not happening’. Companies should see opportunities from focussing on risk and control, rather than purely focussing on controls.
Disjointed, haphazard, piecemeal, ill-thought-out: these are all words which come to mind to describe security projects, despite their costing tens of thousands of pounds. Typically such projects involve disparate systems, CCTV installed without the benefit of an Operational Requirement (OR) being one such example. Organisations are often shocked following an assessment of their current status, and it is no easy task for the Corporate Security Director to soften the blow. Organisations often suffer from ‘empty wall syndrome’, which is the belief that if a wall hasn’t got a camera on it then it needs one! And salesmen take advantage of this naiveté. There is sufficient empirical evidence of inappropriate selling of systems to fill four issues of this magazine. If CCTV systems fell under the auspices of pensions legislation and its mis-selling rules, there would be millions of pounds going back to clients.
When considering the operational requirements of a security system such as CCTV, other issues such as the privacy laws, data protection and the Human Rights Act also need to be considered.
‘Badly sited and/or focused cameras may not be processing that individual and, as such, you would not be processing that individual’s personal data (i.e. image) fairly. This could be construed as a breach of principle one of the Data Protection Act.’ (SMT, May 2006: 51)
In placing the blame, however, it must fall squarely on the client’s shoulders for not being strong enough to resist the ‘box sellers’ and for not defining operational needs. But when we say ‘client’, what do we mean? There are examples from a number of organisations where the CCTV installation was taken completely out of the hands of security and was run by an M & E department, because the issues were ‘too technical’ for the security department. Disturbingly, access control systems are sometimes determined solely by HR departments, and more fool the security manager if he or she lets this happen and becomes excluded from the decision-making process. It can only be a reflection of how they are perceived in the organisation: "security lock doors and recruit people to stand about or walk about in uniforms"!
‘If we look briefly at a professional head of security, we should see a strategist who is able to pull together all of the diverse aspects of the corporate risk and security portfolio. Not only will he or she be able to advise on each individual area of security activity, but they’ll also be able to integrate these activities to create a holistic solution. They will be skilled in assessing risks and threats, and in guiding the Chief Executive and members of the board towards achieving maximum protection for the corporate bottom line. However, the Security Manager will be unable to make their strategy work unless they accept the fact that every part of the security plan can only succeed if it is operated as a partnership. The formal security team members cannot – and indeed, should not be – the only people seen to hold a security role. Rather, a professional organisation will share the security responsibility. Typically, the breakdown of responsibilities might see the Security Department sharing the protection of premises, guarding and stock control with facilities management, pre-employment screening duties with Human Resources, information security with IT, investigations with the Audit Department and business continuity with Group Operations.’ (SMT May 2006: 56)
So the blame falls firmly on the shoulders of security managers, who must resist, absolutely, any systems installation where the decision-making has been driven by the equipment’s technical capabilities and not informed by operational needs. Whilst recognising that many decisions on these issues are made outside of the security division, the time has never been better for security managers to make a stand and claim back the ‘high ground’ when it comes to operational issues and how these, not technical attributes, should drive decision-making. These ‘needs’ should clearly have been identified through the risk and security audits. One must, though, be convinced that this cohesive, strategic approach is also required under the terms of corporate governance, for herein lies the Corporate Security Director’s longest lever.
Risk/security managers should take heart that their day has dawned, without getting too lyrical, but they must also be very certain of the solidity of the ground underfoot. The dislocation between the board and corporate security needs mending. There is little indication to date that the drive for this will come from above, from a board of directors who, in the main, believe that all is well in the kingdom because they can see lots of cameras on walls and have to ‘badge in’ every morning, but who, in reality, have no cognisance of the sheer breadth and depth of all the issues that ‘Security’, as a catch all title, now covers. Necessary change must be driven upwards from below.
Security operatives need, somehow, to be letting directors know that risk management doesn’t stop at the commercial decision as to whether it is feasible to open a distributorship in Baghdad or Burkina Faso. As was pointed out in a paper called ‘Implementing Turnbull’, issued by The Centre for Business Performance (The Institute of Chartered Accountants in England & Wales), useful questions for members of the board are:
• Do they feel comfortable that we could defend a risk decision after a ‘shock’ or disaster?
• What is there, by way of early warning mechanisms, for identifying potential disasters?
• Have the more likely kinds of fraud been identified and are there controls in place?
• What would we hate to see reported in the press?
