But just when you think that you have it all down, your I’s are dotted and your T’s are crossed – your company goes global. Suddenly you have a bunch of regional economies, societies and cultures integrated throughout your organization. Your company’s goods, capital, services and labor now span oceans and miles, and you find you must address new sociocultural, technological and sometimes political challenges to your security operations.
Security incidents can happen anywhere in the world at any time, as evidenced by last year’s Mumbai terrorist attacks and suicide bombings, tourists killed in Mexico and of course, the events of 9/11. In addition, there have been other terrorist attacks against government buildings, businesses and people around the world.
“In view of these incidents, corporate management might understandably question whether a business can protect itself against such threats when even governments with their intelligence agencies, military support and large security budgets may seem powerless to protect their own employees,” says Jonathan Tetzlaff, Senior Director of Crisis Management and Business Continuity for Merck & Co. “In fact, global enterprises can undertake a number of prudent steps to reduce – not eliminate – risks. Some precautions involve traditional solutions such as armored cars, bodyguards and extensive physical barriers. In most cases, however, effective approaches to reducing risk are considerably more sophisticated and involve a combination of risk analysis, pro-active risk management and the employment of commonsense security precautions.”
Tetzlaff works with a cross-functional group of global Merck management to ensure that appropriate processes and procedures are implemented. He understands and respects the risks associated with a global organization. Since beginning his professional career in risk management, he has visited more than 50 countries, some in situations with levels of terrorism and unrest approaching the level of civil war.
In his current and previous positions, he has supported company operations in Pakistan, Angola, Algeria, Nigeria, the Republic of the Congo, Papua New Guinea, the United Arab Emirates, Egypt, Yemen and Romania as well as Western Europe, the Middle East, Africa and Asia. And it’s Tetzlaff’s job to ensure that a “OneMerck” approach to crisis management is implemented across those global organizations.
OneMerck Works
“A ‘OneMerck’ approach guides practically everything that we do,” Tetzlaff explains. “It also saves us money. Any organization should have some type of crisis management governance, a central top-down approach of how the entity deals with responses to crisis management and business continuity. That doesn’t mean that the tactics are implemented identically in each location, of course. For example, what one does in Pakistan is different than in Switzerland, but preparation for disasters must be undertaken in a consistent manner.”
Prior to Merck, Tetzlaff encountered situations in which incidents occurred at a company site, and people on the ground dealt with the problem efficiently and effectively at a local level. “However, they did not always communicate upward that these things were going on,” he says. “When the C-suite hears about it for the first time via a media contact, that’s not good. Senior management is not happy and the company is not organized efficiently to respond. The absence of that communication can do a lot of damage in the public arena.”
Therefore, the OneMerck approach helps Tetzlaff and the cross-functional Corporate Crisis Team to put in place an efficient and planned response, including proper notification to the correct channels so that they can then respond and support.
“Our task is daunting and endless,” he says. “Companies are changing quickly. Training is helpful, and it needs to happen, but people move and change positions. The structure that works best is to have a corporate crisis team with representatives of all key businesses and functions within Merck (HR, sales, manufacturing), so we know who to contact should a problem arise. We started by training those members first with an overview and then built in tabletop exercises, where we present them with scenarios and ask them to work through the situation. That staff has to know how to contact the regional and country locations, so we are conducting this training globally.” Tetzlaff and his staff then take it on the road, provide an overview of the plan and then do exercises based on local issues.
After staffs are trained and procedures are followed, Tetzlaff still believes that communication is the biggest concern in risk management and business continuity. “I’ve dealt with a variety of issues over many decades, and once you set aside the practical precautions, the plans and the emergency tools, the biggest concern is communications. If you can’t communicate between the site and the corporate level, nothing else works.”
He adds that language challenges and distinct culture differences can also be a factor. But part of the solution involves the personal touch. “When someone in a facility thousands of miles away notifies corporate, he needs to know who he is talking to,” he suggests. “Those personal relationships are critical.”
