If your security department is bottom of the heap, the organisation is rife with an ‘open’ culture, and IT has pinched the business continuity issues, you can still conduct a fight back. Peter Speight invokes Turnbull and SOX to explain how

Security-inclined risk assessment should be an integral part of a ‘top to toe’ audit of the more traditional area of internal control, or of the assessment of the risks of embarking on certain commercial ventures. Unfortunately, though, a board often struggles to link its commercial controls, however sophisticated, into the work of the security department.

The problem is that there is still a dislocation in many organisations between the outward facing, commercial activities of a company and its inward looking security/risk department. This dislocation undermines the standing and, therefore, the credibility of the security department in the eyes of the board and senior management when talking about seemingly sophisticated issues. Too often the activities of the security people are seen as happening beneath the radar of the intellectual heavyweights who are dealing with the ‘proper’ issues of the business.

This dislocation between the board and corporate security needs mending, and there is little indication to date that the drive for this will come from above. A board of directors may, in the main, believe that all is well in the kingdom because they can see lots of cameras on walls and have to ‘badge in’ every morning. They may have no cognisance of the sheer breadth and depth of the issues that security, as a catch-all title, now covers. Necessary change must be driven upwards.

Security and governance

Inserting the security department at the right level can be difficult, but there are many ways to engage a board in the more conceptual issues of risk and security management. Security operatives need to let directors know that risk management does not stop at the commercial decision making over whether, for example, it is feasible to open a distributorship in Baghdad.

For example, there are now clearly defined standards and responsibilities for company directors in respect of corporate governance. These have direct implications for security, since the controls they call for must be integrated into the areas in which a security department operates.

While the Turnbull report mainly concerned itself with the methodology of how a company manages risk effectively and embeds internal controls in the business processes, it also touched on a variety of common security risk issues.

The paper, Implementing Turnbull, issued by The Centre for Business Performance (The Institute of Chartered Accountants in England & Wales), suggested useful questions for members of the board:

• Do we feel comfortable that we could defend a risk decision after a shock or disaster?

• What early warning mechanisms are there for identifying potential disasters?

• Have the more likely kinds of fraud been identified and are there controls in place?

• What would we hate to see reported in the press?

The paper also stated that ‘a risk management policy document is to set out clearly for employees, the board’s attitude to risk and the appetite for risk which it is prepared to accept. It is also an opportunity to demonstrate to all levels of the company that the board takes risk management seriously.’

For security, commencing the march up to the high ground requires better understanding of the broad issues of governance. Corporate security operatives must be absolutely convinced that what they do, and the issues they have responsibility for, are as integral a part of the process as are the management of capital, execution of business strategy, change management, or takeover strategies and failure of major projects.

Regulation


The Sarbanes-Oxley Act 2002 (SOX) has been a major driver for best practice in corporate governance. Born out of major accounting scandals such as Enron and WorldCom, the legislation calls for tighter internal controls, with CEOs and CFOs having to certify their company’s financial statements, and mandates rapid disclosure of material changes in a company’s financial condition. Compliance is overseen by the Securities and Exchange Commission (SEC) and, overall, the objective is to protect investors.

SOX also reaches beyond companies listed in the US that fall under the auspices of the SEC: foreign companies registered with the SEC and the overseas subsidiaries of US-listed groups are within its scope, and European companies that trade with US-listed firms may find its requirements passed on to them contractually. So public companies and their auditors must now assume responsibility for their internal controls. No one, any longer, can have a defence that they knew nothing. Incidentally, the Act’s record-retention requirements, which in practice many companies meet by keeping all business records, including e-mails, for five years or more, have the potential to create an IT and security nightmare.

The Act runs to some 60-plus pages, and what it says that bears on security is, in the main, vague on execution. Clearly, though, compliance now means that senior management must be very aware of what their security division is doing and that its activities are auditable. We have seen some recent examples of the ‘one way street’ of extradition of business people to the US, such as the three NatWest personnel and the arrests of managers of on-line gaming organisations, so the threats are not hollow. What is very clear from the Act is its requirement for reporting on activity to be ‘holistic’ and, essentially, risk driven; in other words activity audits, processes, controls and integrated, risk-driven security all need to be brought together.

