Hotel Makes Room for Resilience
As soccer fans converged on South Africa last month for the 2010 Federation Internationale de Football Association (FIFA) World Cup, years of preparations for reaching security goals were put into play. In the case of Tsogo Sun Group properties, guests may rest a little easier knowing that the hotel group, in anticipation of the global sporting event, implemented the ASIS International organizational resilience standard to provide a comprehensive approach to security, crisis preparedness, and continuity management.
Tsogo Sun Group, which is the largest hotel and entertainment group in southern Africa, wanted to enhance its existing preparations for natural or man-made hazards, says Gert Cruywagen, the group’s director of risk. The question facing Cruywagen and his team was what standard to use as a guide.
The hotel group considered using ISO 28000, the International Organization for Standardization’s security in the supply chain standard, and BS 25999, the British standard for business continuity management. However, the group decided it did not make sense to implement two different standards, says Marc Siegel, ASIS Commissioner of Global Standards Initiatives. Instead, Tsogo Sun Group chose to become the first to use the ANSI/ASIS American National Standard Organizational Resilience: Security, Preparedness and Continuity Management Systems—Requirements with Guidance for Use.
“It covered everything both of those two standards did, plus it let [the hotel] take an approach that would let them come up with the best balance between security and continuity,” says Siegel, who is assisting the hotel group with ongoing implementation.
As for how it would implement the standard, Tsogo Sun Group decided not to pursue third-party certification due to the time and cost involved. The company did not find a business case for doing external third-party certification and was concerned about sharing the details of its risk assessments from various properties with an external auditor, Siegel notes. But the company resolved to do its own rigorous internal assessment.
To that end, the company selected six people to form a team that would audit the implementation. The team, which included four managers from Tsogo Sun Group and two consultants from Temi Group, completed the ISO 28000 Lead Auditor Course, the same course that a third-party certification body would require its auditors to take.
The company is setting up an internal mechanism that will have “the same credibility and the same weight” as if someone did it externally, Siegel says. The team has enough people that members don’t have to audit their own work, he adds.
The organization is using the phased approach of a maturity model developed by Siegel for implementation. The model presents six levels of implementation.
Tsogo Sun Group started by doing a gap analysis and used a scoring system developed by Siegel to gauge where each property was in terms of preparation. After changes were made at a property, it was scored again to assess the improvement from the previous audit.
One challenge was converting a generic standard for use by the hospitality industry. With industrial concerns, the access control goals are straightforward in terms of keeping out the general public, but in the hospitality industry, “the objective is completely the opposite,” says Cruywagen. “You don’t want to keep people out, you want to get them in.”
Another challenge, says Johan Du Plooy, CPP, senior partner of Temi Group Africa, who was on the auditing team, was in communicating with hotel personnel about resilience, particularly at the lower levels where personnel are less educated. “You speak to…people at times, and you say, ‘What are you going to do within the risk management component regarding resilience?’ and they look at you with totally blank looks,” he says. Du Plooy says they prepared presentations and marketing materials to ensure that all personnel understood the process as well as the goals of the project.
Communication and engaging people in the process is one of the important lessons learned, Siegel says, because buy-in from all levels was key. “The way to get buy-in of the individual people on the properties was to really engage them,” Siegel says.
“It wasn’t an exercise where six guys externally were putting together the program; it’s a matter of, with a management system, you go to the actual facilities, you talk to people top to bottom, and find out from them what essentially keeps them awake at night and what problems they foresee. It gives people a sense of ownership,” he adds.
The phased approach provided a manageable path for implementation, Siegel says. “When people do it without the phased approach, they just look at it and say, ‘How are we going to do the whole ball of wax at once?’” Siegel says. “And a lot of times, you get really bogged down, and it’s not so easy to do.”
Cruywagen says one of the lessons learned from his perspective is that his staff had already done more with regard to resilience than was generally recognized by management. This process helped to highlight those achievements by giving them a framework.
“I think this organizational resilience standard and…recognition as a result of that shows everybody what is there already,” he says. “So in other words, it’s not a lot of work that had to be done from the start but evidence of work that was done.”
The formal process also ensures that what was already done is now coordinated and that gaps are addressed. Du Plooy notes that Tsogo Sun Group, like most global organizations, had something in place prior to implementing the standard but it was “scattered all over,” he says. “This is a way of bringing it together, focusing it, and refining the different aspects of organizational resilience.”
Stephanie Berrong is an assistant editor at Security Management.