As an example, Tetzlaff relays a situation with a previous employer with operations in Somalia. “It was such a remote location, and we had very experienced expatriates there,” he says. “But what happens culturally is that sometimes people become so focused on local issues that they can’t pull back and see the broader picture. At that time, we had frank discussions with our in-country staff, explaining that they needed to evacuate the country for their own safety. They firmly declined, saying that we were letting exaggerated news stories shape our perspective. But we did further analysis – using contacts from my former colleagues in the U.S. Government, among other sources – and we were convinced that the situation was too dangerous for them to remain in Mogadishu. We couldn’t demand it, but we requested that our staff relocate from Mogadishu to a site in the southern part of Somalia. That reduced risks considerably for a time, but the collapse of Somalia eventually made any presence in the country dangerous. As a result, later that year, we undertook an emergency evacuation of staff from the remote site. Fortunately, we were able to evacuate them safely, but they delayed longer than was prudent despite our counsel. Shortly after they evacuated the site, it was overrun by insurgents. We later learned that some looters – who came onto the site after we evacuated – lost their lives at the hands of the insurgents.”
Having the support of C-suite is critical, Tetzlaff notes. “We are fortunate to have it here at Merck, but it’s not a ‘given’ at some companies. The leadership displayed by my boss Grant Ashley (VP, Global Security) has been absolutely critical in gaining that C-suite support. In my experience, it’s possible to commence a lot of change at the grass roots level – by building support at the lower level, it can work upward. But the success of the program is ultimately determined by the extent and visibility of C-suite support.”
It’s not so much about telling people what to do; Tetzlaff suggests, but instead, his role is to help avoid mistakes and support the global security team. He also needs to make the business case that any world-class organization has effective crisis management programs and policies in place. “If you want to compete on a level playing field with the competition, you need the support of senior management,” he says. “Our executive management gets a lot of credit for seeing what’s happened elsewhere and getting out in front of issues. That success is an outcome of our top notch leadership at Merck.”
Scott Hewitt, CPP, Director of Security for Ferguson Enterprises, echoes Tetzlaff’s comments about communicating security’s value to the organization and its global operations. Ferguson is a diverse wholesale distributor with a distribution network of approximately 1,350 service centers in all 50 states, the District of Columbia, Puerto Rico, the Caribbean and Mexico.
“For our organization, the biggest challenge is coordinating and communicating globally with others who focus on profit protection,” Hewitt says. “We recently adopted a worldwide incident tracking system that tracks significant losses and trends across the whole company. The system is shared by Security, Risk and Internal Audit. Additionally, we hold regularly scheduled international conference calls to discuss new loss trends and ways to mitigate risk.”
In addition, Hewitt recognizes the importance of security being mindful and respectful of local people and cultures. “Things don’t work out as well as they could if we are perceived as the ‘know-it-all’ Americans who are way ahead and have the solution if you will just do it our way,” he says. “Language can be an issue also, as in Canada where all notices are required to be posted in both English and French. This can be an issue when sharing a whistleblower tip line such as our ‘We Tip’. We placed a call in French to make sure it wasn’t a problem. It wasn’t, but the point is we need to be aware of these issues when operating outside the U.S.”
Centralizing Operations
One of the greatest challenges of mitigating risk and securing multiple and global locations is the inherent difficulty in implementing policies and procedures from a centralized security command. Toyota Motor Manufacturing, Texas, Inc. has more than 8,000 employees alone at its Texas facility (the number globally is obviously much larger), and security is responsible for security, fire protection, emergency medical response, hazardous materials response and radio communications.
“Risks are often different from location to location,” says Kevin A. Elliott, CPP, Chief of Security and Emergency Services, and of critical importance is the presence of a local or at least regional security expert to continuously assess and countermeasure local concerns. “It is then incumbent upon that local or regional expert to push those concerns up to the headquarters level in order to gain consensus on countermeasures that best mitigate the issues, address long-range protective intent and maintain the overall security strategy of the company,” he says.
