This article aims to present a new model of security intervention for organizations, where the conception of protection is maintained but demonstrates that security is an alternative of contribution and tangible benefit for organizations.
By Eduardo Alfredo Rueda Lemos*
Historically, the trend of security in companies has been to prioritize external threats and infrastructure security. Today this conception has shown that some results can be obtained. However, one of the biggest complaints of entrepreneurs, in terms of the control of expenses in organizations, refers to the lack of clarity about the value that some costs bring to the corporate purpose of their companies.
Security is an issue that is part of the list of high-cost intangibles, a concept that unfortunately is strengthened by the premise put forward by most security service providers, when they emphasize that they are of means and not of results, trying to avoid responsibilities when they are required and evaluated through management indicators, that they should demonstrate with figures that they are more of an investment than a cost; it is for all this, that we are called to think of a model that can demonstrate its process, evolution and impact.
For this reason, in this article we intend to present a way to demonstrate how security can become an asset that adds value, with tangible, measurable and auditable benefits, and that in turn can be presented to a Management with a new conception, where corporate security ceases to be thought only as protection in itself and is enriched in terms of contribution and benefit for companies.
The proposal is to observe more acutely the internal threats and emphasize the security of the processes, identifying risks and proposing measures to close gaps, such as the best way to impact on the functional structures of our organizations, expanding the spectrum of our intervention in a transversal way to the business and actively participating in the achievement of corporate objectives.
Some of the benefits translate into a better relationship with the authorities, an increase in collective actions in the prevention and control of antisocial risks in the geographical sectors where operations are carried out, as well as a control of the identification, entry and circulation of people and vehicles in the organization's facilities.
To achieve this, we must change the traditional way of doing things and opt for the application of new models that allow managing risks and safety, which is nothing more than the intervention of these risks, to modify their existing generating conditions, within a perspective of reducing them.
This new model is generically called Risk and Security Management, which is an administrative tool capable of interacting with the rest of the company, through related elements or processes, which facilitate and order the opportunities for improvement through actions and procedures planned and organized to obtain results of prevention, protection and control, under a process approach.
The procedure begins with the identification of scenarios and threats, in a thorough analysis of risk assessment and assessment. Once this information is obtained, we can anticipate its materialization, knowing the frequency and consequences, determining the impact on the critical functions of the company.
In the same way, the knowledge of vulnerability analysis also allows us to complement information on: possible threats, areas and vital processes; when the questions have already been resolved about: What should be protected?, From what?, From whom?, Against what? and How will we protect it?, you can already elaborate a proposal of measures to be taken or select methods of prevention, protection, control and sharing.
This first part is part of the traditional conception, which is always carried out, but the new model enriches the process at the time of design and intervention to risks and threatens integrating security criteria in decision-making in all corporate areas, as it happens in the financial, in the computer and others.
The steps to follow fit any management or continuous improvement model, although for our example, we opted for the PDCA Cycle, known in Spanish as PHVA (Plan, Do, Verify and Act).
In its order with the H (of doing), corporate security policies are elaborated jointly with the management of the company, which reflect its objectives and purposes, being the fundamental to direct and support the security management, through the issuance of standards and guidelines, which allows the management to control the employees, in security decision-making; implement human, technical and technological resources.
In the H (of doing or implementing), an action plan is elaborated, embodied in a Corporate Security Plan (P.C.S.), through which we can intervene the risks, through actions of foresight, planning and intervention and with the implementation of prevention, protection and control measures, and even participation in rehabilitation.
In the V (verification), daily supervision tasks are carried out with a routine approach to verification of logistics and periodic inspection approach, to validate and verify operational compliance with the provisions of the Plan (its programs, protocols associated with the service and the occurrence of incidents); in this phase of the Cycle, an Audit process is also advanced, which will allow us to verify a fact and report on compliance with the established rules and procedures.
In the fourth and last step, that of the A (known as Audit, Act or Improvements), the implementation plan of all the identified measures is advanced, the taking of corrective, preventive, control and improvement actions; here the audit of the process is carried out:
- If what was planned was implemented (P – H)
- If what was implemented was reviewed (H – V)
- Whether what was reviewed was maintained and/or improved (V – A)
The management review of the initial risk analysis, versus the current one, is carried out to demonstrate how and to what extent the plans and programs intervened and managed to modify the generating causes of said risks, allowing to reduce their levels of frequency and severity, using management indicators for them.
At the end of the cycle, the results are communicated and the impact of the improvements on the proposed objectives and goals is checked, in order to re-propose new ones; these changes obtained and continuous improvements on our levels of risks and security is what we call management and is the only means that allows us to finally present to senior management, results that translate into an asset that finally generates tangible benefits and that allows our security systems to be fed back cyclically, adjusting for the emergence of new risks, new threats or simply new objectives in reducing the incidence and probability of their materialization.
In a conclusive way it can be evidenced how this new model, in addition to proposing a new way of integrating actions and procedures in security, allows to lead to tangible figures and indicators, and give the preventive and control action developed by the surveillance contractors a specific value for the use of technological means applied to security and in the process demonstrate to senior management the real value of the contribution of security in the fulfillment of the strategic and operational objectives of the organization; A goal that every security executive should consider in this postmodern era.
* Rueda Lemos is cPP, South American Security Analyst of Seguros S.A., with Specialization in Risk Management and Insurance University of EAFIT. If you want to contact the author write to the email: [email protected]
