Making it Work
Workplace security programs and protocols that can stop dangerous and damaging incidents before they happen
- By Tim Williams
- Mar 01, 2019
We only talk about incidents like mass shootings
when they occur, but for every mass shooting at
a concert, or every incident of workplace violence
we see on the news, there are dozens of
other acts that don’t happen—often because of
preventive security measures that were implemented well in advance.
For business decision-makers and their security partners, there
are few priorities more urgent than identifying potential threats to
people, property and proprietary information, and adopting mitigation
strategies designed to prevent those incidents from ever occurring.
Whether it is workplace violence, bomb threats, mass shootings,
opioids, internal theft, counterfeiting, supply chain security, natural
disasters, cybercrimes or a myriad of other damaging and violent
acts, the most effective risk mitigation security strategies all stem
from the same basic process:
- Get inside the minds of bad actors
- Identify weaknesses in existing security protocols
- Use those insights and information to conduct a security threat
analysis
- Design an effective security program to optimize protection
going forward
Here are the critical steps in driving that process forward.
Make an Assessment
The first step in any security plan is assessing the risk that could
impact a company, venue and/or business sector. That assessment encompasses both the Structural Risk, those risk factors shared by
all companies in a certain business sector or geographic area, and
Variable Risk, elements that are impacted by management decisions.
The best and most effective security audits are both holistic and
strategic in nature, assessing not just the big picture, but the small
details. Professional security audits are designed in such a way that
they identify the vast majority of threats and vulnerabilities in a
systematic and strategic manner. And while you can never discount
a true Black Swan event, a prepared professional can use their experience
and insight into familiar scenarios and tactics to inform
their analysis.
Harness People Power
While you can (and should) try and get into the head of those who
might want to harm your business or your people, it’s frequently
more effective to get into the heads of your own workforce. The best
way to do that is to make sure you foster a workforce where employees
communicate, and where people feel comfortable bringing safety
concerns and ethical issues forward.
If employees know there are programs and protocols in place they
can count on to safely, confidentially and appropriately address their
concerns, they are far more likely to come forward—especially when
they have concerns about an individual harming themselves or others.
A reliable reporting program also helps with situational awareness:
employees are more likely to be both vigilant and vocal if they
know that their enhanced situational awareness will lead to meaningful
follow-up.
You also need to make sure that different parts of the company
are talking to each other.
If the right people are talking to each other within the organization
(HR communicating with security to evaluate personnel risks,
for example) the majority of potentially volatile situations can be successfully
mitigated before becoming a problem. It’s when people don’t
talk that issues arise—and sometimes people get hurt.
So, while risk needs to be assessed and addressed programmatically,
the secret sauce is a committed, well-trained workforce who
takes safety and security seriously. They are the ones who will tell you
what’s wrong, where it’s wrong, and how it’s wrong: the single best
payoff for your security dollars.
Partner Up
While your employees are a good source of intel, they should not be
the only one. Complacency can impact their reporting since they can
become too familiar with their surroundings, failing to notice issues
that an outside source might recognize immediately. That’s why an
outside perspective is such an important step in assessing risks and
creating a mitigation plan.
Experienced security professionals have worked with many different
types of companies. This gives them a perspective that can’t be
achieved through internal security departments. Solutions created to
address risks with other companies can be applied to your company
by these professionals if a similar situation arises for the first time.
For example, you may have a disgruntled former employee that is a
risk to do harm to company personnel. Because your outside security
consultants have addressed this type of risk several times with other
companies, they can quickly help you create a plan that includes
preventative measures, communication and the involvement of local
authorities.
Data is playing a much larger role in risk management than in
the past. A consulting company should have a strong commitment
to data-driven decision making. They have access to benchmarking
metrics most companies don’t, and they have the perspective to put
those metrics in context. This is especially valuable for smaller and
mid-sized companies that often don’t have much, if any, of a security
infrastructure in place. Security organizations can consult, applying
their expertise and insights and creating new security systems, programs
and protocols; they can be used as a “liquid workforce,” bringing
in personnel to handle specific situations or scenarios as needed;
or they can even embed an employee as a full-time asset within your
organization.
Finally, security professionals can tell business decision-makers
hard truths: what you need to hear, not what you want to hear. That’s
essential, especially with large corporations. Hierarchies, org-chart realities
and relationships and corporate inertia can compromise communication
and decision-making. Unfortunately, an in-house security
executive may be less motivated to expose weaknesses in the company’s
security efforts, since any weaknesses that are uncovered could be
seen as reflecting poorly on the security department. An outside firm
typically has both the willingness and ability to point out—appropriately,
but assertively—what is and isn’t working and what needs to be
done improves safety and often saves money in the process.
Educate and Inform
Once you’ve committed to enhancing your company security, implementing
a clear and culturally acceptable workplace violence training
program is vital. The right educational program is empowering. No
matter what position they hold in the company, every employee wants
to know what to do in the event of an emergency. Reviewing and discussing
past security incidents is a great way to make this training hit
home. Every incident is unique, but they can all help learn from the
past and better prepare for the future.
Even the threat of a security vulnerability can disrupt business
continuity, impacting lives and damaging bottom lines. Bomb threats,
for example, are far more common than many realize, and the standard
response of immediate evacuation often isn’t the smartest or
safest move. Funneling employees out the front door actually creates
a greater opportunity for mass devastation if the bomb threat is real
and placed at that entrance. More generally, a company can lose millions
of dollars in lost productivity when bomb threats occur and
disrupt business operations for hours at a time while investigations
are conducted.
Talk the Talk
One often underappreciated aspect of corporate security is how effectively
companies handle the aftermath of an event. While clear
communication and public relations might seem like “spin” or “too
little, too late” in the wake of an event, strong crisis management
is enormously impactful. Productivity can drop precipitously after a
security breach occurs.
However, when employees see leadership respond to security incidents
quickly and appropriately, they are more likely to quickly
return to business-as-usual. The result is that you have minimized
downtime/disruption, avoided lasting damage to your brand and
business, and improved your chances of avoiding future incidents. A
big part of an effective response is coordination—knowing who does
what and why. In sports, we talk about playing your position and not
the ball, and it’s the same in business. Because whether you’re protecting
people, facilities or assets, the ability to respond is a key aspect of
your overall preparedness and security posture.
Working closely with a trusted and experienced security partner
who follows these basic guidelines and best
practices will go a long way toward creating and
maintaining an effective security program that will
minimize risks to property and personnel—and
stop dangerous and damaging incidents before
they occur.
This article originally appeared in the March 2019 issue of Security Today.