How to Secure the Global Enterprise
“We are like many global companies: we are chasing business in many countries, but we won’t establish a presence if the risk/benefit analysis does not work,” says Dave Komendat, Vice President & Chief Security Officer, The Boeing Company. “At the same time, the key for our security operations is to be business enablers. Our organization wants to be anticipatory with our business acquisitions, and we want to have boots on the ground early. So in Security, we have to go back to our business partners and either tell them that it’s safe to establish a business in a certain region, or clearly explain the risk. That’s why we are out there doing what we are doing. As Boeing is set to celebrate our 100-year anniversary in 2016, international growth is imperative to future long-term growth and success. We cannot be a US-centric based operation.”
Komendat, with Verdonn Simmons, Boeing’s Senior Manager for International Security Operations, has developed a global security policy that includes a proactive strategy and process for identifying and standing up security measures in other countries. Boeing has more than 173,000 employees located in 72 countries, including the U.S., UK, Russia, Dubai, Singapore, Japan, Amsterdam, Australia and India.
Boeing’s security operation has regional security managers, who Simmons says have to “be jacks of all trades” because they represent elements of the security operations that are employed in the US in addition to the practices that are unique to the international environment in which they work. “We matured over the years,” Simmons notes. “At one point we had a large expatriate deployment. Today, our model is to hire locally with talent that brings the cultural understanding and knowledge to better support our operations. We attracted and retained professionals with local skill sets, in addition to relationships with local suppliers and intelligence agencies. That local piece for us has proven to work well.”
Still, there are challenges. “One of the challenges is integrating that local skill set into the Boeing system,” Komendat notes. “Verdonn’s leadership team spends a lot of time integrating those professionals into our organization so that we can maximize the value we get out of them. The other challenge is that the world is shrinking, and Boeing continues to look for business opportunities. But with those opportunities comes significant risk.”
Boeing also employs a robust supplier management program, which entails soliciting bids from a variety of vendors, tracking vendor progress and keeping them on a list to be used at any time. “Some of those vendors are intelligence providing companies, some are crisis intervention to help us extricate people out of countries,” Simmons notes. “But they are held to our internal security standards.”
“Our security standards and security management system has been in place for many years. It’s the ‘Kinross Way’ for security,” notes Mike Osborne, VP for Global Security for Kinross. The company, with headquarters in Toronto, has active mining and exploration of gold properties in North America and internationally, including South America, Russia, Africa and the U.S. Each mine site has a security organization in place that is overseen by regional managers.
“Our security management system has been in place for years,” Osborne explains. “It’s risk- and threat-based, and the threats in the U.S. are different than the threats we see in Brazil, so each site conducts quarterly threat assessments using a vulnerability assessment tool and the security teams design their security measures around the threats. Our philosophy is that we protect pencils like pencils and gold like gold. Our efforts are focused on our most critical assets.”
One of the biggest challenges in those vast and varied locations, Osborne says, is trying to install “the Western values and laws that we are held accountable to in these countries. A lot of times people in those locations don’t care or don’t understand that we have to follow anti-corruption laws, for example. In some cultures that’s how they’ve done business for thousands of years. But we can’t do business that way.”
Osborne says that he is most proud of how his security team works with public security forces, whether it’s the police or military. “We also have good compliance policies,” he says. “Getting those entities to understand those requirements was a big challenge at first, but I am proud of how our regional teams are in full compliance.”
Stevan Bernard, Executive Vice President, Corporate Safety & Security, Sony Pictures Entertainment, says that he uses a model that defines the world in three regions: EMEA, Americas and APR. “Although our core operations are based in Culver City on the Sony Pictures Studios lot, we also have staff in Hong Kong, London and New York,” he says. “Our approach also includes efforts to educate and engage capable and trusted employees from departments outside of security (IT, Finance, legal, travel, etc.) to supplement our efforts in locations where we may not have a lot of personnel on the ground, and my department provides expertise and support, and establishes a strategic direction with policy, standards and even protocols.”
Bernard employs a converged model that includes the protection of people, information and physical assets operating daily in every corner of the world, he says. “For example, we handle a wide range of issues such as information security, physical security, environmental, health, fire & life safety, production safety, BCP, talent protection, special events management, content protection, sustainability, travel safety, medical and more. To ensure efficiency, many of our staff have multiple responsibilities, and they must work across many of these roles. There is also a significant difference in your effectiveness when you have staff members more embedded in region. Not only due to time zone issues but more importantly in relationship building and trust among the many customers we serve.”
The biggest challenge that he faces, he says, is that “Today, both movie and television productions are increasingly global. A major theatrical production may involve the temporary engagement of hundreds of staff who may film in many international territories over a several month timeframe. In each instance we are faced with unique differences including cultural and legal. We get involved early; we assess risk; we participate in location scouts, and we become active partners with the production teams. Careful planning and open communication help us ensure that safety issues are addressed.”
One of the tools that Jack Sullivan, Global Director of Corporate Security for Dunkin' Brands, Inc., is using is Recorded Future, which organizes the future, per se, for data analysis. Using the data from Recorded Future, Sullivan can learn more about what’s happening around the world before it happens, so that he can be proactive with his security decisions. Dunkin' Brands is going to engage in these countries, Sullivan notes, and he wants his Security operations to be a business enabler. More companies are employing analyst teams within security to keep an eye on geo-political situations and the “weather” across the world. “Even corporate PR departments keep an eye on social media to ensure no bad customer experience goes viral. These tools can help us keep an eye on things. The data is too much for any one analyst to get their arms around, so with this software we can cover a lot more territory. It also helps me with resource allocation and to forecast budget spend each month,” Sullivan says.
