By Robert F. Littlejohn
A veteran security professional of 25 years shows how businesses can smash the silos that hamper enterprise preparedness. (Extended Online Exclusive)
Many organizations think they have good crisis plans in place when, in fact, their enterprise preparedness programs are fragmented into different silos with poor coordination, communication, and collaboration.
In my experience dealing with numerous global crises during the past 25 years, I have seen how silos cause problems. And recent research confirms why enterprise preparedness is critical to long-term profitability. In 2006, Oxford-Metrica research estimated that 83 percent of companies would face a crisis within the next five years that would reduce their profitability by 20 to 30 percent. Another study conducted at Oxford University showed that shareholder value increased by 7 percent for companies that were prepared for a crisis, versus a decrease of 15 percent for companies that were not.
Two recent incidents show how dangerously multinational organizations scatter their enterprise preparedness responsibilities across too many regions, facilities, and departments. Problems such as these do, however, have a solution: vest enough authority in one position to oversee enterprise preparedness, and give that position a seat in the C-suite.
The first case involves a supply-chain disruption. The site was located in Garwolin, Poland. It was the primary product manufacturing facility for Europe, the Middle East, and Africa. This region accounted for a significant portion of the company’s annual revenue.
The incident began with a few workers on the production line complaining of nausea and fatigue. An ambulance was called, and they were sent to the hospital. As the night progressed, more workers became ill and were taken to the hospital. The remaining workers left the facility and refused to return to work.
As the local leadership team arrived in the morning, the situation worsened, and the facility was closed. With the facility now shut down, global security was notified. Global security alerted both the corporate and regional crisis teams and responded to the scene.
In this company, the crisis management function was owned by the global security team, while business continuity and recovery were owned by the risk management group, and enterprise risk management was owned by yet a third unit, the audit team.
At the scene, a fourth silo was local management, which headed the investigation yet failed to identify the cause of the workers' illness. After a few days, management reopened the facility without having diagnosed the cause of the trouble, a serious error in judgment that might not have occurred if all aspects of crisis management had been centrally managed.
Workers returned, beginning with the night shift. After only a few hours, they again began to feel ill, and this continued throughout the night. The facility was again shut down.
Finally, with the second closure, the global crisis team—composed of the heads of legal, human resources, communications, finance, and security—was activated. The incident had finally been recognized as an enterprise-wide crisis, which was critical if the company was to avoid costly business interruptions and long-term damage to customer relations.
One problem created by the silo effect was that business continuity was a local operational responsibility without enterprise oversight and assistance. Now, on the fly, leaders scrambled to figure out how to source the products if the facility remained closed.
Meanwhile, it took two weeks to determine that an atmospheric problem may have caused gases to reenter the facility. After conferring with local government and various experts, the facility was incrementally reopened.
The limitations and failures in the enterprise risk functions were glaring. Although the company had a comprehensive crisis management program that extended to every region and facility, involved top leadership, and was updated and exercised, continuity and recovery were not part of the crisis management program: risk management owned them. Also, the enterprise risk area was owned by audit. This group was not represented in the solution process and failed to provide enterprise guidance or oversight for business interruption incidents.
This incident represented a serious threat to the brand since the company was unable to provide products to customers during a critical season. Local management had failed to conduct a deep dive into long-term consequences and the strategies needed to meet those consequences.
One day, a letter addressed to the general manager of a multinational corporation's facility in Guangzhou, China, was delivered to the facility's receptionist. The letter demanded that the company wire money into a specified account or the author would poison the company's products distributed throughout China. Despite the potentially catastrophic damage widespread poisoning would do to the company's brand, the letter was seen as a local criminal act.
Fortunately, the facility notified the global security department for informational purposes. That notification set off shockwaves throughout the company. Global security, where I was vice president at the time, viewed this as a significant threat to the business' brand and reputation and to its shareholders and customers. As the crisis management program owner, the department sprang into action, notified the global and regional crisis management teams, and opened a major investigation.
