Home > Articles By Issue > Safety & Security > Article Aug 2003

Legislative Climate Heats Up For Safety And Security Measures

By Joseph Ricci, Ricci Communications

Current events continue to change and alter the shape of today's business environment; from the economic impact caused by lost revenue to tremendous increases in insurance and risk management. In addition, the creation of the Department of Homeland Security (DHS) has forever changed the approach and attitude of the federal government, law enforcement, and private industry toward security and safety issues for critical infrastructure, information, and physical security.

Spending Initiatives Propel Regulations And Standards

According to the DHS, more than 80% of the U.S. safety and security issues are the direct responsibility of the private sector. Various state, federal, and professional organizations are working to address these issues through numerous channels, each carrying a significant price tag.

In July, the House Appropriations Committee approved a $29.4 billion fiscal 2004 spending bill for the DHS, with $4.4 billion for first responders, $9 billion for border protection, and $5.17 billion for transportation security. The U.S. Conference of Mayors estimates that post-9/11, cities spent $2.6 billion on additional security, mostly related to anti-terrorism. However, despite fluctuations in the warning levels, many are reducing their response based on current fiscal realities.

This prudence is reflected in the results of a recent study, "Corporate Security Management," released in early July by The Conference Board and ASIS International. The study, developed to provide quantitative data on private industry spending based on a request from the Joint Economic Committee of the U.S. Congress, shows a relatively modest increase-4%-on security spending post-9/11. Although the increase is satisfactory for many in corporate leadership, the majority of security directors and others surveyed are dissatisfied with their budget allocations.

"Although the figures for private industry spending may seem small in light of increased concerns about terrorism," says Dan Kropp, CPP, president of ASIS International and vice president of Exton, PA-based CAP Index Inc. "Whether security is adequate cannot be judged by spending; it must be judged against the level of threat, the degree of risk, and the potential impact of security related events for specific companies." With a myriad of security options, both technical and physical, spending has been mixed since 9/11. Initial funds were spent on immediate increases in physical presence-such as security officers-closely followed by more practical approaches involving consultants and risk assessments.

Since the end of last year, budget allocations have primarily concentrated on technology, particularly on upgrading or installing access control systems. The economy and other factors are forcing more cost effective approaches to safety and security, with technological advances offering increased mobility and coverage through wireless systems and integration.

How and where these funds are being spent has created more than 100 pending orders, laws, acts, and bills. Several hundred regulations have emanated from local, state, and federal legislative, executive, and judiciary branches that directly impact the safety and security of businesses and citizens across the country.

"Being located in the heart of Washington, DC carries additional risk and responsibilities," says Sharon G. Kinsman, senior vice president of administration for the National Association of Broadcasters. "Our facility's plan must continue to change as the district, regional, and federal governments' plans evolve," Kinsman explains. "I'm spending about 50% of my time keeping up with these changes, revising our plans, and communicating them to our emergency team and employees," she adds.

The majority of these new legislative and regulatory initiatives are positioned to help businesses better handle security concerns. If passed, one bill will provide access to the FBI's national criminal records for background investigations of contract and in-house security personnel. Another will create tax incentives or breaks for investments in security.

Disaster Planning And Business Recovery

Unlike Kinsman, facility professionals in less "challenging" parts of the country may not be spending 50% of their time focused on business continuity and disaster management. However, every indication is that many are spending significant resources in this area. Statistics vary, but in general, the majority of unprepared businesses hit with a natural or man-made disaster either never re-open or are out of business within three years.

"Disaster management training is critical to the future of businesses and organizations; it is critical to our economy both in our communities and as a nation," says James Lee Witt, former director of FEMA and president of disaster management and recovery consulting firm James Lee Witt Associates of Washington, DC.

Preparation is critical to survival. Witt continues, "After a major event, more than 30% of businesses cannot afford to recover. Every company is impacted by a disaster on average every five years, so it's easy to see why businesses really can't afford not to plan for any and all hazards. Planning and training are an investment in the health and well being of the company, its employees, and the surrounding community, because every dollar invested in prevention averts $7 in future losses."

Disaster recovery is also highly dependent on the operations and planning of others, especially suppliers and distributors. Any plan is only as good as its weakest link, which can be anywhere within the operations of a facility and/or its partners' operations.

Risk Assessment

"Post-9/11 the approach to security really changed, but the risk assessment process didn't; it remains a probability vs. impact equation. Any good security and safety program must begin with a solid and thorough risk assessment process," says Regis Becker CPP, global director of security and compliance for PPG Industries, Inc. of Pittsburgh, PA.

Successful disaster management and recovery (along with sound security) must stem from a risk assessment that provides a measure of threats in terms of probability and impact that directs planning, policy, and implementation. As mentioned earlier, there are several initiatives surfacing regarding conducting assessments, including recent OSHA requirements for firms of 10 or more and guidelines released earlier in the year by ASIS International which are available online at www.asisonline.org.

Generally, risk assessments take into account vulnerabilities based on risks, the probability of the risks, and their potential impact on operations (in comparison with current security and safety measures and expenses).

Simply by their nature, risk assessments are site, industry, and company specific. This requires an individual approach to each facility, from corporate headquarters to distribution centers.

In addition, because threats and risks change and businesses evolve, assessments must be conducted regularly to stay on top of developing issues. Disaster recovery or business continuity should involve an assessment, a written plan, and appropriate actions including emergency response, contingency guidelines, and media issues.

Challenges And Challenges

"Corporations have done a prudent job in handling risk management and building customer confidence," explains Don Walker, chairman and CEO of Chicago, IL-based Pinkerton Inc. "But CEOs, CFOs, and COOs need to become more involved and begin viewing security as a corporate responsibility and not a cost center," he adds.

