A systems-based approach to integrating security risk management into the management practice & culture of a global multi-national organisation

I work in the Corporate Security department of a global multi-national company that operates a wide range of businesses in many complex and turbulent environments, including developing countries and those recovering from conflict or similar strife. To help deliver the best level of protection for people, assets and business processes, my project sought to find an innovative, cost-effective and non-disruptive approach to integrating security risk management into the mainstream management practice and culture of my organisation. The solution needed to be responsive both to global corporate policy, the ontological and epistemological stances of the diverse professions within the company and the demands of the security risk environments where we conduct our business.
The project’s theoretical framework is inherently multi-disciplinary and derives from theories of crime and theories of risk and the fusion of these with theories of management and organisation – particularly those related to systems theory. It provides a powerful platform for an innovative approach to security risk management to help to locate it alongside other key disciplines within the mainstream requirements for management thinking, knowledge and ability.
I developed the approach while conducting internal security risk assessments and corporate security investigations, and while contributing to my company’s consultancy work for external organisations. The project is reflexive in that it has required me to reflect on, evaluate and enhance ways of working that I have acquired by experience and various forms of learning, alongside the various theoretical models that I refer to.
I gathered the project data using focus groups, interviews and participant observations, and incorporated elements of bricolage into my methodology to cope with unpredictable field conditions and other disruptions, which were numerous. My project’s analytical framework is based on a sensemaking approach, derived from the project’s theoretical framework. The units of analysis are case studies of my treatment of businesses in a range of different industries and countries. In addition to evaluating the security implications of explicit formal structures, such as physical design or documented procedures, it also emphasised the significance of ‘soft’ inputs, such as employee perceptions of risk and various styles of management. Collaboration with technical experts enabled mutual learning and significant steps towards designing-in security to systems and processes.
The project’s success was to be defined by the endorsement of the senior corporate and local managers who are ultimately responsible for risk management. It has achieved this goal, manifested in recommendations to use the approach to address a wide range of business challenges. This is supported by testimonials to the effectiveness of the approach and a growing commitment to embedding it within the company’s businesses via training and education programmes which I am currently developing.
My conclusion summarises the project and argues that security risk management is about changing and managing perceptions of opportunities to offend. These include the perceptions of managers and others who support the organisation’s objectives and goals, as well as those of potential offenders who would otherwise perceive organisational assets and processes as attractive targets.