Nothing is more basic than effectively communicating. You can develop world-class policies, procedures and processes, but they must be effectively communicated. If no one has received any training on their individual roles, responsibilities and accountabilities relative to those guidelines, then those controls and systems are destined to fail.
The quality, frequency and effectiveness of training and awareness programs are key review elements used by many regulatory agencies, including OSHA, FDA, DOE, DOD, DHS, FAA, etc. We would be remiss not to mention regulations that can really come back and bite you, such as FCPA. The United States Federal Sentencing Guidelines also use a similar assessment of an organization’s training programs as part of the calculations for determining the level and severity of sentences handed down by Federal courts. Of course, we can’t forget the civil liability involved in legal actions. These civil actions typically result from instances where a company’s products or processes are linked to illness, injury or death of consumers, company employees, contractors and supply chain partners.
There are numerous formats and methodologies that can be used to develop and deliver training and awareness programs. These programs have evolved rapidly over the years. The most effective method of training used to be – some say it still is – direct one-on-one training. The other types of on-the-job methods involved watching and learning from someone who had mastered the process, or mere trial-and-error. Today’s computer-savvy society thrives in an environment where online training is delivered through Web-based, interactive serious gaming for education programs. Obviously, the key to any training or awareness program is how well individuals are able to grasp the information being presented, retain that information and then act upon any requirements for which they are individually or collectively accountable or responsible.
How many of you have witnessed, or have been the recipient (victim) of, the fire-hose delivery of important information during the on-boarding process (many HR departments call it “New Hire Orientation”)? This “check the box” mentality is frequently deployed by HR departments that are being measured on how quickly they are able to assimilate a new hire into the workforce. Further complicating things, many HR organizations have turned to internal subject matter experts (SMEs) to participate in “New Hire Orientation” to deliver key information relating to specific requirements that fall under the oversight of each SME’s organization. Once “New Hire Orientation” is completed, HR organizations typically leave it up to the hiring manager to sort out any issues and provide any enhanced training. But the hiring manager probably went through a similar “New Hire Orientation” and may not have any greater grasp of many of the key policies or changes made to the company’s policies, procedures and processes over the years.
Many companies do little, if anything, relative to providing any level of training to temporary help personnel, on-site service providers, or other vendors that are allowed access to a company’s facility without an escort being required. With companies in-sourcing more and more services and functions, it is vital to address this important area of insider risk. When providing guidance to non-employees, it is important to engage your legal department in developing focused and targeted training and awareness materials to avoid co-employment issues arising later.
The most effective training and awareness programs that we have seen are those that approach the subject in a holistic manner. Training and awareness programs aren’t like Ron Popeil’s famous “Set it and forget it” rotisserie infomercial. Effective training programs are both on-going and frequently updated to remain current and relevant. Consider requiring the passing of a test before allowing access to computer systems; utilizing changing awareness messages on screen savers; and deploying quarterly or semi-annual training on key company policies, ethical standards and regulatory requirements to retain access to computer systems and/or physical security access control systems. In other words, BE CREATIVE and KEEP IT FRESH!!!!
About the Authors:
Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm focused exclusively on corporate security. Prior to founding SMR in 1997, Brennan enjoyed a 26-year career in domestic and international enterprise risk and security roles.
Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused on the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity. He has more than 35 years of experience heading these programs at the executive level of three major multinational corporations and one mid-cap company in diverse industries.