We spend a lot of time with clients who are trying to gain a strategic perspective on their corporate security program. Many are global in scope – and as the RAND Corporation points out, carry special implications for corporate security. Some have national or regional footprints. But among the most common threads are complexity and risk. Think of this as the “satellite” perspective. Get above your challenges and you’ll gain some crucial insights into how to solve them.
These corporate teams are confronting growing complexity as security spend continues to increase or as unmanaged risk begins to capture more and more attention on the part of the enterprise’s risk management leaders – the CEO, Board, Security Committee, Chief Risk Management Officer, Chief Security Officer or General Counsel.
“How should we balance global standardization with local customization?”
This is one of the common questions we are asked by client teams that have an experienced track record in trying to integrate their security operations across multiple businesses, regional operations and security budgets dedicated to specific products or services. It’s also a question we pose to client teams just beginning to think about how to rationalize security investments and align security with their business’s most strategic objectives. Maybe an example would help. We recently advised an enterprise client that their single greatest challenge in establishing a high-performance, strategy-driven, global security organization was the need to determine:
- Standardization: When, where and which security policies, practices and capabilities should be standardized across major division, business models and geographical locations, and
- Customization: How much flexibility and independence can and should be left to the discretion of the client’s respective management and security organizations.
We didn’t mince words. “Capturing measurable business value on both sides of this issue isn’t just possible, it’s imperative,” our final report emphasized.
“The benefits of standardization are clear. But what about customization?”
“We understand global standardization and its merits,” our client partners said. “Common standards and policies. Integrated procurement. One view across spend. But what drives the benefits of a location-specific approach, where one is merited?” The answer depends, we explained – as is generally the case in our line of work. On big-picture drivers like business model and industry-specific practices. But from a security risk management perspective, we commonly encounter four security trends of note:
- Differences in Security Challenges and Priorities: There are sometimes significant differences in budgeting requirements based on disparate security needs at various locations. For example, development centers tend to have different needs than manufacturing sites – activities that raise security issues not relevant to both operations.
- Differences in Risk Levels: It is one thing to enhance supply chain security measures, purchase video monitoring cameras and automated access control card technologies. It’s another to save lives in the workplace or protect products with real-time intelligence and decision-making support. Risk is sometimes a local issue – and on-site security personnel require flexibility in their mitigation options.
- Differences in Urgency and Timing Considerations: A prevention-oriented approach to security risk management is vital and takes time – training personnel, liaising with first response organizations and updating plans. But ensuring that a global capability exists to respond to a “missing traveler” alert and find that person in a remote area of the world is a very different assignment.
- Differences in Laws and Regulations: These vary – sometimes widely – across international, federal, state and local jurisdictions. The critical issues often relate to matters such as privacy; workplace protection; notification of authorities; and the use of particular types of weapons by security personnel.
These are important differences
Some are easy to address – either by allowing a business division latitude in customizing a local approach or by applying a common enterprise-wide standard. Others are more complex and take time to address. The good news is that many enterprises – even those with a decentralized business model and multiple divisions – have encountered these challenges before and successfully established global security organization functions that are world class.