The software continually scans tens of thousands of high-quality news publications, blogs, public niche sources, trade publications, government websites, financial databases and more. From these open websites, it identifies references to entities and events. “We detect time periods, when the events are predicted or reported to occur. Each reference links back to original source and is scored with analytics including positive and negative sentiment,” says Dr. Christopher Ahlberg of the company. “You can explore the past, present and predicted future of almost anything in a matter of seconds. Our analysis tools facilitate investigation of temporal patterns and better understanding of complex relationships.”
“You could equate it to talk surrounding when the iPhone is coming on to the market,” Dr. Ahlberg adds. “And we have a 97 percent success rate.”
Black Swans, an Extreme Security Risk Beyond the COSO/ERP Framework
By Prof. Patrick O. Connelly
The global marketplace continues to suffer in the wake of continuing streams of challenging events, often unanticipated and as often poorly hedged. The common perception of a solution seems to be remediation and moving on.
These exogenous events have taken the form of political transformation, such as the Arab Spring, and natural disasters, such as the devastation in Aceh, Indonesia, and more recently in Fukushima, Japan. They have ranged beyond these to include computer system invasion by hackers focused on massive disruption in control and process management.
The segment of enterprise risk that is not “ordinary course,” together with its systematic recognition and impact, has commonly been referred to as a “Black Swan.”
What exactly is a “Black Swan?” The event has been characterized as an economic event, not generally predictable or even identifiable using traditional Enterprise Risk Management (ERM) processes, and which introduces serious consequences into the enterprise business risk model.
The incidence of this type of risk has increased due to the growing global impact of:
- geopolitical trends
- economic trends
- regulatory trends
- trade volatility
- technology changes
- environmental conditions
- events of terrorism
- historical focus on internal risks and solutions, “known risks”
- lack of expertise and experience in assessing external risks
The key issue remains: How effective is an entity – individual, enterprise, or country – in its preparation for and in addressing such events and their potentially catastrophic consequences? Past experience in enterprise analysis has demonstrated that most have a reasonable ability to identify and address internal enterprise risks, typically (but not exhaustively) including default risk for nonpayment of undisputed debt, failure to provide trained support or proper succession, etc. In order to address these risks, however, the entity MUST be able to identify, quantify and appropriately hedge the potential event. Yet as our enterprises continue to globalize, they become more susceptible to “Black Swan” events. This brings consequences that transcend normal security and risk management processes but fall squarely within the scope of enterprise corporate governance and risk management influence. Therefore, the introduction of more creative solutions to this risk is demanded.
The sense of urgency in response to a particular risk depends upon the probability of occurrence of the event. In order to properly deal with Black Swans, enterprises should make a clear distinction between those risks generally identifiable and whose probability can be estimated (and hedged), and those unknown or unexpected risk events wherein the probabilities remain equally unknown and planning must take the form of scenario analysis.
Fundamental risk management practices include a consideration of the sources and flows of critical product supplies to the enterprise. The series of events across time, wherein orders are placed and product is delivered (and the debt extinguished), is the substance of the relationship and the source of customer loyalty and enterprise profit and market differentiation.
Under a fairly standard risk protocol, the enterprise manages the bills of material of its most important product through a network of purchases from diverse sources, thus reducing the impact of a failure to supply from any one of Supplier 1, 2, 3 or 4, or any two or even three suppliers.
Purchasing organizations regularly monitor the “fill rates,” or provisioning of orders placed, to maintain a suitable mix of suppliers and assure product availability as required. In most organizations, this represents sufficient action and has historically been deemed adequate to assert business control over the process.
It is clear that not only are the relationships at risk, consistent with customer practice, but the communication links between and among these units may be subject to breach with significant impairment, even chaos ensuing. Systems risk in trade must be given high priority. When creating a scenario of risk, reviewers must integrate the risk of impairment at every systematic point of contact.
In preparing for a scenario analysis, participation should include seasoned leadership and management, as well as experts with the ability to propose creative solutions. Types of issues to be considered include:
- What types of event may be possible?
- What events are the most probable?
- What is the probability that a Black Swan scenario/event may occur?
- If such an event occurs, what are the ramifications?
- Given these potential ramifications, what are possible enterprise responses?
- Challenge common assumptions.
- Identify dependencies and interdependencies.
- Given the proposed actions, what would be the impact upon the enterprise under different decision scenarios:
- Would such a response service other problem scenarios?
- Define a systematic safety and communication strategy to distribute information quickly and effectively.
- Document the results in a Scenario Guidebook
Preparation for the Black Swan scenario discussion requires establishment of a structure, an audience and a scenario framework. Generally, the scenario process evolves as follows:
I. First create a diagram of the complete enterprise value chain, both:
II. Include all relevant stakeholders in the value and supply chain:
• Providers (banking, trade credit, information resources, utilities)
• Third party providers (finance, analytics)
III. Discuss Black Swan issues from all facets of enterprise relationship
• Determine dependencies
• Identify interdependencies
IV. Establish the Black Swan “playbook” in which to memorialize the strategies proposed for given events.
V. Introduce the WEF Global Risks Report as a feature of the scenario analysis to assist in the identification of Black Swan issues.
Understand that risks in Tier 1 (that which directly interacts with your firm) and in Tier 2 (that which impacts suppliers and providers) both create events that directly impact your firm’s ability to satisfy its objectives. As the elements and relationships are defined, it is important to question historical assumptions about the impact of certain risk events on the current business model. In addition, the types and extent of information shared and the basis of that sharing, encrypted or not, should be a major consideration.
Introducing scenario analysis into the enterprise risk management framework involves enabling the enterprise board and executive team to assert a level of integrity and protection not generally found in enterprises. Therefore it represents a more prudent investment for stakeholders. The potential to test alternative assumptions under conditions of uncertainty will enable a level of experience for the participants and a resource for preparing the enterprise should such an exogenous event occur.