One day a letter addressed to the general manager of a multinational corporation’s facility in Guangzhou, China, was delivered to the facility’s receptionist. The letter demanded that the company wire money into a specified account or the author would poison the company’s products distributed throughout China. Despite the potential catastrophic damage widespread poisoning would do to the company’s brand, the letter was seen as a local criminal act.
Fortunately, the facility notified the global security department for informational purposes. It set off shockwaves throughout the company. Global security, where I was vice president at the time, viewed this as a significant threat to the business’s brand and reputation and to its shareholders and customers. As the crisis management program owner, it sprang into action, notified the global and regional crisis management teams, and opened a major investigation.
Global security then hired two investigative firms to conduct parallel independent investigations into the extortion demand. The investigations produced two totally opposite conclusions about the author, his intent, and his capability to pull off the attack. The first investigative firm received the letter from the local office in Guangzhou and reported, after analysis, that the letter’s author was well educated, in his late twenties, capable of carrying out the threat, and had an understanding of the business. The second investigative firm, however, reported that the individual was young, about 19 or 20, illiterate, living in a remote area of the country, did not understand the business, and was incapable of carrying out the threat. After receiving these results, a question remained: “How could two very reputable companies come up with such dramatically different conclusions?”
The answer was in the letter.
The first investigative firm received the letter after it was translated into English from the general manager’s office. The second investigative firm requested the original letter that was written in Mandarin. Although the global security department was somewhat confident in the conclusions of the second investigation, the crisis management process continued. It began to construct continuity and recovery plans to be used within a 150-mile radius of the sales center in question. The department also began working on the crisis communication that would go out to sales representatives announcing a product recall. Finally, it developed a strategy to work with the appropriate government entity at the national level. The shakedown artist was not apprehended.
Much like the Polish incident, the multinational company had a global policy and crisis program owned by its global security department. The facility’s notification to global security was timely, ensuring an immediate response from the department because it had global and regional crisis teams assigned and in place.
But once again, as in Poland, the weaknesses had to do with organizational structure and program substance. Business continuity and recovery was owned by local operational units, guaranteeing minimal guidance for the continuity and recovery effort. Continuity and recovery plans were developed on the fly, and there was no assistance or oversight on either business continuity or enterprise risk.
These incidents demonstrate that despite company differences in type, geography, and organizational structure, similarities exist. In each incident, silos allowed a potentially disastrous event to be seen as a local problem initially and not a threat to the company’s brand, employees, and shareholders. This ensured that the response would be incremental and played a significant role in complicating the work disruption issue without providing continuity solutions and assistance.
In today’s turbulent business environment, boards of directors, shareholders, customers, and employees expect the organization to identify risk across businesses and across the globe. They expect that the organization will prepare for, mitigate, and respond effectively to crises whenever or wherever they may be. These expectations, highlighted by incident responses in Poland and China, lead to one conclusion: enterprise preparedness must be owned by one entity.
The functional owner of enterprise preparedness must operate across business lines and must understand the businesses and their many interdependencies. Furthermore, the owner must respond strategically from above and operationally on the ground and have the confidence of senior management and operational leaders. The owner must see risk both strategically and operationally across the organization. He cannot permit the organization to be blinded by a narrow perspective of risk from a number of silos. The importance of this entity supersedes any organizational entitlements or cultural or historic patterns. The most logical place to rest this authority is in the Chief Security Officer (CSO).
Companies considering this course of action should consult the ASIS International Commission of Standards and Guidelines 2008 when creating the CSO position. The model suggests reporting to the most senior-level executives, who should provide access to the board of directors—clearly the appropriate level for enterprise preparedness.
The model also emphasizes some critical CSO responsibilities in the area of enterprise preparedness. For example, the CSO will be responsible for coordinating efforts within the organization to restore critical systems and provide facilities needed by the organization to function in case of an attack or a catastrophe. Also, the CSO will coordinate with internal and external resources to ensure adequate medical, financial, and emotional support assistance is provided to employees, customers, and others involved in a catastrophic event or an attack on the organization. Finally, the CSO will coordinate and collaborate with local, state, federal, and international government.
Security professionals must design their respective approach to enterprise preparedness to fit their organization based on the relevant risks associated with their business model. The CSO is a strong contender for that responsibility. By centralizing enterprise preparedness in the CSO position, companies can make their businesses more resilient by eliminating silos and streamlining their crisis management response. Effectively executed, enterprise preparedness should increase shareholder value. Talk about return on investment.
Robert F. Littlejohn, CPP, CFE, is president of RFLittleJohn Associates LLC, based in New York, New York. Formerly, he was the vice president of global security at Avon Products. He has also served in the past as president of the International Security Management Association, cochair of the Overseas Security Advisory Council, and on the ASIS International Board of Directors.
♦ A shorter version of this article appeared as a sidebar to the article "Don't Let the Plan Be the Disaster," by William M. Lokey, which appeared in the June 2009 print edition.