No Business As Usual: Lessons Learned During the COVID Pandemic

Every person and every business has been impacted by the COVID-pandemic in one way or another. Humans and (most) businesses are surprisingly resilient and adapt to challenging environments relatively quickly. Flexibility and new approaches are required to overcome obstacles and deal with new situations.

This unprecedented global pandemic has taught all of us many lessons, some rather painful. The question is whether some of these lessons have a long-term impact on how we interact and conduct business, or whether it’s a short-lived experience. In general, I believe it’s fair to assume that we won’t go back to the ‘old’ normal but rather develop a ‘new’, hopefully better and advanced normal.

From a security and risk management perspective there are a few aspects to take a closer look at.

 

#1 The need for reliable business partners in a global economy

If nothing else, the pandemic has taught us how much we all depend on each other, both in private and in business. The vast majority of businesses today are international in scope. Businesses rely on overseas partners in practically all aspects of corporate activities, e.g. production, supply chain, logistics, sales and distribution.

During the pandemic these international business relationships have been put to the test. Can you rely on your business partner? Do you really know enough about who you are dealing with?

Many companies found out the hard way that their decisions related to foreign business relationships were based on insufficient information and lacked the depth to make a detailed risk assessment. The need for a concise third-party management policy and for in-depth due diligence on potential or existing business relationships has never been more apparent than today.

#2 It’s not just financial risks

Experience shows that corporate decision-makers have a tendency to focus on legal and financial risks. This is what they’ve been trained to do. However, taking a more holistic approach to risk integrates other non-financial risk factors like operational, human and reputational aspects.

There is no one-size-fits-all solution. Every business is unique and requires a unique and dedicated approach. Trade and travel restrictions vary tremendously from jurisdiction to jurisdiction and change constantly. A high degree of flexibility is needed and will also vary depending on the industry sector.

Besides a holistic all-risk approach and flexibility it has also proven vital to think in alternatives and back-up solutions: reliance on just one source or business partner for a crucial aspect of business operations is never a good idea. Even if not implemented, it’s always a good thing to have pre-planned and vetted alternatives.

#3 Preparedness

There is this old saying in crisis management: Prepare for the unthinkable. Admittedly, almost no one outside some public health expert circles really saw this crisis coming. And in the very early stages many companies were hesitant to acknowledge the impact the crisis would have on their business operations. But those companies who had at least some sort of pre-planned crisis management in terms of policies, procedures and training were quicker to adapt and mitigate the impact. With an existing crisis management organization and based on other crisis scenarios these companies were able to adapt faster and develop an appropriate response plan.

As a consultant I have heard the statement “this will never happen to us” far too often. I can only hope that this crisis has taught all of us the lesson that no person and no business is immune from bad things happening, no matter how ‘unthinkable’ it might seem at the time.

#4 Leadership

Managing any type of organization has its unique challenges even when everything runs smoothly, which is hardly ever the case. But during a crisis like the one we’re experiencing now, businesses don’t need just good managers, they need good leadership. Providing true leadership to an organization demands experience, a certain skill set and character to deal with the organizational and human aspects during a crisis. And to be really effective it requires trust, a trust that has been built and earned over time.

#5 Viruses don’t know borders – neither does Crime

It’s amazing how fast fraudsters and criminal organizations have adapted to the new situation and exploited it to their advantage. While the pandemic brought a decrease in some organized crime activities, e.g. drug or human smuggling, it presented new criminal opportunities in other areas.

Governments and the public health sector in almost every country around the world have been defrauded of millions: selling counterfeit masks and PPE at ridiculously overpriced conditions; offering fake vaccines; exploiting Government-funded help programs by using thousands of fake personas; etc.

White collar crime, fraud and corruption, cyber-crime and cyber-extortion aimed at businesses, business email compromise and cargo theft have all seen a significant increase during the COVID-pandemic.

The COVID-pandemic has exposed many flaws and shortcomings in business operations. It remains to be seen to what extent corporate decision-makers will take this as “lessons learned” in the truest meaning of the word and prepare their organizations for the next crisis – because it will come.