The paper also stated that ‘a risk management policy document is to set out clearly for employees the board’s attitude to risk and the appetite for risk which it is prepared to accept. It is also an opportunity to demonstrate to all levels of the company that the board takes risk management seriously’. (ICAEW 1999: 9)
Since ‘the ripple effect of the 9/11 atrocities has included a resurgence and reconsideration of risk assessment, target hardening and insurance. While these measures are laudable in this new era of global risk, there’s a definite need for the practice of risk mitigation (including insurance) to embrace a wider range of risks – particularly in respect of the effective management of risks to reputation.’ (SMT May 2002: 44)
So, corporate governance issues clearly descend to levels of operation that are not simply core, commercial business ones. On a separate but connected issue, security managers must reclaim business continuity from IT departments who, whilst they may have squared away the aspects of information continuity and, hopefully, communications, are unlikely to have addressed the critical relationships and inter-dependencies of the company’s various other departments, nor to have written contingency plans for their recovery in a prioritised manner. A board may, however, be convinced that all continuity elements are in place, because IT have assured them they are!
Whilst there is no desire to pillory IT departments, too many of them claim to have addressed the issue of proprietary information security yet, strangely, have not wished to be audited to BS7799, primarily because they recognise that doing so will engage them with the issues of security per se in the company and, shock horror, they will have to deal with the security department. It is simply territorial protectionism.
These are just two examples of the root causes of the ‘dislocation’ that security feels from the mainstream of the company’s operations. Before examining the detail of corporate governance and internal controls, it is important to recognise what role ‘corporate culture’ plays in all this, and how a company’s view of its core business functions often prejudices the adoption of the correct mindset in senior management, which is a pre-requisite for the adoption of a risk-based process for internal controls and for reporting on them. Classic examples of ‘risk blindness’ such as ‘it won’t happen to us’, ‘it’s not the number one priority’ and ‘I’m just too busy’ still infect many organisations, particularly when the employees do not see their activities as being particularly high risk.
One empirical example of such thinking can be found in the words of Dr Brooke, who was a member of the in-house team that responded to a fire at the Allied Colloids chemical plant, Bradford, West Yorkshire in 1992:
"Never in my worst nightmare did I think that this sort of thing could happen, and I’m sure you think that about your organisation. But there it was – happening." (Toft & Reynolds, 2005:4)
Highly sales-driven organisations often simply ‘face outward’, and directors have to be dragged screaming to address non-core, internal matters. There are other organisations that adopt ‘openness’ as a corporate culture so as to facilitate the free flow of people and, hopefully, ideas. Great, but it also usually facilitates the free flow of people who have no legitimate purpose in the premises, and the free flow of company assets, including proprietary information, out of the door. For many years universities and other academic institutions fought tooth and nail not to exercise control over access, nor to instigate security regimes and mandated procedures on campus (many still do), because it seemed at odds with the principles of academic freedom.
The challenge here is to convince a board that security procedures, access controls, staff adherence to such procedures and good housekeeping are to the benefit of all concerned and do not ‘tilt a lance’ at the vital flow of ideas. One example comes from the field of broadcasting, where the predominance of artistic temperament overrode common sense and eventually it took a terrorist incident to get the organisation and its people to take access control seriously.
In generally benign environments, say the West, openness may be something a company can just about get away with without too much downside, but export that culture to a non-compliant geography, such as the former Soviet Union, and very soon the company could be millions adrift and wondering why staff loyalty is only something directors can find in their HR training manuals. A detailed socio-political risk assessment would, however, have highlighted the potential problems of exporting a certain corporate culture to one where business morality is in its infancy and where openness is seen as a sign of weakness and, thereby, as legitimately open to exploitation.
A colleague has worked for many years in Russia with just such a company, which, some few years down the road of opening an operation there, was some $12,000,000 adrift as a result of major ‘scams’, many operated with the collusion of senior local management, distributors and other employees. It wasn’t as if they weren’t told by their security people, but with too much new business coming through the door, managers could ignore the developing problems resulting from inadequately vetted and often temporary staff and crooked business partners. This is without question what corporate governance and internal controls are designed to identify and resolve, and it is sometimes the risk/security people who are best placed to carry out the exercise.
To commence that march up to the high ground requires a better understanding of the broad issues of governance. Corporate Security operatives must be absolutely convinced that what they do, and the issues they have responsibility for, are as integral a part of the process as the management of capital, execution of business strategy, change management, takeover strategies or the failure of major projects. In the Sarbanes-Oxley Act 2002 (SOX) we see much of the root cause of the drive for best practice in corporate governance. Born out of the major accounting scandals such as Enron, WorldCom etc., the legislation calls for tighter internal controls, CEOs having to sign off on (certify) all financial statements, and real-time disclosure of any material details. The controller of compliance is the Securities and Exchange Commission (SEC), and the overall objective is to protect investors. The section you will see referred to most often when potential breaches are discussed is Section 404, which deals with internal controls on financial disclosures.