Global security then hired two investigative firms to conduct parallel independent investigations into the extortion demand. The investigations produced two totally opposite conclusions about the author, his intent, and his capability to pull off the attack. The first investigative firm received the letter from the local office in Guangzhou and reported, after analysis, that the letter’s author was well educated, in his late twenties, capable of carrying out the threat, and had an understanding of the business. The second investigative firm, however, reported that the individual was young, about 19 or 20, illiterate, living in a remote area of the country, did not understand the business, and was incapable of carrying out the threat. After receiving these results, a question remained: “How could two very reputable companies come up with such dramatically different conclusions?”
The answer was in the letter.
The first investigative firm had received the letter after the general manager's office translated it into English. The second investigative firm requested the original letter, which was written in Mandarin. Although the global security department was somewhat confident in the conclusions of the second investigation, the crisis management process continued. It began to construct continuity and recovery plans to be used within a 150-mile radius of the sales center in question. The department also began working on the crisis communication that would go out to sales representatives announcing a product recall. Finally, it developed a strategy to work with the appropriate government entity at the national level. The shakedown artist was not apprehended.
Much like the Polish incident, the multinational company had a global policy and crisis program owned by its global security department. The facility’s notification to global security was timely, ensuring an immediate response from the department because it had global and regional crisis teams assigned and in place.
But once again, as in Poland, the weaknesses had to do with organizational structure and program substance. Business continuity and recovery were owned by local operational units, guaranteeing minimal guidance for the continuity and recovery effort. Continuity and recovery plans were developed on the fly, and there was no assistance or oversight on either business continuity or enterprise risk.
These incidents demonstrate that despite differences in company type, geography, and organizational structure, similarities exist. In each incident, silos allowed a potentially disastrous event to be seen initially as a local problem rather than as a threat to the company's brand, employees, and shareholders. This ensured that the response would be incremental, which significantly complicated the work disruption while providing no continuity solutions or assistance.
In today's turbulent business environment, boards of directors, shareholders, customers, and employees expect the organization to identify risk across businesses and across the globe. They expect that the organization will prepare for, mitigate, and respond effectively to crises whenever or wherever they may occur. These expectations, highlighted by the incident responses in Poland and China, lead to one conclusion: enterprise preparedness must be owned by one entity.
The functional owner of enterprise preparedness must operate across business lines and must understand the businesses and their many interdependencies. Furthermore, the owner must respond strategically from above and operationally on the ground, and must have the confidence of senior management and operational leaders. The owner must see risk both strategically and operationally across the organization and cannot permit the organization to be blinded by the narrow perspectives of risk that a number of silos produce. The importance of this entity supersedes any organizational entitlements or cultural or historic patterns. The most logical place to rest this authority is in the Chief Security Officer (CSO).
Companies considering this course of action should consult the 2008 guidance from the ASIS International Commission on Standards and Guidelines when creating the CSO position. The model suggests reporting to the most senior executives, who should provide access to the board of directors, clearly the appropriate level for enterprise preparedness.
The model also emphasizes some critical CSO responsibilities in the area of enterprise preparedness. For example, the CSO will be responsible for coordinating efforts within the organization to restore critical systems and provide facilities needed by the organization to function in case of an attack or a catastrophe. Also, the CSO will coordinate with internal and external resources to ensure adequate medical, financial, and emotional support assistance is provided to employees, customers, and others involved in a catastrophic event or an attack on the organization. Finally, the CSO will coordinate and collaborate with local, state, federal, and international government.
Security professionals must design their respective approach to enterprise preparedness to fit their organization based on the relevant risks associated with their business model. The CSO is a strong contender for that responsibility. By centralizing enterprise preparedness in the CSO position, companies can make their businesses more resilient by eliminating silos and streamlining their crisis management response. Effectively executed, enterprise preparedness should increase shareholder value. Talk about return on investment.
Robert F. Littlejohn, CPP, CFE, is president of RFLittleJohn Associates LLC, based in New York, New York. Formerly, he was the vice president of global security at Avon Products. He has also served in the past as president of the International Security Management Association, cochair of the Overseas Security Advisory Council, and on the ASIS International Board of Directors.
♦ A shorter version of this article appeared as a sidebar to the article "Don't Let the Plan Be the Disaster," by William M. Lokey, which appeared in the June 2009 print edition.