Insights from our Advisory Board members: "Security management. A full-fledged managerial function."

Published on 21st March, 2024

Insights from our Advisory Board members:

Our series "Insights from Our Advisory Board Members" is an ongoing collection of articles designed to share the wealth of knowledge and experience possessed by the distinguished members of our advisory board.

Through this series, we aim to provide readers with unique perspectives, valuable insights, and practical advice on a wide range of topics. Each installment features contributions from a different board member, offering their expert analysis and reflections based on their extensive careers.

Today, we're excited to feature an article authored by Antonio Kamil Mikhail, continuing our commitment to bringing the thoughts and expertise of our esteemed advisors to the forefront.


Mr. Kamil Mikhail served in Criminal Police Departments of the Ministry of Interior in Italy and was appointed as Liaison Officer at the ICPO Interpol General Secretariat in Lyon, France, before being deployed as a security professional in United Nations missions. Within the UN system, he worked as Field Safety Adviser for UNHCR posted in Egypt and Iraq, then as a member of UNHCR Emergency Response Teams deployed in humanitarian crisis areas and as Senior Investigation Officer with the UNHCR Office of the Inspector General. During his seven-year period with UNHCR, Kamil Mikhail undertook several emergency missions to Africa, Asia, the Middle East and the Balkans.

Mr. Kamil Mikhail boasts a distinguished career in security, having served as the Chief of Security at IFAD (a specialized UN agency) in Rome for ten years, and spent one year as the interim Chief of HQ Security at FAO (another specialized UN agency). Throughout his tenure, Mikhail was an active participant in the UN Inter-Agency Security Management Network, led the UN Working Group on Safety as its chair, and was deployed as a UN Hostage Negotiator.

Currently, Kamil Mikhail has established himself as a prominent International Consultant and a Security and Investigation Instructor for the Professional Certificate in Security Management Course at the esteemed Italian Institute for International Political Studies (ISPI) in Milan. He is also the co-author of “Linee Guida per la sicurezza degli Operatori Umanitari e dei viaggiatori nelle aree a Rischio” (Security Guidelines for Humanitarian Workers and Travelers in High-Risk Areas), published by L’Harmattan Italia in 2011.


Security management. A full-fledged managerial function

Every year we witness an increase, both in number and severity, of security incidents involving humanitarian workers, aid workers, and journalists overseas. On one hand, this increase can be explained by the growing number of travellers and aid workers employed in high-risk areas. On the other hand, there is an objective expansion of violence and insecurity in increasingly larger areas that were considered, until recently, stable and secure. The responsibility for the security of the project and its workers ultimately lies with the host government, regardless of the role of the company, or of multi- and bi-lateral donors, in the country in which the project is being implemented. However, there are several situations in which the host government is unable, or unwilling, to provide the necessary security for the mission, or has accepted that private entities organise their own security.

Labour laws and court rulings in many countries have progressively evolved towards the principle of responsibility of the employer for the security of its activities and operators, even when the activity takes place in a country other than that of employment. The Italian legislation, for example, does not limit the responsibility of the employer to the national territory. Hence, employers are prompted to apply to their overseas activities the same security standards that they apply to their operations at home.

This is why security planning and management has become an integral part of the preparation process for a development project or humanitarian assistance. This paper will present the following considerations, which can serve as a contribution to further investigation of this topic:

  • Security management: definition and scope

  • Security management explained

  • Security implementation


Security management: definition and scope

Security management is a combination of forward-planning, resources (human and material) and skills. Forward planning can be schematised in two sub-activities: risk analysis and security planning.

A specific risk analysis of the project allows for more accurate resource planning, also providing a medium-term forecasting tool. Security planning will include resource mobilisation over the short, mid and long term, and the implementation of what has been planned according to best industry standards.

Especially in high-risk or geographically isolated areas, security management requires specific skills to manage activities as numerous and diverse as physical protection of facilities, cash management, fire prevention, or medical emergency response (to name just a few), which are not necessarily attributable to a single professional figure.

For this reason, security management has become increasingly professionalised, turning into an autonomous managerial area.


Security Management explained

In the reality of the contemporary world, for various reasons, no state can truly guarantee the total security of all individuals within its territory and, in all honesty, no organisation can ensure that incidents will not occur to its operations. This is what experts call ‘residual risk’.

Furthermore, the concept of security has significantly broadened in recent years to mean the 'expectation of absence of harm' even in the case of unforeseen events, fuelling a compensatory culture that demands that a responsible party for the damage always be identified. Following this evolution, private entities that are in a position to impact on sources of risk (e.g. production processes) have become legally responsible for the damage, both due to specific legal obligations and civil liability for the incurred damage. These premises entail that no organisation can truly operate without a clear vision of its risk exposure, and without a dedicated Security Management. This is particularly true for organisations operating in unstable or dangerous environments, but it is also true for all other organisations – even when the vulnerability of their operations is not immediately apparent.

Moreover, no organisation can properly develop its security strategy without an independent professional security management, distinct from adjacent management roles such as logistics or operations management, or IT. In recent times, situations such as COVID-19 infection, the risk of a cyberattack, or the risks from extreme weather events have imposed drastic choices on most organisations. Although always associated with the definition of the corporate Security strategy, the independence of security management has proven to be a safeguard against potential confusion in managerial lines of responsibility when the management comes under pressure from new risks and disruptive events.

Security Implementation

The consequences of a security incident on the fate of individuals and organisations are obvious. It is therefore good practice for an organisation to adopt security planning as an integral part of its management activities, alongside other activities that contribute to the achievement of the organisation's purpose.

Some of these actions are of strategic relevance and are usually achieved by the top management of the organisation. The other actions consist in the implementation of the security strategy, through security plans and regulations, and the day-to-day enforcement of corporate security policies.

