Does our thinking around protecting a business’s reputation need to change?
Security as we know it is changing – and taking on a far more serious tone than has been needed historically. At least in Australia anyway.
In many parts of the world, security practices like those we are now seeing locally have been common for years. Be it the USA, Africa, Middle East or the more volatile regions of Europe, security has always been a far bigger deal than it has for us. This is simply because the risks they have been exposed to are very different to those we have had to consider in Australia.
And while the practices we use and the countermeasures we have deployed over the years demonstrate an evolution in security, things are now different. Very different in fact. And the key difference is security is now focussing on life safety over the protection of property.
It is a paradigm shift in our thinking but for very good reason.
The major risk to business will always be associated with an event that results in serious injury or loss of life. Recently, the likelihood of security incidents that could result in death or injury has increased. This should come as no surprise to anyone, given the frequency and severity of incidents has increased locally and globally.
High probability, low impact incidents such as graffiti and petty theft will generally not cause injury or death, attract adverse media attention or severely impact an organisation’s operations or reputation. They do come at some cost to the business as they need to be addressed. Left to fester, they can escalate and result in risk in other areas.
But the cost of managing these types of risks in real terms is quite low, as is the cost to business when loss occurs. From our experience, most criminal acts that target commercial property cause losses of less than $10,000.
For business, most loss comes in the guise of business disruption. This can include the need for temporary premises, lost days of productivity, additional or redeployed staff and other operational changes. But physical assets are almost always insured and easily replaced. There may be some pain from an insurance perspective but this is usually short lived.
Physical security has traditionally been about intrusion detection, access control and monitoring the movements of people and motor vehicles. These have been the staples of security for many years. But collectively they do little to reduce the risks to business that can cause the most harm.
This shift in thinking also underlines the importance of non-traditional methods of managing risk. Low-level measures such as CCTV cameras, alarm and access control systems cannot be relied upon to protect a business. While at times they are promoted as able to solve anything from graffiti to world peace, we need to be real about what measures address significant risk to business. The risks that could have catastrophic consequences for a business.
Examples of catastrophic property-related events are limited in Australia. The most recent recognised incident was the Lindt Café siege on December 15, 2014. The café closed for more than three months as a result of the incident, which saw three lives lost – the gunman, café manager and a customer.
After the incident, staff were also expected to attend the coronial inquest. The cost and disruption to the business would have been significant, as was the initial reputational harm.
The next most prominent example of reputational impact to business was the Dreamworld incident of October 2016, which killed four people. While it was safety rather than security related, it gave us a really good understanding of the possible consequences to business when people get hurt or killed.
Looking back, the impact this incident had on the business was both significant and ongoing. Ardent Leisure (the owners of Dreamworld) had a share price of $2.55 the day before the incident. Three years on, it was just $1.19. That represents more than $600M in lost market value. The incident also resulted in the departures of senior executives and the company’s ongoing involvement in a lengthy coronial enquiry.
Dreamworld attendances are still reported to be well below what they were in 2016 – three years after the incident. This highlights people’s tendency to not attend places they perceive to be unsafe, regardless of how reassuring the company’s message may be.
In business, reputation is everything. And today, when we look at security, the primary objective must be reputational management. It simply has to be because irreparable damage can occur that an insurance policy can’t fix.
In business, reputation is everything. When we look at security, the primary objective must be reputational management.
I was invited to a workshop in 2019 conducted by one of the UK’s leading universities on the cyber terrorism risk to commercial property.
Of all the case studies and data that was tabled that day, the most interesting was a graph that explained the impact to businesses that have experienced critical incidents.
It highlights the significant impact to the business and that the business may not ever get back to where it was before the incident.
Risk to people comes in many forms. We know it can involve terrorist groups like IS but those on the extreme right have also proven their capability and ferocity in New Zealand with devastating results. At a more local level, incidents can involve the disenfranchised, mentally ill, drug-impaired, upset ratepayers and almost anyone with a grudge or an agenda.
The types of properties perceived to be most at risk will include those where people meet such as shopping centres, transport hubs, schools and universities, local, state and federal government buildings, places of worship and even our workplaces.
Owners and operators of commercial property should appreciate that security is an important element in maintaining staff and occupant safety. This means that security should be taken more seriously than it has in the past. Those responsible should ensure that the security practices are appropriate, well documented and easily substantiated if the need arises.
While determining appropriate security measures is often challenging, I think it is now apparent exactly what sort of incidents are possible.
And knowing this, we can deal with them more effectively if an organisation is prepared and takes adequate precautions.