Contingency Planning: Protecting the Bottom Line
Vol. 4 , No. 5
May 01, 2002
"Those who do not remember the past are condemned to repeat it."
George Santayana (20th Century philosopher)
Historically, business has viewed security planning from a very simple, even simplistic perspective: guarding some "thing." Security plans have often been just a paper exercise: required by corporate policy, then buried somewhere in a file. As a result of the tragic, gut-wrenching wake-up call we got on September 11, 2001, a dramatically higher level of emphasis has been placed on what traditionally has been called "security planning."
Companies who are truly tuned into the new, post-9/11/01 world can now ensure their companies are prepared to react to any challenge, not just threats to physical security. These companies know they must have well-developed, threat-based contingency plans which reach far beyond the old "gates and guards" approach. The out-dated idea that you just add more fences and guards to ensure security is no longer valid, if in fact it ever was valid. Without a thoughtful, well-designed and dynamic contingency plan, you end up with a file that is of little or no value.
Businesses operating in the 21st Century - whether opening or staffing offices in St. Louis, Missouri, or Curitiba, Brazil, or Mumbai, India - need to address certain basic issues:
# What do you value?
# What do you want to protect?
# Is there a defined threat? If so, what is the nature and time-line on the threat?
# Who has responsibility for contingency planning management and implementation?
# Does the plan work, and does the staff know what they should do under the plan?
# Who is responsible for making sure the plan works the next time, and the next?
# What Do You Value?
Traditional approaches to "security plans" concentrated on providing physical security. The classic approach could stop an armed attack on a building. But it often virtually locked employees inside. While in certain circumstances this may be necessary, this approach is not suited or even germane to many offices, plants or business environments.
We suggest a more radical approach: evaluating what is important to a company and worth protecting - before you design and implement a security management plan. This approach is long overdue. It is time to stop using a "more is better" approach and to design effective and efficient programs to meet actual challenges and needs.
Under this new approach, management reviews assets and operations to evaluate what is critical to company survival. Among the basic decisions: What do we have to have? Do we have to protect people (how many and where?), plant & equipment, R&D materials, intellectual property? Companies will automatically say their people must be protected. But there are basic issues as to management, staff, and departments that must be evaluated, just as governments must weigh their tiers of executives, branches and agencies within the government. After addressing this tough and sensitive area, the other issues need to be prioritized. This is hard, but - unless your resources are endless - you must be willing to make decisions on relative priorities and move forward.
You should ensure that your process is not so bureaucratic and simplistic that everyone simply spends five minutes on bare necessities (as in, "1-2-3, we're done"). This won't serve any purpose. What is needed is deliberate, thoughtful study devoted to the process, so management can evaluate the core operations of its business and identify what really contributes to the company's success. In other words, this entire process of evaluation can have significant, positive repercussions for the entire company. Such an evaluation can help to cut through to vital issues that may not have been sufficiently considered before. These strategic issues may include the need to identify and protect future markets, the need to develop strategies for political issues related to long-term operations, labor relations and problems, the cost of a poorly designed HR program, etc.
Regardless of what business sector a company is in, it is necessary to clearly define and prioritize what is of critical value to the company and its operations. The issues developed will ensure that the resulting security plan is company-specific, industry-specific and region-specific, as well as practical, efficient and cost-effective. The new contingency plan will be aimed at dealing with your company's issues and your priorities.
Who and What is Your Problem?
While this sounds like a teenager's retort to a parent, it highlights the second step of risk minimization. Succinctly, it can be presumed that you have assets that must be preserved and protected. The question remains: Is there any identifiable threat to staff, assets and operations? As an example: if you have completed research on a microchip that is integral to the design and functioning of an exotic fishing lure intended to attract a certain type of fish, making this research vital to the company, is there a real threat out there to your R&D operations? Is there a competitor with an interest in your research? If so, could this competitor reverse engineer the microchip, or could it manufacture such a device if they had the plans? If the answer to these questions is "no," you may decide that a full risk avoidance program is not necessary. However, if the answer is "yes" to any of these questions, you should look at the vulnerabilities in your R&D program, and begin to develop security measures to protect your sensitive research results.
Consideration of real threats will mean development of reality-based contingency plans. Using the same example, if all of your fishing lure research is stored in an IT database rather than in a file, constructing 10-foot walls around your building does not necessarily meet your needs. The real threat may be internal or technological. You may decide that rigorous employee vetting, security briefing programs, and a carefully designed, fully implemented and enforced IT security system may more realistically meet your needs. First, look at your core operations to define and prioritize valuable assets, then look outwards to potential threats. Furthermore, expect cost-savings to result from this kind of targeted security program. The resulting plan will absolutely present more direct, efficient and effective options than the security blanket of risk management as usual.