The value of Local Site Verification in Enhanced Due Diligence

Adrian Protogeros, Managing Partner, PSI Proactive Strategic Intelligence*

So you have entered your pre-contractual phase and are currently in negotiations with that new prospective foreign company collaborator. Maybe you are forming a new joint venture somewhere in the Middle East to participate in a large infrastructure state tender. Maybe you are expanding your local sales channels in one of the fast-evolving countries in Africa. Or maybe you are getting more competitive prices for your manufacturing components from a new supplier in Eurasia. The company is good in their communication and has provided you with all necessary information. All is proceeding well.

Your trusted business intelligence provider, reflecting your own strict policy for high integrity and low risk collaborations, has also done their best-effort due diligence to ensure all is proceeding smoothly. They have visited the local registry, the local chambers, they have obtained all the available formal documentation and you are aware of the company’s directors, the shareholders, and even their 2nd-tier shareholders and UBO. Your provider has done media and OSINT research in the local language and also came in contact with key local unofficial sources to provide you with a thorough reputational assessment of the company and its owners. Financials provided by the company itself have been studied and appear healthy and solid. So there is nothing to worry about. Or is there? Wait. Didn’t they send you a picture of their headquarters somewhere in one of their emails?

Local Site Verification is the process whereby a team of local operatives visits a prospective collaborator company’s local headquarters/plant/installation/offices and, via legal and ethical procedures, collects hands-on intelligence regarding the subject’s local operations. This includes visiting the actual premises, taking pictures, evaluating installations and asking local associates and neighbors about the company’s activities and presence in the locale.

It is part of human nature to sometimes exaggerate. In today’s harsh competitive business environment, aggressive marketing and promotion can sometimes even lead to misdirection. The sheer physical distance between you and a foreign company thousands of miles away may also increase the level of exaggeration that one feels one can get away with. No one expects to find you in their own back yard. But when you do get there, the results are quite interesting.

In the 14 years that we have operated in the field of enhanced due diligence, we have performed over 1000 local site verifications for subjects in over 40 countries in the Middle East, Africa, Eastern Europe, CIS and Eurasia. The statistics speak for themselves:

  • In 1 out of 4 cases, visiting the local headquarters of a subject has revised expectations from the collaboration and/or increased related business safeguards.
  • In nearly 1 out of 10 cases, local headquarters indicated considerable exaggeration of the subject’s capabilities, and resulted in serious revision of the contractual terms.
  • In roughly 1 out of 25 cases, local headquarters were unacceptable for the form of the prospective collaboration being planned and in certain cases the collaboration was terminated as a result.

So does this mean we will only do business with companies with nice large shiny offices and modern spacious manufacturing plants? No, not at all. Many very successful businesses of today, as we all know, have started from someone’s own garage. However, you cannot have top-notch manufacturing from a garage or someone’s own back yard, or a derelict warehouse. You cannot have optimal transportation logistics from a rural installation, only connected to the transport grid with dirt roads. You cannot have a supposedly 20-staff modern services provision company operating out of the ultimate beneficial owner’s own living apartment. These are all real-life cases, examples of the numerous ones we have come across.

In the era of analytics tools, combinational statistics and database reports, Local Site Verification remains a valuable tool in enforcing Integrity, Lowering Risk and ensuring Compliance. To date, still nothing can replace the penetrative visibility and value of the primary research and local, hands-on intelligence collection offered by Local Site Verifications of your prospective collaborator’s headquarters, premises or installations.

**************

*Acknowledgement: This article was first published on October 19, 2016 on LinkedIn Pulse by Adrian Protogeros, Managing Partner, PSI Proactive Strategic Intelligence, and is republished here with kind permission of the author.

Business Security – More than Cyber Security

In December 2014 Wired Magazine published a short article titled “The Business of Security is Business”. Although predominantly written from a cybersecurity perspective, I like the title and the article definitely raises a couple of good points.