Elsewhere around the world, outstanding examples of security leadership for a global enterprise come from Ryder, where Bill Anderson, Director of Global Security, relies on a set of consistent corporate security standards and local management accountability to ensure secure operations. “Even though there are slight differences between U.S. and other customs security programs, Ryder operates under a single global supply chain security standard,” he says. Ryder’s security team works with its global operations to implement these processes locally so that there is operational ownership of the program. “That’s been successful for us to mitigate risk,” he says.
Ryder’s corporate culture supports local management accountability. Managers must run their operations securely and adhere to our corporate standards, Anderson adds. “We have a ‘captain of the ship’ philosophy for our operations which broadens the role of the local manager to include security, safety and many other functional responsibilities. However, outside of North America, there tends to be more functional silos, so we’ve had to break down some of those silos and coach operators to be successful security managers. This not only helps Ryder avoid excessive overhead expenses, but also creates a culture of ownership at the local level.”
Anderson adds that in certain regions, local operators may be more willing to accept risks or may have become desensitized to certain risks based on past experiences. “It’s our role to help local operators understand and recognize supply chain risk,” he says. “The supply chain is only as strong as the weakest link so corporate security works with each party in the supply chain to implement a consistent security standard from origin to destination.”
That same mentality also comes from John Imhoff at Ernst and Young, a global business firm with 695 offices in 142 countries. Imhoff, who is Director, Office of Firm Security, says that a “one-size-fits-all model” does not work when securing global operations. “How do we protect data in New York City versus Shanghai? Data is data, and if our clients have entrusted it to us, we have to protect it,” he notes.
To do so, he recommends getting back to basics. “The threat environment is different here in the U.S. than in any part of the world, so it’s important to get back to the elements with a global security operation: what are you protecting and why are you protecting it? If those elemental questions give you a different answer than what you thought, a new policy has to be put in place.”
Accountability is also in place company-wide at Rio Tinto in London, one of the world’s leading mining and exploration companies. The company finds, mines and processes the earth’s mineral resources. The company has operations in every continent with 80,000 employees. Global security, which is run by Mivil Deschênes, Global Head of Security, entails personal security, physical security, information security, business resilience, investigation/due diligence and threat and risk assessment.
Protecting mines that hold valuable minerals requires a robust enterprise risk management process, Deschênes says, so every function within each facility is responsible for identifying risk. In addition, there are “risk champions” throughout the global company that carry out risk assessments. “The key is having accountability for management of all of our risks,” Deschênes says. “Daily risk activities, though, are coordinated through a risk officer.”
Managing the Management
“One challenge I face is ‘managing the management,’ as our company, like most multinationals, is subject to site and divisional management input in all CAPEX expenditures,” says Stephen Morrill, Executive Director, Corporate Security for Charles River. The company has nearly 70 facilities in 18 countries and partners with leading pharmaceutical, biotechnology, government and academic organizations around the world to provide products and services that span all stages of drug discovery and development.
“Corporate security must remain a viable business partner, helping to set priorities toward strategic goals and understanding the obstacles and constraints of individual sites and division P&Ls – all prior to launching costly improvement plans,” Morrill notes. “My approach is a push/pull sales technique. I beta test and obtain buy-in for security system improvements. Once a site team finds these improvements both cost effective and worthwhile, they then become my salesmen or saleswomen for implementation among their peers.
In addition, all security incidents are reported within an automated security incident system – security thus becomes the repository, gaining visibility of security hot spots. The data provides a background for dialogue with corporate executives on necessary improvements and in alignment with Security’s strategic goals.
His approach has worked, particularly with two incidents. In July 2009, his security team thwarted an attempted sabotage of the company’s Italy site. Security officers disrupted the perpetrators attempting to breach the perimeter with incendiary devices. In another incident, a site in France was the target of an ALF attack in 2008 in which a propane bomb damaged an administration building and communications system. Thanks to prior planning, the site was back in operation within 24 hours without any impact to customers.