The design of a real contingency plan can now begin.
Now What?
Many companies with basic risk avoidance and contingency management plans draft them, then put them on a shelf for use only when disaster strikes. Beware. A plan that is not reviewed, implemented and practiced is not worth the paper on which it is printed or the data space it occupies. To contribute to corporate success, such a plan must be a dynamic, living document that is part of a functioning security program. It must be subjected to review, updated, and actually used. A good plan allows for the effective management of risk; encourages effective, efficient use of resources in protecting assets; and contributes to the ultimate profitability of the company.
The plan should have:
Responsibility assigned for management and maintenance of the plan. Mandatory periodic reviews of the plan by all members of the management team. Country-specific plan reviews, as appropriate, in our global economy. Exercises that familiarize decision-makers with the plan and its elements. Exercises that assure employees and contractors buy into the plan and its procedures.
The Bottom Line
Without reviews, updates and practice, time and money can be wasted on a meaningless security plan that serves no one. Traditionally, "security plans" have been viewed as adding nothing to the bottom line. Contingency planning and risk avoidance planning do in fact contribute to the bottom line: they guide your company toward actual analysis of who and what they are; they encourage broad, strategic conceptualization designed to ensure that a company recognizes real challenges; they help your company to be prepared to deal with all types of threats. Objective, professional preparation, coupled with review and implementation, are necessary to over-ride the all too common and dangerous chaos, which can come when a company is challenged in a way never envisioned. To paraphrase Santayana: "He who fails to learn from history is doomed to repeat it."
© Copyright - Smith Brandon International, Inc.
George Santayana (20th Century philosopher)
Historically, business has viewed security planning from a very simple, even simplistic perspective: guarding some "thing." Security plans have often been just a paper exercise: required by corporate policy, then buried somewhere in a file. As a result of the tragic, gut-wrenching wake-up call we got on September 11, 2001, a dramatically higher level of emphasis has been placed on what traditionally has been called "security planning."
Companies who are truly tuned into the new, post-9/11/01 world can now ensure their companies are prepared to react to any challenge, not just threats to physical security. These companies know they must have well-developed, threat-based contingency plans which reach far beyond the old "gates and guards" approach. The out-dated idea that you just add more fences and guards to ensure security is no longer valid, if in fact it ever was valid. Without a thoughtful, well-designed and dynamic contingency plan, you end up with a file that is of little or no value.
Businesses operating in the 21st Century - whether opening or staffing offices in St. Louis, Missouri, or Curitiba, Brazil, or Mumbai, India - need to address certain basic issues:
# What do you value?
# What do you want to protect?
# Is there a defined threat? If so, what is the nature and time-line on the threat?
# Who has responsibility for contingency planning management and implementation?
# Does the plan work, and does the staff know what they should do under the plan?
# Who is responsible for making sure the plan works the next time, and the next?
# What Do You Value?
Traditional approaches to "security plans" concentrated on providing physical security. The classic approach could stop an armed attack on a building. But it often virtually locked employees inside. While in certain circumstances this may be necessary, this approach is not suited or even germane to many offices, plants or business environments.
We suggest a more radical approach: evaluating what is important to a company and worth protecting - before you design and implement a security management plan. This approach is long overdue. It is time to stop using a "more is better" approach and to design effective and efficient programs to meet actual challenges and needs.
Under this new approach, management reviews assets and operations to evaluate what is critical to company survival. Among the basic decisions: What do we have to have? Do we have to protect people (how many and where?), plant & equipment, R&D materials, intellectual property? Companies will automatically say their people must be protected. But there are basic issues as to management, staff, and departments that must be evaluated, just as governments must weigh their tiers of executives, branches and agencies within the government. After addressing this tough and sensitive area, the other issues need to be prioritized. This is hard, but - unless your resources are endless - you must be willing to make decisions on relative priorities and move forward.
You should ensure that your process is not so bureaucratic and simplistic that everyone simply spends five minutes on bare necessities (as in, "1-2-3, we're done"). This won't serve any purpose. What is needed is deliberate, thoughtful study devoted to the process, so management can evaluate the core operations of its business and identify what really contributes to the company's success. In other words, this entire process of evaluation can have significant, positive repercussions for the entire company. Such an evaluation can help to cut through to vital issues that may not have been sufficiently considered before. These strategic issues may include the need to identify and protect future markets, the need to develop strategies for political issues related to long-term operations, labor relations and problems, the cost of a poorly designed HR program, etc.
