South Carolina Businesses: Understanding and Managing Risk
Mar 06, 2018 02:13PM ● Published by Emily Stevenson
International Business Professor, Darla Moore School of Business / University of South Carolina
What do the words “corporate security” mean to you? Does it conjure images of your IT support standing watch over your firewall? Is it the security guard at the gate? The identification card you use to access your facility? Or is it something more? Following the old adage that a chain is only as strong as its weakest link, corporate security should be viewed similarly. A security program in your firm has to be comprehensive in nature. Likewise, security cannot simply be relegated to a few employees. Every employee has a role to play in ensuring the overall security of your firm. So where do we even start?
First, we need to consider security from a comprehensive view. Security is more than gates, guns, and guards – although physical security is certainly one component of it. Corporate security also includes:
Compliance and Ethics Programs
Crime Prevention and Detection
Business Continuity Planning
Environment, Safety, and Health Programs
This list is not all-inclusive and the robust nature of each individual component may vary depending upon many factors including the size of your firm, location, industry, or even the types of chemicals you store. Regardless, all companies in South Carolina need to think about how each of these fits into a larger security program.
But first, why security? The economic arguments for and against a comprehensive corporate security program have been around since those first trading caravans carried clubs to ward off predators (both human and animal). How much security is enough? Where do we apply our limited resources to ensure some degree of security while not inhibiting the firm’s ability to function? Which side of the corporate balance sheet do we assign security-related expenses?
Even within corporate security there are various schools of thought as to the fundamental role of security in the workplace. Should security protocols be enacted that serve to prevent an incident from happening in the first place? Rather, should the security steps assume that “something” happening is inevitable and, thus, the real focus should be on mitigation and cleaning up the mess afterward? Or, is comprehensive security more of a hybrid of those two extremes? Whichever side you espouse, all of it starts with a simple concept: understanding your risk. Thus, knowing the risk you face will help answer some of these aforementioned questions and guide your corporate security programs.
Risk is often defined as having three distinctive components: threats, vulnerabilities, and consequences. Let us start with threats. If you were asked to create a list of potential threats facing your firm, how long would that list have to be? Chances are, you might develop a list with several obvious threats. Upon closer consideration, however, we realize that the number of threats is nearly infinite. How can we possibly understand every threat facing us at any given time? Could the security managers of the World Trade Center have foreseen that 79 cent box-cutters would be used to hijack aircraft on 9-11? This is not to say that building a list of potential threats is not prudent. It is prudent, but we must reserve a space on that list for the unforeseen. Someone who would do us ill is not limited to the obvious choices. In addition, if we were to draft a list of potential threats facing us, we must avoid the trap of simply listing man-made events. There are a host of natural phenomena as well which may be more likely to affect us and have even more potential for economic devastation. Hurricane Katrina, the single worst natural disaster in U.S. history, left a path of wanton destruction across multiple states. So developing a list of potential threats is prudent even though we recognize that it may not be 100 percent complete.
This reinforces the need for relationships beyond our normal B2B partnerships. For example, South Carolina has a robust network of county Emergency Management (EM) officials. As a businessperson who works and lives in the state, engaging with these officials and building relationships prior to an event can have multiple benefits in the long run. The South Carolina Emergency Management Division and the county EM offices offer a great deal of potentially helpful information to the business community. Through the South Carolina EM network’s internet sites, workshops, and training opportunities, these are potential resources that South Carolina businesspeople can use time and again.
Speaking with a local EM official in preparation for this article, he mentioned that he routinely meets with businesses to coordinate planning and responses to potential incidents, and helps with continuity of operations planning and a host of other beneficial programs that can help the private sector’s overall preparedness.
In summary, a comprehensive corporate security program is built on a foundation of understanding risk. The three components of risk as mentioned earlier are threats, vulnerabilities, and consequences. Whereas this article focused on developing an understanding of threats, next month we will consider vulnerabilities and consequences and how assessing these in light of potential threats all lend themselves to a stronger and better prepared business community.