As well as SOX, there are domestic corporate governance requirements. These aim to protect shareholders’ rights, enhance disclosure and transparency, facilitate effective functioning of the board and provide an effective legal and regulatory enforcement framework. They are a key element in enforcing investor confidence.

As outlined previously, Turnbull, while it primarily concentrates on a risk-based approach to commercial business objectives and activities, does not ignore the requirement for a company to ‘safeguard its assets from inappropriate use, loss, or fraud’, words as familiar to security people as to board members. The corporate-wide risk matrix will have some principal headings, such as business, financial, compliance, operational and other. Under ‘other’ one would have such issues as lack of business continuity, physical disaster (including fire and explosion) and loss of physical or intangible assets, all of which engage the security department and with which it deals regularly. Under the compliance heading one would expect to see health and safety risks. Finally, under the financial heading there are items to be addressed such as the types of fraud to which the business is susceptible and penetration of, and attacks on, IT systems. So clearly, Turnbull is a ‘top to toe’ requirement and one which has to engage a risk-driven security department.

The above issues are only a sample of areas for attention which would fall within the remit of corporate security, so a defence can be prepared against any accusation that Turnbull does not reach down to what security does.

The value of the Turnbull guidance is in its context as a ‘framework’ with which to address the internal control requirements of section 404 (s404) of SOX for any company with US connections or strong US business links, and for which SOX could therefore be a potential problem. The SEC has actually identified Turnbull as a suitable framework for ‘judging the effectiveness of internal controls over financial reporting’ (FRC 2005:1).

London stock exchange listing rules impose a requirement for companies to report on how they apply the principles of the Combined Code – or to explain why they do not – known as the ‘comply or explain’ approach. A company has to report in two parts, the first being on how it is applying the principles of the Code and the second to confirm that it complies with the Code’s provisions or to provide the explanation where it does not. The section ‘Guidance on Internal Control’ (The Turnbull Guidance) contains the following questions under the heading of ‘Control Environment and Control Activities’:

• Does the board have clear strategies for dealing with significant risks that have been identified? Is there a policy on how to manage these risks?

• Is there a clear understanding by management and others within the company of what risks are acceptable to the board?

Corporate governance issues, clearly, descend to levels of operation that are not simply core commercial business ones.

On a separate, but connected, issue, security managers must reclaim business continuity from IT departments which, while they may have squared away the aspects of information continuity and, hopefully, communications, are unlikely to have addressed the critical relationships and interdependencies of the company’s various other departments, nor to have written contingency plans for their recovery in a prioritised manner. A board may, however, be convinced that all continuity elements are in place because IT have assured them they are!

Too many IT departments claim to have addressed the issue of proprietary information security, yet do not wish to be audited to BS 7799 (the standard since adopted as ISO/IEC 27001), primarily because they recognise that this would mean engaging with the issues of security per se in the company. And this would involve dealing with the security department, so issues of territorial protectionism arise.

Role of corporate culture

Corporate culture has a major role to play in how boards regard risk and security functions. A company’s view of its core business functions often prejudices the adoption of a correct mindset in senior management, which is a pre-requisite for establishing a risk based process for internal controls and reporting. Classic examples of risk blindness such as ‘it won’t happen to us’ or ‘it’s not the number one priority’ and ‘I’m just too busy’ still infect many organisations, particularly when employees do not see their activities as being particularly high risk.


Highly sales-driven organisations often simply face outward and directors have to be dragged screaming to address non-core internal matters. Other organisations adopt openness as a corporate culture so as to facilitate the free flow of people and, hopefully, ideas. Great, but it also usually facilitates the free flow of people who have no legitimate purpose on the premises and the free flow of company assets, including proprietary information, out of the door. For many years universities and other academic institutions fought tooth and nail not to exercise control over access, nor instigate security regimes and mandated procedures on campus (many still do) because it seemed at odds with the principles of academic freedom.

