Every firm must have a system to manage risks - and crises

 

Would your business be able to cope during a Crisis?

 

Risk management should be an integral part of every company's strategic planning. Anticipating the threats and minimising the risks are the hallmarks of good business. As organisations establish networks that cross the globe, they become more vulnerable. Companies of all sizes find themselves doing business in markets where information is less accessible and less reliable. 

Even in the UK, reliable information that can influence decisions is sometimes hard to find. But I am continually surprised by how many organisations have not integrated this factor into their strategy. 

 

Companies enter deals without having conducted comprehensive due diligence. They fail to protect their information from competitors. They give a nod to anti-money-laundering regulations, but consider them a burden. And they think terrorism is something that happens to others. Every company faces a number of unique threats and has its own specific vulnerabilities. But every business will also find that it operates under the same two basic rules: one, if too little has been done to identify vulnerabilities, then the business will not cope with the difficulties it encounters; and two, when a business doesn't cope with difficulties, its senior management is held to account. 

 

I recently addressed a group of Scottish business leaders and discovered the increasing threats and worries in Scotland. We discussed the following questions: How confident are you that those within your organisation can be fully trusted? How confident are you that mechanisms are in place to prevent individuals within the organisation damaging the business? Do you have the right mechanisms to spot malpractice early? 

 

Figures from KPMG show the value of reported fraud in the UK in 2005 was £942 million, with management-level employees responsible for £421m, the same figure accounted for by organised crime. Employee fraud happens for a number of reasons, the most common being to finance extravagant lifestyles or pay off debt. However, the uncertain future of the pension market, frequent lay-offs in large corporations and greater job mobility mean that employees are now, more than ever, seeing corporate fraud as a form of insurance against future losses. The growth in employee fraud has led businesses to take steps to protect their assets by employing corporate security firms that work in tandem with forensic accountants. 

 

We are employed to find the chinks in the armour of security systems, whether physical, technological or personnel-related. Experience shows that it is very difficult to commit a major fraud without internal help. However, corporate fraud and espionage is not always about theft of funds. Employees can walk out with intellectual property, client lists and pricing information and deliver them to competitors for money. Companies need to work harder with accountants and corporate security firms to devise strategies to prevent employee fraud. These measures can include anything from CV-checking to ensuring that loopholes in security and IT systems are closed. Those IT systems have of course brought us all huge benefits, including massive efficiencies in business. But for every benefit that IT offers an organisation, there is added vulnerability. 

 

Companies face several threats through their IT infrastructure, from simple malicious damage through to theft of the organisation's data. People outside the organisation can get into internet-based networks by targeting websites or e-mails or through other means. Once in, they can alter, steal or destroy data and can plant malicious bugs. Of even greater concern, external entities can also gain access to internal networks through ill-secured firewalls, modems and other means - for example they can get in through using stolen or lost company laptops. And once into an internal network, it doesn't take an IT expert to imagine the damage that can be caused to a company. 

 

A few years ago the threat from al-Qaeda-type terrorism seemed quite distant for many in Britain. In 2005, the 7 July attacks - and the attempts later that month - brought the reality home: al-Qaeda terrorists are operating in the UK. But what does this threat mean for business? And particularly, what does it mean for Scottish businesses? The threat of terrorism has no geographic boundaries. It is definitely not just focused on London. And as London presents an increasingly difficult target, the terrorists will seek more vulnerable options elsewhere. 

 

The July 2005 attacks showed al-Qaeda's continuing focus on transport, and I have no doubt, for example, that Scotland's airports have been considered as potential targets. The terrorists are also focused on the energy sector. Osama bin Laden and others have regularly urged their followers to attack oil and gas facilities. Think what that means for Aberdeen: more than 40,000 people directly employed in the industry; a city with one of the highest GDP-per-head ratios in the UK. If we feel the effects of a small attack on an oil tanker off the coast of Yemen, imagine the impact of an attack on the industry here in Scotland. And it seems that the terrorists who are willing to carry out these attacks come from within our own towns, cities and communities. 

 

The case of James McLintock - who became famous as "the Tartan Taleban" - showed how a person from a perfectly ordinary background could find themselves in the presence of some very dangerous and influential individuals. He didn't subsequently turn to terrorism - but others do. And they return to the UK to do so. In fact, they are often ordered to. And we shouldn't underestimate the broader impacts of this threat. What processes does your company have in place to ensure that staff can cope with the psychological and emotional aspects of terrorism? Are tensions and divisions likely to emerge within our diverse workforces? What is your role in reassuring staff? 

 

An effective crisis management programme is imperative in this day and age. Shareholders are increasingly demanding that companies demonstrate what processes and procedures are in place to mitigate these risks, and boards are expected to take a close interest in the detail. Ultimately, directors will be held to account. 

 

Sir John Stevens, or Lord Stevens of Kirkwhelpington, was Commissioner of the Metropolitan Police until February 2005, and is now chairman of security group Quest. 

 

 If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please call on + 44 (0) 208 993 1599.