The classification of corporate security within the corporate hierarchy is in motion. As a result of reorganization projects, corporate security is increasingly placed in the area of compliance or risk management. This is accompanied by a feared loss of importance of corporate security: Will the heads of corporate security in particular experience a significant decline in importance and also in payment? All in all, this raises no less than the question of the sustainability of corporate security in its current form.
Article by Dr. jur. Klaus Bockslaff
Increase the importance of security in the company
In many companies, the topic of “corporate security” or ” enterprise security” has grown historically. Individual operational areas of “security” are well developed in themselves. At the same time, however, there is often a lack of
(1) a clear reference to the corporate strategy,
(2) a derivation of the requirements from the business processes and
(3) the risk analysis as well as
(4) a clear definition and structure of the planning, management and control processes of safety.
In other words, the strength at the operational implementation level of security is contrasted by the lack of a consistent, process-oriented management system for security.
In addition: In many companies, a considerable amount of actionism in terms of security after major events is (unfortunately) accompanied by low acceptance in everyday life. This is compounded by significant job cuts and high employee turnover, and a separation of IT security in terms of content and organization. In addition to a mental separation between safety and security – with “box” thinking on both sides – we finally find a “commissioned” mismanagement in many companies.
Security management as a company-wide overall requirement
All these findings taken together are not the least an expression of a lack of an overall demand for security. The consequence is a lack of acceptance of the value added contribution of corporate security. With the fatal result that in things security all too gladly the statement prevails: ” For this we have now no money!” Precisely because the value-added contribution of security is not made measurable.
In this situation, a part of the literature suggests that the area of business continuity management should be expanded to an “integrated crisis management” and thus provide a stronger substantive framework for corporate security as a “continuity manager”. For this purpose, the BSI Standard 100-4, a work of the Federal Office for Information Security, which was mainly created by an IT consulting firm, is being attempted, and which certainly contains valuable insights from the IT perspective.
For the area of security management systems, however, there are currently no recognized standards – apart from the considerations in Austria (ONK 252 Corporate Security Management). As a model for a comprehensive security management system, the ISO 27000 ff. for information security or the BS 25999 “Code of Practice for Business Continuity Management” or the ONR 49000 “Risk Management” can be used.
How can a company-wide overall security management claim be created and implemented? And how can the added value contribution of security in the company be made measurable?
One answer: Many companies have a distinctive quality management. So what could be more obvious than to transfer these already established methods – including the PDCA cycle – to the safety sector and to design safety management analogous to quality management and later combine it in an integrated management system? At the same time, this could also follow the path indicated in ONR 49000 and ISO 31000 with regard to the establishment of an integrated management system including the areas of quality, environment, information security and health and safety.
If we continue to pursue this approach, in practice it will be important to first define the company’s security objectives and security policy. In the subsequent elaboration of the necessary documents at the various levels, the areas to be covered will be delimited, responsibilities will be established and the security processes will be defined. In addition to the organizational, overarching structures, the individual topics are then dealt with in detail with the responsible employees, right down to individual process descriptions. Existing structures, organizations and measures are reviewed and, where possible, transferred to the new safety management system.
Until the complete system is finally implemented, it goes through several quality management cycles. The modular structure ensures that every company that follows this path actually receives an individual system tailored to its specific security needs, in compliance with “best practice” standards. This helps to answer the above question, the value-added share of security becomes clear, and the acceptance of security in the company will at least not decrease further. And not to forget: Ultimately, this approach makes it clear in which requirement environment the successful security manager will have to operate in the future.
A project example – the LIFE AG
The following fictitious project describes how to proceed when introducing a process-oriented safety management system:
Our model company, LIFE AG, is a medium-sized family business with approx. 780 employees, of which approx. 640 work in production. The only production site is located in the immediate vicinity of the Main River near Frankfurt. The company is engaged in the development, production and distribution of electrically driven tools for do-it-yourselfers and craftsmen (e.g. drilling machines). The catalog producer with a global distribution network (70% sales) has subsidiaries in various countries and independent importers in other countries. The good market success is achieved through high quality and delivery capability. Adherence to delivery dates is of great importance in competitive markets.
This company has had very negative experiences in various situations with crises and especially with the press. There had been worldwide product recalls. Plagiarism and a flood of the river Main also caused difficulties.
After these experiences LIFE AG had the complete safety management system audited. It was found that the existing security organization did not have a strategic orientation, but rather focused on individual operational solutions.
The goal of a comprehensive project is now a reorientation of the safety management system, taking into account strategic and operational components. The strategic management for the headquarters and all subsidiaries concerned is to be assigned to a central coordination and specialist security unit. The operational management and implementation will remain with the individual departments concerned.
The aim of the project is to establish a new corporate security within a process-oriented approach. The following basic assumptions are made:
❏ “Security” is the prerequisite for the efficient and successful execution of all business processes along the entire value chain (illustrating the value-added contribution of security).
❏ In addition to the protection of people and other important objects of protection, the continuation of business operations with as little disruption as possible (business continuity) is a key security objective.
❏ A company-wide definition of security principles is a prerequisite for a common understanding of “security” and company-wide implementation.
❏ “Security” is defined in the applicable regulations and is in line with the values of LIFE Ltd. Above all, the values “trust” and “reliability” form the basis of the security philosophy.
❏ Company-wide security principles, which follow this basic understanding, make a direct value contribution to the company and offer clear orientation in all markets: the employees of LIFE Ltd as well as customers, business partners and suppliers.
The company-wide security concept is the unification of all decisive points in the security architecture of a company. Instead of additive concepts and partial solutions, a holistic approach with a common philosophy is generated in all levels and areas. Security management in such a company-wide security organization means:
❏ Transparency about corporate risks and the associated opportunities, including all costs associated with managing risks.