Strategic planning of security

  • Phase 1: A proper risk assessment, through the analysis of one's operational environment and review of specific risks and hazards, as well as a thorough understanding of the organisation's sources of vulnerability – considering the available resources. Risk assessment will determine the ‘residual risk’ for the organisation according to the specific operational profile of its activities. As we will see later, risk assessment is the conditio sine qua non of all other phases of security planning. Risk assessment is probably the most difficult part of the whole planning, as it requires a combination of analytical skills and a sound understanding of security practices.

  • Phase 2: Defining a security strategy that outlines the internal hierarchy of responsibilities (accountability) regarding the identified risk, as well as: the level of integration of security policies in the management of the organisation, the type of benchmarking that will be used, and the amount of resources to be allocated for security, for each identified risk scenario.

  • Phase 3: Operational planning, which consists of predicting behaviours and preparing the resources needed to prevent damage or mitigate its extent.

  • Phase 4: Implementation of what has been planned - which is different from ad hoc interventions made to counter occasional vulnerabilities, for example, to restore security after an incident. Implementation consists of enforcing the set of regulations (procedural rules) and resources that will permanently reduce the organisation's exposure to the previously identified risk.

  • Phase 5: Constant update of risk assessment, in parallel with all other phases, aimed at adjusting planning and action based on emerging new risks.

Let's clarify some aspects of this process.


Elements of Security strategy

After having identified risks and vulnerabilities, management must set up the framework of its security strategy, by defining the following guiding policies:

1) Accountability

Through accountability, the organisation decides how it intends to collectively (as an organisation) manage the identified risk. This requires defining an internal hierarchy of responsibility (accountability) with regard to managing the ‘residual risk’ and security management in general (planning and implementation). This responsibility/accountability hierarchy may differ from the accountability scheme provided for by national legislation on workplace safety - and is made specific to the organisation’s structure, establishing, for example, a different line of internal accountability for the risk of cyber intrusion, or for the prevention of corporate espionage, etc.

2) Strategy and Resources

Resource allocation is also an element of the corporate security strategy. The determination of resources is a comprehensive exercise, in which internal resources (such as professional profiles and instrumental assets required in crisis situations) and external resources (partnerships), as well as financial, logistical, and regulatory means necessary for the implementation of the security plan are considered. This is an exercise that involves the whole management of the organisation, because it aims, among other things, at integrating a ‘security culture’ across the different sectors of activity within the organisation. Integration must be sustainable over the long term - not merely motivated by cost saving or depending on other managerial contingencies. For example, in many organisations, there is a tendency to merge physical security and cybersecurity without prior reflection on the advantages and disadvantages of such integration.

Resource mobilisation will also contemplate external partnership frameworks aimed at accessing resources that are not available in-house and, ultimately, at further reducing risks and vulnerabilities for the organisation. Examples can be: co-ordination or asset-sharing efforts, stand-by agreements, or a sustained diplomatic effort or negotiation activity towards maintaining open cooperation channels with potentially actionable partners.

3) Contingency Planning vs. Security

Multisectoral contingency plans are designed to reinforce the organisation's resilience in the event of a blockage of activities not necessarily qualifying as a security risk. A recent example could be the microchip crisis that hit the industry, triggering industrial contingency plans without a security risk manifesting itself. Organisations based on lean management, who found themselves to be vulnerable to crises due to their close interdependence with other actors, have borrowed the predictive-programmatic security model to establish operational resilience plans.

While seeking potential synergies, one must also consider the differences in purpose and perspective between security planning and contingency planning. Security planning shares several common elements with the general contingency planning of the organisation; however, it must be understood (and accepted!) that Security planning is a stand-alone exercise within the organisation.


Implementation of the Security strategy

After having contributed to the definition of the corporate Security strategy, the next function of the Security management in the organisation is to implement such Security strategy and translate it into plans and internal regulations. Security planning at this level consists in organising the relevant information (risk assessment, resources, mitigating factors) and managing the allocated resources (human and material), while maintaining the internal accountability framework, expanding partnership in security, and adapting internal regulations to best industry standards and suitability in relation to evolving security situations.

1) The Security Plan

The output of security planning is an all-inclusive instrument called ‘Security Plan’. The Security Plan can be represented as one or several cross-referenced documents, or as a virtual platform, or as a product combining several pre-existing sub-activities into one planning instrument. Although it exists in many organisations (and is represented in the specialised literature) as a template, a Security plan must be viewed as a concept that is aimed at structuring information and organising resources in view of responding to risk and mitigating the effects of damage.

The ideal, or model Security plan consists of common and independent parts, or sectoral plans, designed for specific risk scenarios.

  • Among the common parts, we should mention the description of the operational perimeter, the risk assessment document, the detailed hierarchy of responsibilities (accountability), the inventory of human and logistical-instrumental resources, emergency communication procedures, and the existing agreements with external partners on security matters.

  • Examples of sectoral plans include fire prevention or medical plans, or area evacuation plans.

All parts are subject to constant review, such as updating the list of personnel, logistical-instrumental means or the evacuation routes (depending on the evolving security situation).

2) Security Regulations

Internal security regulations, such as procedures for admitting goods to the organisation's site, are not part of the security plan. Indeed, security regulations are sometimes introduced for practical needs or as part of contractual obligations (such as, for example, due to an insurance clause), or as an incorporation of best practices, even in the absence of a security strategy or a Security plan.

Regulations are characterized by their stability over time since they do not require constant revision, like the security plan. But to achieve maximum efficiency, security regulations must be strictly related to the objectives of the strategy and security plan.


Antonio Kamil Mikhail (March 2024)