Regardless of what business sector a company is in, it is necessary to clearly define and prioritize what is of critical value to the company and its operations. The issues developed will ensure that the resulting security plan is company-specific, industry-specific and region-specific, as well as practical, efficient and cost-effective. The new contingency plan will be aimed at dealing with your company's issues and your priorities.
Who and What is Your Problem?
While this sounds like a teenager's retort to a parent, it highlights the second step of risk minimization. Succinctly, it can be presumed that you have assets that must be preserved and protected. The question remains: Is there any identifiable threat to staff, assets and operations? As an example: if you have completed research on a microchip that is integral to the design and functioning of an exotic fishing lure intended to attract a certain type of fish, making this research vital to the company, is there a real threat out there to your R&D operations? Is there a competitor with an interest in your research? If so, could this competitor reverse engineer the microchip, or could it manufacture such a device if they had the plans? If the answer to these questions is "no," you may decide that a full risk avoidance program is not necessary. However, if the answer is "yes" to any of these questions, you should look at the vulnerabilities in your R&D program, and begin to develop security measures to protect your sensitive research results.
Consideration of real threats will mean development of reality-based contingency plans. Using the same example, if all of your fishing lure research is stored in an IT database rather than in a file, constructing 10-foot walls around your building does not necessarily meet your needs. The real threat may be internal or technological. You may decide that rigorous employee vetting, security briefing programs, and a carefully designed, fully implemented and enforced IT security system may more realistically meet your needs. First, look at your core operations to define and prioritize valuable assets, then look outwards to potential threats. Furthermore, expect cost-savings to result from this kind of targeted security program. The resulting plan will absolutely present more direct, efficient and effective options than the security blanket of risk management as usual.
The design of a real contingency plan can now begin.
Now What?
Many companies with basic risk avoidance and contingency management plans draft them, then put them on a shelf for use only when disaster strikes. Beware. A plan that is not reviewed, implemented and practiced is not worth the paper on which it is printed or the data space it occupies. To contribute to corporate success, such a plan must be a dynamic, living document that is part of a functioning security program. It must be subjected to review, updated, and actually used. A good plan allows for the effective management of risk; encourages effective, efficient use of resources in protecting assets; and contributes to the ultimate profitability of the company.
The plan should have:
Responsibility assigned for management and maintenance of the plan. Mandatory periodic reviews of the plan by all members of the management team. Country-specific plan reviews, as appropriate, in our global economy. Exercises that familiarize decision-makers with the plan and its elements. Exercises that assure employees and contractors buy into the plan and its procedures.
The Bottom Line
Without reviews, updates and practice, time and money can be wasted on a meaningless security plan that serves no one. Traditionally, "security plans" have been viewed as adding nothing to the bottom line. Contingency planning and risk avoidance planning do in fact contribute to the bottom line: they guide your company toward actual analysis of who and what they are; they encourage broad, strategic conceptualization designed to ensure that a company recognizes real challenges; they help your company to be prepared to deal with all types of threats. Objective, professional preparation, coupled with review and implementation, are necessary to over-ride the all too common and dangerous chaos, which can come when a company is challenged in a way never envisioned. To paraphrase Santayana: "He who fails to learn from history is doomed to repeat it."
© Copyright - Smith Brandon International, Inc.
Smith Brandon International, Inc. conducts international investigations and provides actionable business intelligence and risk avoidance counsel to assist companies in their overseas operations. The firm's principals are grounded in investigative, analytical, and intelligence gathering techniques, drawing on decades of experience in the FBI, State Department, intelligence circles and the private sector. For more information, please call 202-887-9363, or visit our website at http://www.smithbrandon.com/.
Smith Brandon International has a network of experienced professionals anywhere in the world.
1156 15th Street NW, Suite 510
Washington, DC 20005
(202) 887-9363
info@smithbrandon.com
Global assurances for a world
filled with uncertainties.
Member of:
ABA
ACFE
ASIS International
FCIB-NACM
Former Special Agents of the Federal Bureau of Investigation
IACP
Kentucky Bar Association
NAPBS
© 2009 Smith Brandon International, Inc. (202) 887-9363
Powered by Addison Clark Online