​

MANY ORGANIZATIONS operate in multiple locations worldwide, and because each region has its own unique risk profile, finding appropriate security solutions can be a challenge.

The main challenges are cultural, says Luca Tenzi, security manager for Eastern Europe, the Middle East, and Africa at Philip Morris International. Tenzi says the cultural element is three-pronged. The first prong is the company’s own security culture, manifested in what the organization considers a threat, how sensitive senior management is to its risk exposure, and the security culture of the industry in which the company is operating. German companies, for example, tend to be more security conscious and risk averse than Italian or Latin American companies, Tenzi says.

The second prong is the culture of the local market. “If you bring the American idea of security to Europe, it doesn’t go down so well,” Tenzi says. For example, certain American companies view terrorism as one of the key threats for them. They fear they are a target “because they are American and because they represent American interests overseas,” he says. “When you go to certain countries, that is not a fact. Yes, there is a terrorist threat, yes there are issues, but in the list of priorities, terrorism is not up, up in the scale.”

Multinationals may also face resistance from the local population when they try to base their security solutions on a corporate standard rather than the reality on the ground. For example, for trace explosives detection, dogs are primarily used in the United States, says Philip Lomax, a Hong Kong-based Kroll associate. But they are not commonly used in Pakistan, because Muslims believe dogs to be ritually impure.

There are a lot of idiosyncrasies associated with different geographic locations that make having one corporate standard difficult, Lomax says. For example, “we find that U.S. and European companies [often] try and have a standard solution in terms of, say, technology, and certain technologies in different countries don’t work,” he says.

The third prong, according to Tenzi, is that employees who are natives of the country where the company is headquartered may bring biases and opinions to the location where they are stationed, and those attitudes, combined with the company’s security culture, which may also be at odds with local practices, can create a discordant cross-cultural experience.

For example, Tenzi says, “If you are an American company that has Brazilian people working in Switzerland, and you think that security needs to be tight, the Brazilian will say to you ‘Switzerland is a very secure environment, you don’t need to be so overly stressed.’”

Their attitude may make it difficult for the company to enforce its protocols, but those employees might be more attuned to the real level of the local risk.

Just as U.S. companies face challenges to implementing a security program in other countries, they may also fail to properly prepare employees who grew up in other cultures for living and working in the United States. Global operations do not necessarily begin and end outside of the U.S. borders, says Johan Selle, director of business resiliency services for iJET Intelligent Risk Systems.

Maybe the company has transferred an Indian national and his family to offices in Dallas. Well, the company should be aware that “just because all the other people [who] live in Texas know about hurricane preparedness, doesn’t mean the Indian should know about it as well,” says Selle. “And so, what are you doing to educate him in terms of training, communication, making sure he and his family know what to do during an incident like that?”

The solution is to think globally and act locally. First, companies should consider their security risks, then evaluate the local need to mitigate them.

“If you are a company that has a terrorist risk or has a fraud risk or organized crime risk, okay, that’s a global assessment. Now you need to go into each operation, in each affiliate, and see if this sensibility is replicated at the same level you think it should be replicated or not,” he says. “So this is the ‘act locally’ part.”