Security is a corporate governance priority

by Graeme Mickelberg
13/08/2008

Making sure your organisation complies with its corporate governance responsibilities means ensuring that security is part of the mix. Graeme Mickelberg has the story.

No matter what legitimate activity an organisation is involved in, there is an expectation that owners, directors and managers will fulfil their corporate governance responsibilities.

Legislation has been enacted by federal and state governments mandating governance requirements for workplace health and safety and financial management. Such requirements may also be supported by prerequisites stated in relevant Australian standards.

In addition to compliance with Australian legislation and standards, some businesses and organisations will also be required to comply with international standards and legislation that mandates governance requirements when operating in particular countries or with companies from those countries.

The Sarbanes-Oxley Act, which was enacted in the US, the International Ship and Port Facility Security Code and ISO 28001, Security Management Systems for the Supply Chain, are examples of international legislation and standards that address security requirements relevant to corporate governance responsibilities.

The corporate governance responsibilities of the owners and directors of businesses, and of persons with management responsibilities in organisations, include responsibilities that relate to security.

Security responsibilities

The extent of such security responsibilities and the emphasis being attached to security has changed substantially in recent years. The 9/11 terrorist attacks and other subsequent acts of terrorism have resulted in international and national legislation, Australian standards and industry guidance focused on security.

The Commonwealth Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Victoria's Terrorism (Community Protection) Act 2003, HB167:2008 Security Risk Management and a range of security guidance released by federal and state governments are examples of the response by Australian governments to security threats. Implicit within such legislation, standards and guidance are corporate governance responsibilities to ensure the security needs of businesses and organisations are addressed.

The impetus for the increased focus on security has been terrorist attacks. Although the benefits of enhancing security to protect against other security threats are recognised, many businesses and organisations consider that they are not terrorist targets, and so security has not been accorded the priority it needs. The result has been a lack of meaningful changes to security measures to protect against non-terrorist security threats.

The safety of people and property, sustaining the continuity of business operations and facilitating business recovery should underpin the corporate governance approach to security.

Key corporate governance requirements

Key corporate governance requirements for owners, directors and managers to implement include:

* corporate security policy. This policy should be endorsed at the highest level within the business or organisation and should state the primary objectives of security as they relate to people, property, business continuity and recovery. The policy should also address arrangements to benchmark and measure the effectiveness of security, including relevant Australian and industry standards.

* corporate security plan. A corporate security plan should allocate security responsibilities and requirements for managers, employees and contractors. Procedures that relate to physical security, information security, security awareness training, incident response and emergency management should be addressed as part of the plan.

* crisis management arrangements. A crisis situation may result from a security incident that affects the safety of people, the continuity of business operations and/or corporate reputation, with the potential for catastrophic impacts requiring high level corporate management.

* audit requirements. Security risk should be accorded the same profile as financial risk, which is more often than not the focus of directors and the CEO as part of an ongoing audit program involving internal and external audit.

The capacity of owners and directors to effectively implement their governance responsibilities in respect of security risk depends on their understanding of the nature of security threats confronting the business or organisation and the risks to people, property and business continuity.

There is little doubt many businesses and organisations are less than adequately prepared to deal with security threats. A contributing factor is the lack of awareness of owners and directors and their inability to contextualise the nature of security threats confronting their businesses and organisations.

Security risk

Security risk is not limited to acts of terrorism committed in countries other than Australia. Similarly, other security incidents and their impacts are not limited to very large businesses and organisations.

Although a terrorist attack targeted directly at a business or organisation in Australia is rare, other security threats such as sabotage, vandalism, theft or fraud are likely or almost certain to occur.

These security threats could have potentially catastrophic consequences with implications in terms of the safety and well-being of employees and customers; productivity; corporate reputation; litigation; insurance; and financial cost.

The challenge for governments, business and other organisations is to maintain security capabilities in such a way as to prevent or deter security threats. This requires a corporate consciousness that gives emphasis to a proactive approach to security in preference to a reactive approach prompted only after security incidents occur.

Inevitably, a reactive approach results in measures that are likely to be ad hoc and piecemeal, and which will be costly to obtain and implement.

First published in ASM April 2008 edition.

About the author: Graeme Mickelberg is a security risk consultant. His business, Hydra Enterprises Pty Ltd, has national and international clients in the private and public sectors. Graeme can be contacted by email at hydraenterprises@telstra.com or on 0407 113 909.
