A heightened threat of terrorism, the increasing sophistication of criminal activity and a growth in ‘white collar’ crime are changing the way many businesses configure the security component of their risk management programs.
Companies are placing significant emphasis on security audits and risk assessments to identify their vulnerabilities and safeguard against potentially costly fall-outs from adverse events.
A number of industries, including tourism, aviation, public transport and health, have had advanced security and crisis recovery plans in place for some time.
So too have some larger companies, including those with major projects or offshore oil and gas operations, and private companies that own critical infrastructure.
The growing interest in security issues from business has prompted the Chamber of Commerce and Industry Western Australia to nominate security as one of its seven major priorities for the year, releasing a discussion paper in September on security and the threat to business continuity.
The paper’s author, CCIWA’s Anne Bellamy, said security threats could come from a number of areas, from a pandemic, bombing or natural disaster, to events such as fraud, embezzlement or sabotage.
Ms Bellamy said two threats that were more immediate, and received more publicity, were a terrorist attack and a flu pandemic, both of which, according to the CCIWA’s research, could happen in Australia.
“We’re not being alarmist, but we’re saying that the threat is real and it should be part of any business planning to ensure that if an event does occur, then business is prepared for it and has plans in place for continuity,” she said.
Although there is a growing awareness among business about the need to heighten security, the perception remains that Australia is a relatively secure country.
“Our perception of the risk may not be as high as the reality of the risk,” Ms Bellamy said.
“We would like to see that awareness grows even further, so that business is aware of the risk and at least gives it some consideration in normal business planning.”
Events that occur overseas usually trigger interest among local business, but the interest level is often relatively short term because incidents are seen as occurring in isolation and at a distance.
A global survey undertaken by Deloitte Touche Tohmatsu this year revealed that 95 per cent of participants had increased their security budgets since 2005 and, for the first time, business continuity management rated as one of the top five priorities for respondents.
Perth-based KPMG risk advisory services partner Mark Puzey said there had been an increase in the adoption of business continuity plans in recent years in response to various world disasters.
“Terrorism has certainly heightened awareness of boards that these things might happen, and there might be black spots in the business that they’re not taking care of,” he told WA Business News.
“People tend to think that it won’t happen to them, so it’s quite a challenge to get people to do enough.”
Mr Puzey said the most effective business continuity plans were those driven downward from directors and senior management, rather than those driven upwards from middle management, or as was often the case, from the IT department.
Director of Northbridge security consultants Amlec House, Chris Cubbage, said an organisation’s perception of risk was usually influenced by its own experience.
“It’s a bit like how people implement security in their home; generally they don’t put security in until after they get broken into,” Mr Cubbage said.
With a background in the police force and corporate investigations, Mr Cubbage, who lectures in security management at Edith Cowan University, said a good meter of an organisation’s security management plan was to compare it with their other management systems.
“It’s got to be as good as the other business systems,” he said.
“They’ve got to look in-house first; what’s critical to their business, and what’s going to harm their business.”
“If the business doesn’t survive in just general operations, how are they going to survive a terrorist attack? So we make sure those critical operations are secure and protected.”
Mr Cubbage said growing interest from business had prompted the expansion of risk management services offered by some major auditing and accounting firms to include advanced security advisory and business continuity planning, and the inclusion of security consulting as a value-add service by some engineering and property management firms.
He said there had also been an increase in the number of public companies seeking risk assessments, adopting a more proactive approach in monitoring misconduct and other potential security breaches.
But whether businesses can plan effectively for unforeseen events, whether from internal or external forces, is open to debate.
Glew Communications principal Philip Glew believes it is possible.
He said the best way was to formulate a risk management plan that incorporated a crisis response plan enabling the continuity of the business, and a communications program to deal with key stakeholders and protect the company’s reputation.
Based in Perth, Mr Glew said the risk of white collar crime – including kickbacks and graft, financial manipulation and insider trading – was increasing, with inappropriate business management and cultures driving some companies into ruin.
“Most larger organisations are at least half way prepared in that they have crisis management plans for events that happen to them,” he said.
“But they generally don’t have the same planning in place for the most common business crisis, which is generally an internally generated crisis.
“[They are] more likely to bring an organisation undone than terrorist attack, certainly in places like Perth.”
Businesses should identify their vulnerabilities and develop a stakeholder management plan.
“You need to get back to normal as quickly as you can, and that means you’re going to need support of key stakeholders to do it,” he said.
A good crisis management plan should also identify chains of command and an approval process for the dissemination of information.
“You can’t manage these events on the run – you need to have the manual at hand and everybody needs to know what they have to do,” Mr Glew said.