The ‘rub’ is, though, that it also affects foreign-owned companies, and not just those listed in the U.S. who fall under the auspices of the SEC, but also U.K. companies who trade with U.S. firms. Public companies and their auditors must now assume responsibility for their internal controls; no one, any longer, can have a defence that they ‘knew nothing’. Such issues as the maintenance of all business records, including emails, for 5 years have the potential to create an IT and security nightmare, by the way.
The Act contains some 60-plus pages on security-related issues, albeit vague in the main on execution. Clearly, though, compliance now means that senior management must be very aware of what ‘Security’ is doing and that its activities are auditable. We have seen some recent examples of the ‘one way street’ of extradition of business people to the States, such as the three NatWest personnel and the arrests of the managers of the online gaming outfits, so the threats are clearly not hollow ones. What is very clear from the Act is its requirement for reporting on activity to be ‘holistic’ and, essentially, risk-driven – in other words activity audits, processes, controls and integrated, risk-driven security all need to be brought together.
This specific accountability for those companies whose U.S. activities place them at risk has also to be integrated with our domestic corporate governance (CG) requirements. CG aims to protect shareholders’ rights, enhance disclosure and transparency, facilitate the effective functioning of the board and provide an effective legal and regulatory enforcement framework. It is the key element in securing investor confidence.
3. Turnbull
‘Turnbull’ is now the accepted guidance on internal control and was issued by a working party chaired by Nigel Turnbull. The guidance is about a ‘risk-based’ approach to establishing internal control and reviewing its effectiveness.
The consequence, by the way, for a listed company not complying is severe. The Turnbull guidance is linked, via the Combined Code on Corporate Governance, to the Listing Rule disclosure requirements of the London Stock Exchange. The result of non-compliance would be that a company’s annual report must be qualified by means of a disclosure of the non-compliance, thereby attracting the possible attention of the press, shareholder activists and institutional investors.
Don’t believe that Turnbull guidance only impacts at the very top of corporate entities, and neither should it be seen as some negative, time-consuming imposition; risk-based commercial decisions protect against losses, help seize opportunities, gain advantage over competitors and prepare for a range of unforeseen events. A risk-based culture, however, in even a small business also means better management focus on activities, better communication and a good level of board involvement in all the company’s activities – especially security.
As outlined previously, Turnbull, whilst it primarily concentrates on a risk-based approach to commercial business objectives and activities, doesn’t ignore a company’s requirement to "safeguard its assets from inappropriate use, loss, or fraud", words as familiar to security people as to board members. The corporate-wide risk matrix that compliance with Turnbull demands would be organised under some principal headings such as Business, Financial, Compliance, Operational and Other. Under the latter, one would have such issues as ‘lack of business continuity’, ‘physical disaster (including fire and explosion)’ and ‘loss of physical and intangible assets’, all of which engage the security department and with which it deals regularly. Also, under the Compliance heading one would expect to find ‘health and safety risks’. Finally, under the Financial heading there are items to be addressed such as ‘occurrence of types of fraud to which the business is susceptible’ and ‘penetrations and attack of IT systems’. So, clearly, Turnbull is a ‘top to toe’ requirement and one which has to engage a risk-driven security department. The above issues are only a sample of areas for attention which would fall within the remit of corporate security, so be quite prepared to defend against any accusation by others that Turnbull doesn’t reach down to what Security does.
On a somewhat side note, one is amazed at the number of companies that have no written and mandated Security Policy, the absence of which is a major breach of good governance in my opinion. On a more positive note, having such a policy works as a type of ‘coat rack’. If it’s in place, Security has the means by which it can ‘hang’ a wide range of subsidiary policies and procedures, e.g. ‘information security’, ‘personal security’, ‘travel security’ etc. With no principal policy in place, though, getting other programmes adopted is often a major task, and mandating the procedures and requirements of a programme to all staff is probably impossible, as the processes to do it are simply not in place. By far the biggest headache of not having a board-approved main policy is that staff will attach little credibility to all programmes and, therefore, comply poorly. As a security manager one should be more than able to write a simple Security Policy for the board to adopt.
But back to compliance issues: for any company with U.S. connections or strong business links, and for whom SOX could be a potential problem, the value of the Turnbull guidance is in its context as a ‘framework’ with which to address S404 requirements. The SEC has actually identified Turnbull as a suitable framework for ‘judging the effectiveness of internal controls over financial reporting’. (FRC 2005:1) Conscious of ‘grandmothers’ and ‘sucking eggs’, the following is only a brief overview of what has been alluded to previously: The Combined Code.