❏ Establishment of security management as a management process in the company, so that the necessary transparency regarding organization, responsibilities, competencies and standards as well as the achievement of the necessary management and employee responsibility is ensured through guidelines and awareness raising.
❏ Establishment of quality and security principles as a guide for decisions and personal behavior as well as the creation of a framework for security-relevant processes or incidents based on standards, with comprehensible and repeatable results.
❏ Communication between the department and security managers with a common understanding of business requirements and security objectives.
❏ Optimal implementation of security concerns by selecting appropriate, effective and sustainable security measures and adapting them to the needs of the company and its employees, especially with regard to usability, taking into account cost-benefit aspects.
❏ Delimitation and assignment of responsibility with regard to new areas of danger and avoidance of security measures for subjectively perceived threats that do not represent a significant risk to the company.
If these basic goals are applied to the concrete task, requirements arise in the following points:
❏ Coordinated alignment between security concerns and business requirements and thus the alignment of security with the business strategy of the company.
❏ Networking of corporate governance, quality management, risk management, internal audit and corporate planning.
❏ Identifying and evaluating security risks and deriving suitable measures.
❏ Promotion/obligation of cost transparency for security requirements.
❏ Early involvement of security interests in all concept, project and operational phases.
❏ Flexibility in the further development of solutions while ensuring a stable security level.
Security management based on business objectives
This approach results in a security management system that is linked to the risk management process and is thus a management process aligned with the business objectives. This security management ensures the defined security standards for all products and services of the company.
However, this basic process also results in requirements from accompanying processes. Because only an integral security management, which
(1) uses both the company’s risk management system as an early warning system for the preventive derivation and determination of the necessary safety measures and
(2) relies on the emergency and crisis management system to ensure the company’s ability to act even in particularly time-critical or crisis situations is a suitable basis for securing business continuity in the long term. And finally, there is a special requirement
(3) in the implementation processes of corporate security from a cost and efficiency perspective. This makes a significant contribution to reducing the total costs that must be spent on risk treatment (total cost of risk).
A large number of steps are required for the design of the model for the expansion of corporate security presented here: The starting point is the creation of a handbook for corporate security, in which, among other things, the developed security policy and the security strategy are recorded, as well as the basic organization, process organization, responsibilities and competencies. On this basis, the various other modules required for implementation are then realized. These include, to name individual elements:
❏ a clearly structured system for the document structure,
❏ a distinctive reporting system,
❏ a defined reporting system for the recording of critical events,
❏ a clear definition of security standards of different hazard classes and
❏ an evaluable recording system for any deviations from the security standards.
In view of the great importance of the human risk factor, this overall program should also contain elements for improving risk awareness.
Procedure with the classic phases of project management
The classic project management phases would be used for the further development of the company-wide safety management (SMS) at LIFE AG, as envisaged here:
Phase 1: Study
In a basic study, the first step was to make an as-is assessment and evaluate the planned target status. The final report should contain a presentation of the actual state and an assessment of the planned measures for the target state. Furthermore, possible solutions should be presented and a proposal for the implementation of the best variant should be formulated.
Phase 2: Project planning
In the project planning phase, a plan for the implementation of the future target processes is now presented. For this purpose, a rough concept for the structural and process organization, the necessary instruments, aids and resources as well as a model for an alarm organization are first developed in various workshops. For this rough concept a more concrete implementation plan with the contents procedure, dates, contents, costs and project quality management is then created and finally converted into a project planning application.
Phase 3: System and organizational structure
On the basis of the approved rough concept, the detailed concept is now drawn up with the specifications of the security and the corresponding processes, a detailed plan for the implementation, the realization of the processes and with the corresponding training for the responsible employees.
Phase 4: Implementation of system structure, process organization
The implementation phase is characterized by the fact that now the individual elements for the system structure and process organization are being implemented. In internal workshops, the processes of corporate security are elaborated. In addition, the necessary interfaces to other departments will be determined, a risk-oriented internal control system with suitable control points to be integrated into the reporting system will be designed, and the general reporting system and communication channels top-down and bottom-up will be organized.
Phase 5: Organizational and system transfer into the proper process organization
During the transfer of the developed organization and the system into the proper process organization, the necessary measures are coordinated and the responsible employees are supported and trained. Any quality deficiencies of the system occurring during the introduction are documented and a catalog of measures for the elimination of the deficiencies is prepared.
The results are summarized in a project report and milestones for the further procedure are defined in a corresponding presentation.
Phase 6: Follow-up / completion
The conclusion of the project takes place via a success analysis with a collection of the customer satisfaction, a rework of the recognized weaknesses of the system and the production of a procedure concept for the lasting care and system continuation.
As long as companies can afford to organize corporate security and safety in separate areas, the economic pressure does not seem to be high enough. Those security managers who do not attempt to resolve this classic contradiction are well advised. The resistance to such an undertaking is considerable, but it shows that the people involved are still stuck in the classic operational requirements and have not yet opened up to process-oriented thinking. Only by clarifying the processes of corporate security and their binding implementation in all affected areas can considerable advantages in process costs be realized without a decrease in the quality of security.
It is also obvious that a security officer who takes this path must have more extensive technical and personal skills than is often the case today. In addition to a very good knowledge of security, a very good command of process and project management will be particularly important. Furthermore, very good knowledge of the applicable national and international standards and especially of risk management is required.
On this basis, a security management system can then be created in which the persons involved do not have to shy away from a critical collegial dialogue with the internal audit, controlling, risk management or business continuity manager, but will insist on it.
It will be important for those responsible for security to also deal with topics that at first glance do not appear to be directly related to classic security topics. In this way, the contribution of security to value creation can be made clear and the importance of security in the company can be consolidated.
Downloas article as PDF document (German only)