And yet, this thinking is slow to develop, with many C level executives more concerned about rapidly escalating insurance and liability issues, quarterly returns on investments, and cost savings through integration and centralization. In contrast, professionals directly responsible for security and safety rank deterrence and employee and customer confidence as priorities followed closely by liability and loss prevention. Despite the varying concerns of facility, HR, IT, risk, and security managers (which range from life safety and physical security to workplace violence and information integrity), they all face a common set of challenges in terms of developing and implementing appropriate security and safety for their corporations' assets.

These common areas are reflected in the "2003 Survey of Top Security Threats and Management Issues Facing Corporate America" report released by Pinkerton, Inc. These challenges included tight budgets, justification of expenses, evolving technologies, effective recruitment and training, legislative and regulatory issues, turnover, growing areas of responsibility, downsizing, and outsourcing.

Although security budgets are tight and spending is lower than expected," explains Becker. He believes "that a focus on results is reflected in corporate management's spending on security." Furthermore, he feels it has become "easier to get the attention and interest of non-security people" in terms of developing and implementing security and safety measures.

"Resources are being spent on access control, background screening and investigations, and IT hardware and software; much of the focus is on business continuity. This includes testing and training to determine effectiveness and interdependencies, especially with supply chain issues which involve transportation and distribution security," Becker observes.

Roles And Responsibilities

In the everyday professional lives of facility managers, security and safety are a growing component of the job function. This is supported by several recent surveys, including the recent The Conference Board/ASIS International study which indicates that nearly 20% of all senior security personnel report directly to the senior vice president for facilities; an additional 15% report to senior operations and human resource directors. Many of the smaller companies that make up the majority of the U.S. economy exist without in-house security expertise. Instead, they rely on facility, operations, and human resource managers as well as law enforcement, consultants, and contract security. Together, they hope to handle the development and implementation of security and safety policies and procedures.

For a great number of facility professionals, safety and security responsibilities have increased in importance and substance. This requires them to become involved in security management and decision making regarding policies, procedures, and measures often with little formal training or knowledge in these areas. The situation is further complicated by the constant introduction of new solutions and the increasing integration of building systems such as HVAC, life safety, lighting, access control, and other facility solutions.

"Security is a distributed function," says Marene Allison, director of global security at Basking Ridge, NJ-based Avaya Inc. "Corporations spent the post-9/11 period putting more emphasis on the management of their security measures and operations by reviewing costs and responsibilities, centralizing functions, and making sound business decisions regarding reach and role while reducing overall costs."

Helpful Resources

Significant budget allocations have been made to address information and critical infrastructure protection as well as first responder equipment and training. To meet the need for increased security and safety, many professional organizations, such as ASIS International, the Security Industry Association (SIA), the International Facility Management Association (IFMA), and other associations, have begun working together to study the issues and offer training, recommendations, and networking opportunities for members to share knowledge.

Both ASIS International and the Security Industry Association (SIA) have made themselves available to the U.S. Congress and government agencies as resources for information and expertise regarding security issues and concerns. "As a professional organization, we felt compelled, obligated really, to get involved, not in drafting legislation, but rather in an advisory capacity," says Kropp. The goal is "to educate and assist legislators, the DHS, and other agencies in better understanding the issues from a preventive, proactive corporate security perspective."

For example, in addition to the aforementioned study with The Conference Board, ASIS International has formed a Commission on Guidelines "to advance the practice of security through the development of risk mitigation guidelines." The Commission released its first guideline, General Security Risk Assessment Guideline, in January 2003 and is currently working on future projects including guidelines for hiring and training security officers. ASIS International has also developed and launched several new professional development programs to demonstrate technical knowledge and skill.

Education, Knowledge, And Networking

There are many educational programs and conferences available to facility professionals, with new organizations and events emerging daily. At last count, there were more than 200 conferences and educational programs on any number of physical, IT, or other security issues offered by more than 100 different organizations and publications targeting those responsible for security and safety.

Research suggests that professionals continue to rely on colleagues for the majority of their information sharing and turn to trade magazines, professional organizations, and consultants for knowledge. These serve as vital links for disseminating new measures, technologies, policies, and regulatory standards.

As previously mentioned, many of these organizations are already working together. One group will be presenting the National Summit on Security (NSS) scheduled for October 1-3, 2003 in Washington, DC. Supported by the Washington Metro area Society for Human Resources Management (SHRM) and IFMA chapters, the program is also backed by SIA and several federal agencies including the General Services Administration (GSA), the Department of Commerce, and the DHS.

The largest and longest running security conference, the ASIS International Annual Seminar & Exhibits directly reflects the trends, challenges, and concerns facing professionals in the security field. Scheduled for September 15-18, 2003 in New Orleans, LA, the conference will offer more than 135 educational sessions.

"We recognize the need for an organization to step up and attempt to assist in bridging the gap between federal, state, and local agencies and law enforcement and the private security industry," says Michael J. Stack, executive director, ASIS International. "Several programs have been developed to provide education for those involved in security outside of the traditional role of the security professionals," says Kropp of ASIS International. "One of the new offerings is entitled 'Practical Information Systems Security 101 for the Non-Technical Security Professional and Security as a New Business Paradigm.'"

In addition, more than 725 security product and service providers will offer attendees practical, application oriented displays of the latest trends in physical security through interactive demonstrations of the latest security advancements and technologies. Because of the current volatile climate, there are many new challenges for corporate security, compliance, information security, supply chain integrity, international trade, and employment. Fortunately, facility professionals have an extensive array of tools to help them handle escalating security and contingency planning demands.

Ricci is senior consultant and CEO of Arlington, VA-based Ricci Communications. He has provided strategic marketing consulting to the security industry for nearly 15 years.