Terrorist activity is now an ever-present threat across the globe, with committed organisations looking for the maximum impact and exposure to highlight – and justify – their cause. As Jim Batty suggests, it's vital for security managers to address the issues surrounding corporate risk management before it's too late to save their employer's business from either reputational damage or even closure.
The recent terrorist atrocities in Madrid merely serve to emphasise the importance of remaining vigilant in the face of increased security threats across the globe. It's crucial that companies avoid complacency as they increase security provisions following high profile incidents such as this, because it's all-too-easy to allow standards to slip in their wake. In essence, businesses face a pressing need to analyse security threats and develop strategies that will protect their assets.

The best scenario is to adopt a risk management approach to security. Companies must prepare for 'worst case' scenarios by proactively drafting and testing operational plans, and using incident response contingencies whenever and wherever necessary. These should be complemented by a comprehensive (but at the same time flexible) corporate business recovery plan that could be initiated in the event of a major incident.

How can a company implement security solutions to mitigate risk if an assessment hasn't been conducted to identify the threats facing the business and detail its current vulnerabilities? In an era when corporate reputations are increasingly important, companies need to consider not only the primary costs of an incident and the costs entailed by damage to assets or property, but also the consequential costs which – in financial terms alone – will undoubtedly be far greater than the initial cost. Loss of reputation, or heavy damage to a company brand, can have a far greater and longer term impact than any physical damage to a building or facility.

Don't operate in isolation
Companies recognise that they cannot look at their own security provision in isolation from the businesses operating around them. A terrorist bomb detonated in one building could have a major impact on adjacent facilities or other companies operating on different floors of the same building. Businesses therefore need to work together to maintain security.

For instance, if concerns operate in close proximity on a small footprint – as is the case in London Docklands – they should consider how best to share resources, working together to safeguard each organisation's assets. If another company in the same or an adjacent building has inadequate security measures, it will inevitably increase your business's vulnerability to attack, or at the very least facilitate a costly security failure.

It's also crucial that corporate concerns don't simply consider security within the building. Once a suicide bomber has entered a building's reception area, or is in close proximity, the damage and cost to human lives could well be enormous.

Protection must therefore begin as a 'layered' system, commencing on the periphery of the premises (or 'asset') with a range of integrated physical, electronic and procedural safeguards used where appropriate to minimise the likelihood of a security failure. Safeguards situated in isolation are only minimal barriers, and they increase the attackers' potential for success.

Continuity plans are vital
In today's security environment, it's vital that companies have an effective business continuity plan in place which can be readily implemented if a major incident should occur. This plan must take account of both tangible and intangible assets, inclusive of staff, intellectual property, premises and reputation.

For example, many businesses plan for the relocation of staff in the event of a building being rendered uninhabitable or its infrastructure being designated inoperable, but what if significant numbers of staff are injured or killed?

Companies with a business recovery plan already in place should consider whether their current contingencies are adequate. If companies in close proximity all employ the same operator for their business recovery centres, will there actually be sufficient capacity to cope if a major incident occurs?

It's common practice for companies offering business recovery facilities to oversell office space or computer processing power. In the event of a major incident they may not actually have the capacity to accommodate all the firms reliant upon their facilities. Some important and searching questions should therefore be asked of these providers if your organisation's procedures are to be met.

A number of global businesses have contingencies in place if an entire office or business centre is shut down. For example, if an office in New York is attacked then operations may be immediately transferred to the London office. However, security managers need to consider what would happen if London and New York were to be targeted in tandem. Plans must be formulated for such eventualities. Global concerns who have the capability should consider arranging for an alternative office – in an area designated as less high risk – to take over the running of operations in the event of an incident.

Maximum impact and exposure
In recent years, events have shown that the nature of the terrorist threat has changed. Insurgents are now really beginning to seek both the maximum impact and exposure for their actions. For instance, groups like the IRA usually issued coded warnings before attacks in an attempt to minimise casualties, but the Al-Qaida organisation has demonstrated an all-too-apparent willingness to cause mass casualties without prior warning in order to obtain greater media exposure for its cause.

That being the case, it's absolutely vital that today's businesses have contingency plans in place to sit alongside prevention strategies for responding to the risk or occurrence of a major security breach or terrorist attack.