In the last 15 years we have seen dramatic changes in the geopolitical landscape and a highly dynamic and constantly changing threat environment, both with significant impact on global business.

Today, security risks are definitely on the agenda of corporate executives. With media reporting large-scale data breaches and cyber-security threats almost on a daily basis, IT security has become one of the top priorities for corporate management.

However, there should be no mistake that a comprehensive corporate security program needs to address risks that go beyond technical and IT security issues, i.e. prevention of fraud and corruption, insider threats, terrorism, economic espionage, crisis management, travel security, etc.

Concepts like “Enterprise Risk Management” or “Total Business Security” provide a more holistic perspective on the threat landscape trying to implement security aspects into all corporate processes and operations.

Security is a Management Task
Corporate security managers need to clearly communicate what the impact of any threat is on the business. They need to translate security requirements into a language that CEOs, CFOs and other corporate decision-makers understand. A successful corporate security manager needs to be a business manager with a specialization in security. The business of security is business!

Corporate security goes beyond cyber-security
Business security is more than IT security. With all the attention (and budgets) cyber-security gets, corporate security managers should make every effort to take a broader view of security and build a comprehensive security program that provides a more holistic protection of physical assets, personnel, information and know-how, and commercial interests.

Build a security program for real life
It can be a daunting task to keep up with all the security threats and implement a smart protection program, especially if an organization is operating globally. Many computer-based tools are offered on the market to assist in this effort. With all the software tools and dashboards available, corporate security managers are well advised to make a very careful selection of exactly what tools they need and what these tools actually provide to handle real-life situations. Tools can be a useful support, but filling a database with lots of data and information is neither the objective nor sufficient. Have a reality check once in a while.

Learn from others (their mistakes and successes)

Here is the good news: Although in today’s world corporate security is a challenging, complex and interdisciplinary task, it can be done. Most likely, it has been done before. Nothing is more appropriate than to learn from the experience of other professionals and organizations, both their failures and their success stories.

Why don’t they listen to me?

A couple of weeks ago I had the opportunity and distinct pleasure to speak at a corporate management conference. A global company had gathered their top 300 executives from around the world to discuss business matters and the road ahead. I had been granted a 45 minute slot on the second day to talk about security issues. There was no preset topic the company wanted me to address. After a few conversations with the VP Security and some senior executives I decided to talk about the role a modern security function can play in a global organization, the potential for integration of security into the overall business strategy and especially the need to effectively communicate with each other.

I titled my presentation “Why don’t they listen to me?”. I’ve heard this question over and over again from many corporate security managers. In a lot of cases there seems to be a disconnect between the business and the security function. Security managers describe their difficulties and frustration in getting senior management’s attention and buy-in for pressing security matters. Likewise, many business managers elaborate on their perception that the security managers have little understanding of the business requirements of their own company and try to implement policies and procedures that are perceived as an additional burden for the business.

Communication professionals will tell you that whenever you hear the phrase “Why don’t they listen to me?” you have a core communication problem at hand. As a corporate security manager you should not expect your senior executives to speak your language. You need to speak their language. And getting their attention is easy if you describe the impact a security issue has on the business.

My best advice: Don’t tell your boss about just another security problem. Tell your boss about the security issues that you have identified, how you have prioritized them based on business relevance and impact, and most of all tell him what your solution is. And if you’re really up to speed you might even offer some options for how to respond to a specific risk, together with an estimate of how the different options will impact the organization.

Most executives are usually well aware of the many problems facing an organization. What they want and what they need is someone who provides a solution. As the expert in the field of security it is your job not just to identify areas of concern but to find options and solutions.

In most publications about security you will find reference to today’s multi-dimensional threat landscape. However, in reality it seems that many organizations deal with it in a very narrow focus, allocating resources almost exclusively on cyber security. This could be a recipe for disaster.

Yes, the business world is facing a multitude of threats and risks, cyber security just being one of them, albeit an important one. Any responsible security manager will need to educate his audience that a comprehensive and effective corporate security program needs to address all threat dimensions.

There is no security risk, there is only a business risk.