Remarks at the Launch of 'The Business of Resilience'
by Molly Webb
"Charles Darwin, the noted writer on security matters, wrote 'it is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change'.
When security is part of the daily rhythm and routine of a business that business is better able to respond to unexpected events, to manage its way through change and - most importantly - be able to take decisive action with confidence in its capacity to manage the intended and unintended outcomes, having previously thought carefully about the risks involved.
I will come back later to security being part of daily rhythm and routine.
Before that I want to address some of the questions that are posed by the launch today of the Demos report - The Business of Resilience. The report advocates a specific approach to security - as a management function - rather than a responsive and defensive approach which it suggests is still common across the business community. I agree with this view.
I would like to talk about the value that we place on security in Prudential; offer some views as to how security can play a role in business development; and what Boards should look for in their Head of Security. Finally, and most ambitiously, I will try to offer some views about measuring success.
So what value do we place on security?
I joined Prudential six years ago as Finance Director from one of the Big Four accounting firms. It would be overstating it to say that I had never heard of group security functions but I had certainly never worked with them directly. This gave me the benefit of no preconceived ideas and when after about a year it was suggested I take on responsibility for Group security from a retiring director I was very keen to do so. To me it seemed integral to my agenda covering as it does such topics as governance, reputation, resilience and cost containment.
There is a growing recognition that effective security management is an essential part of good corporate governance. This is especially true I think for the financial services sector which is so highly regulated and where we now have a capital charge for operational risk. We operate a model here that we call three lines of defence; others use it too. Controls are embedded into processes as a first line of defence; we have a committee structure and other monitoring controls as a second line of defence and thirdly we have internal audit whose role it is to examine the operation of the first two lines. Security's role is to ensure that appropriate controls are embedded in the first line of defence, to participate actively in the monitoring in line two, by membership of GORC for example. Unusually, and in exceptional circumstances, I would also see security as having a role in line three. In response to serious accusations raised against senior management as part of our internal whistle blowing procedures it would likely be Group Security that would be charged with the task of investigation.
Secondly some words on reputation. A relationship between effective security management and reputation is well understood and works in a number of ways. Badly handled security that is not cognisant of local sensitivities has been shown to damage reputation time and time again. Secondly, poorly managed security incidents can escalate quickly and damage a company's reputation with stakeholders and shareholders. The incidents themselves are not necessarily damaging - many studies have shown that companies fare better after an incident if they handle it well as it reassures shareholders of the quality of the company's senior management. Certainly one of the things that I am very proud of is the way we have managed our response to natural events. We have had operations in California affected by forest fires and in Florida many times by hurricanes in recent years. Our customers will however never have known that we were operating under contingency plans. That is to me a measure of success.
Next resilience. The role of security is not just to protect a company from threats whether they be generated by natural events, terrorism or organised crime. Properly integrated and proactive security can increase a company's resilience to change more generally. The processes and approaches that underpin effective security management increase the capacity of the organisation to adapt. This allows it to steer itself away from unexpected problems and respond to new opportunities when they arise. We learnt from our experience of operating in Northern Ireland and Florida in making the detailed plans for our operations in Mumbai that support our UK business. These were tested in the extraordinary monsoon season of 2005 (a metre of rain fell in 24 hours) when our operation was down for less than 12 hours and operated for several days rather like Noah's Ark.
Cost containment - when there is a good fit between security and the rest of the business it can be managed in an integrated way as part of the daily practices of all employees. I will talk about this again later but it is my point about building security as the first line of defence. Security that is tacked on as an afterthought is like any process that is inspected in rather than built in - it is one that increases costs. Again thinking about Mumbai, security was involved in early planning about property, and IT configuration, to ensure continuity of service and to address data protection issues.
Security helps with decision making.
So the second main question - what role should security play in business development? How do you shift the mind set within corporate security departments and among the senior management teams within them? I don't see security as a back of house function keeping undesirables out of the building. If integrated in the right way it can generate significant value for the company and be a major asset in new business development. As one Head of Security comments in the report - "we want to be the grease not the grit".
So linked to my comments on value I see security as having three roles in business development:
First, pre-investment work looking into new markets in time to ensure that the company can operate effectively without unexpected surprises.
Secondly, ensuring that security is built in - it is involved at the design and implementation stage to ensure security is built into rather than added on to the way the business operates.
And thirdly it addresses adaptive capacity. Security helps to ensure that the operating model is responsive to the changing business environment. This in many ways takes us back to my comment about resilience.
So to fulfil this what should the Board be looking for in its Head of Security?
It is a far cry from the traditional approach to corporate security as John Smith here would characterise somewhat crudely as the guard on the gate, a guard perhaps portraying his origins by his brightly polished footwear. I would describe it as a proactive, forward-looking and business-critical function which is involved with taking the business forward and which will require a number of qualities. Many of these qualities are also recommendations made in the report that I would endorse from what I have seen here.
Security experience is still important. I certainly value the quality of the external networks with government, police, security services and so on that come with this experience. It is right to recognise that security professionals and Board directors are likely to have operated in different worlds. This is not about, as the report describes it, the dark art of security in which presentations are littered with Le Carre like clichés but rather recognising the complementary value of networks.
Leadership and the ability to operate at the highest level in the company is critical too, not just for the Head of Security. I would expect any of his direct reports to be able to present confidently about their area of expertise to the Group Audit Committee for example. The Head of Security must be able to influence change among senior management and inspire trust and confidence among the company. Business acumen is essential too. Security departments must understand what makes the business tick and take their lead from this rather than simply the external threat assessment. Financial services firms are not alone in having a risk based approach to management and security functions must be able to operate comfortably within this model of risk assessment. There is no room in my view for security purists in the corporate world and I note that the survey suggests that the current level of those surveyed has a relatively low level of general business experience that I would expect to increase over time.
Finally here I would say that collaboration is critical to business aligned security. If the security department is to get the buy-in and involvement of staff right across the company it needs to be run by people who are committed to collaboration rather than instruction.
Command and control approaches to management in the corporate world were modelled originally I think on the 19th century civil service, certainly Prudential's was. They are rarely encountered today other than in major incident management when that approach may be appropriate. This probably does affect the degree to which people coming in to security may need to adapt, although I probably betray here my own ignorance of the organisational models from which security professionals are often initially drawn.
All of what I have mentioned has consequences for the Board too. They have a part to play.
It is essential for somebody at Board level to have responsibility for security and to ensure that he is available to the Head of Security at all times. Saturday morning football with my son has been interrupted to hear about the consequences of teenage joy riders driving into one of our call centres.
I hope this shows that here, our Board takes an active interest in security matters, and appreciates the value it can add to the business and is willing to have a champion within the boardroom.
I said at the outset I would try and offer a view on how you measure success and it is a personal view. On 7 July last year one of our employees who had just left Liverpool Street station heard the sound of what he correctly judged was an explosion beneath him. He was not on one of our security teams but his first thought was to call in to our incident management team and report the matter. Our team then began to invoke our incident management procedures somewhat ahead of any official notification.
To me this was the best measure of the way we have succeeded with our security agenda. First it proved that we had generated awareness of security matters widely throughout the organisation, and secondly we were confident enough to act on the information that we had been given by an untrained employee who happened to be on the scene. As the Demos report says security is achieved through the everyday actions of employees right across the company. While I hope constantly that we will not need to test this maxim again I know only too well that we will."