4. The Combined Code on Corporate Governance
The legal position on all this is to be found in The Companies (Audit, Investigations & Community Enterprise) Act 2004. This new Act is the U.K. government’s equivalent of the U.S. Sarbanes-Oxley Act. The Code, however, is about reporting and became effective by late 2003. Stock Exchange Listing Rules impose a requirement for companies to report on how they apply the principles of the Code, or to ‘explain’ why not, known as the ‘comply or explain’ approach. A company has to report in two parts, the first being on how it is applying the principles of the Code and the second to confirm that it complies with the Code’s provisions or, where it does not, to provide the explanation. It is in the section ‘Guidance on Internal Control’ (The Turnbull Guidance) that we see our old friend cropping up, and the following is an extract from the Code under the heading of ‘Control Environment and Control Activities’:
• Does the board have clear strategies for dealing with significant risks that have been identified? Is there a policy on how to manage these risks?
• Is there a clear understanding by management and others within the company of what risks are acceptable to the board?
If you asked those questions of the senior management of the company with those huge losses in Russia, the answer would be ‘no’ to all of them, despite their having been warned of the threats and of the likely risks that would flow from such threats. Their corporate culture was not, sadly, ‘exportable’ to high-risk geographies. One area the company did tackle well, however, was that of Crisis Management, particularly in adapting existing policies, emergency management and contingency procedures to the new, very difficult environment.
This is somewhat of a departure from the norm; personal experience suggests that companies seldom have comprehensive, tested and rehearsed crisis plans that also dovetail with continuity imperatives and, again, this is not just about information recovery and restoration. The ‘spin off’ for a security manager driving crisis and contingency issues is that there is no better project by which to engage senior management. Resilience is a governance issue, but the most telling aspect when trying to capture a board’s attention is that board members will also be Crisis Management Team (CMT) members. They will have no alternative but to be engaged and should not be allowed to resist exercising the plans. By this means, the security department and its staff can make that move ‘upwards’ and create a heightened awareness of the range of sophisticated issues they deal with. However, crisis planning must be shown in the risk assessment as only one part of the overall management of risk, and one should also endeavour to force the issue of ‘presenting’ the findings and recommendations to the board. Don’t simply rely on a report, however succinct, as it will seldom be read by all those who need to be better aware of the breadth and depth of issues assessed, many of which will probably be unresolved and of which most people at senior level will be ignorant.
It is a good tactic to use the cultural inclination of a board to your advantage and to let it inform how best to slant the presentation. A highly sales-oriented, brand-image-conscious organisation will respond well to any strategy which protects that brand. By contrast, a company in a technically competitive marketplace, e.g. pharmaceuticals, will buy in to a range of strategies on the basis that, whilst broadly protecting all assets including people within enhanced security procedures, they are specifically protecting proprietary information.
Selling a security strategy, either as a consultant working alongside ‘in-house’ security or as an in-house security manager, varies not one iota from selling any product or service in any marketplace, and the guiding principle is that which deals with needs and wants.
Selling to a corporate board is no different from selling to an individual, and the key is that selling to ‘need’ is often an uphill struggle, whereas selling to ‘wants’ can turn the whole task around. Selling various security strategies, and the financial spend, to a board because they are ‘needed’ is as hard a sale as selling life assurance to a twenty-year-old: both are examples of a ‘distressed purchase’. In selling parlance, the ‘attributes’ of a proposal need to be converted to ‘benefits’, but Security often bangs on to management about what this piece of kit or system does, or what its new strategy contains, i.e. the attributes, rather than emphasising the benefits that derive from the specification. In a McKinsey survey of over 200 institutional investors they found that 80% of respondents would pay a premium for well-governed companies, from 11% in Canada to 40% in Egypt (Global Investor Opinion Survey 2002).
Turnbull and the whole corporate governance issue is one of ‘need to do’, so, bearing in mind the above cautionary advice, Security operatives have to work hard to find the benefits of compliance to make the purchase an easier one for the board. Remember that only listed companies have an absolute need to comply anyway, so the ‘must do’ argument won’t help in a non-corporate environment or a non-listed company. One should know, though, that Turnbull as ‘best practice’ is finding its way into central and local government and other non-government organisations. Clearly there are benefits for smaller companies in adopting the principles, so as to demonstrate to an increasingly demanding marketplace that they are a well-governed company. As a lever Security can use, Turnbull is getting longer all the time.
5. Conclusion
A security risk manager, particularly in a non-listed company, could very easily be the person who, via his own audit and strategy presentation to the board, lays the groundwork for the future by suggesting that the risk exercise extends, via Turnbull guidance, to a corporate-wide activity – now that’s gaining the high ground! If you are in a company or organisation and feel a sense of dislocation from the business as a whole, then the solution is in your hands, so go and SOX it to them.
Wednesday, May 02, 2007