The challenge here is to convince a board that security procedures, access controls, staff adherence to such procedures and good housekeeping are to the benefit of all concerned and do not threaten the vital flow of ideas. One example comes from the field of broadcasting, where a predominance of artistic temperament overrode common sense. Eventually it took a terrorist incident to get the organisation and its people to take access control seriously.

In generally benign environments such as western European countries, openness may be something a company can just about get away with without too much downside. But export that culture to a non-compliant geography, such as the former Soviet Union, and very soon that company could be millions adrift and wondering why staff loyalty is only something directors find in their HR training manuals. A detailed socio-political risk assessment would, however, have highlighted the potential problems of exporting a given corporate culture to an environment where business morality is in its infancy and where openness is seen as a sign of weakness, and thus as legitimately open to exploitation.

A colleague who has worked for many years in Russia with just such a company discovered that, some years after opening their operation there, some $12m was adrift as a result of major scams, many operated with the collusion of senior local management, distributors and other employees. Despite the warnings of the security people, with so much new business coming through the door managers could ignore the developing problems resulting from inadequately vetted and often temporary staff and crooked business partners. This is without question what corporate governance and internal controls are designed to identify and resolve, and it is sometimes the risk and security people who are best placed to carry it out.

However, one area that this company did tackle well was that of crisis management, particularly in adapting existing policies, emergency management and contingency procedures to the new, very difficult environment.

Getting the message across

My own experience suggests that companies seldom have comprehensive, tested and rehearsed crisis plans that also dovetail with continuity imperatives. The spin off for a security manager driving crisis and contingency issues is that there is no better project with which to engage senior management.

Resilience is a governance issue, but the most telling aspect when trying to capture a board’s attention, is that board members will also be crisis management team members. They will have no alternative but to be engaged and should not be allowed to resist exercising the plans. By this means, the security department and its staff can make that move upwards and create a heightened awareness of the range of sophisticated issues with which they deal.

Crisis planning must be shown in the risk assessment as just one part of the overall management of risk but it can be crucial. It is important to present the findings and recommendations to the board. Do not simply rely on a report, however succinct, as it will seldom be read by all those who need to be better aware of the breadth and depth of issues assessed, many of which will probably be unresolved, and of which most people at senior level will be ignorant.

It is a good tactic to use the cultural inclination of the board to your advantage when deciding how best to focus the presentation. A highly sales-oriented, brand-image-conscious organisation will respond well to any strategy which protects that brand. By contrast, a company in a technically competitive marketplace, e.g. pharmaceuticals, will buy in to a range of strategies on the basis that, while broadly protecting all assets, including people, within enhanced security procedures, they are specifically protecting proprietary information.

Selling a security strategy, either as a consultant working alongside in-house security, or as an in-house security manager, varies not at all from selling any product in any marketplace. The guiding principle is that which deals with needs and wants.

Further, selling to a corporate board is no different from selling to an individual. The key is that selling to ‘needs’ is often an uphill struggle, whereas selling to ‘wants’ can turn the whole task around. In selling parlance, the ‘attributes’ of a proposal need to be converted to ‘benefits’. Unfortunately, the security manager presenting to management too often elaborates on what a particular piece of kit or system does, or what the department’s new strategy contains, rather than emphasising the benefits.

A security risk manager, particularly in a non-listed company, could very easily be the person who, through his audit and strategy presentation to the board, lays the groundwork for the future by suggesting the risk exercise extends via Turnbull guidance to a corporate wide activity. In all companies, many of the functions with which security people are involved are implicit to good corporate governance and risk management. Security has a good story to tell - so don’t undersell it!

The role of the corporate security director, when working on risk and strategy issues in an organisation, is to ensure that the project engages senior management and board members. As a consequence, this elevates the security personnel and their efforts and places them firmly on the radar as a department which is not only fundamental to the wellbeing of the company, but also more attuned to the management of risk than many board members.
