The How of Security Governance: Procedures Provide Support
It was cold and clear on the afternoon of 15 January 2009 when US Airways Flight 1549 received its clearance for takeoff from New York LaGuardia Airport. The Airbus A320, call sign “Cactus 1549”, was full of fuel and packed with 150 passengers. The crew—a veteran lead pilot with more than 19,000 flight hours logged, a first officer with more than 20,000 hours of experience, and three flight attendants—were finishing the day on their return to home base of Charlotte, North Carolina.
But less than two minutes after becoming airborne, the plane struck a flock of Canada geese, both of its engines were incapacitated, and the A320 lost airspeed. Two minutes and 37 seconds after takeoff, the commanding pilot called a mayday to the control tower and shortly thereafter, and—without any other realistic options—announced he would need to make a water landing.
What happened next was later called “The Miracle on the Hudson.” The pilots made an unpowered ditching of the A320 in the middle of the Hudson River, and the three flight attendants led all 150 passengers to safety. Although there were some serious injuries and cases of hypothermia, no one was killed.
Captain Chelsey “Sully” Sullenberger; first officer Jeffrey Skiles; flight attendants Donna Dent, Sheila Dail, and Doreen Welsh; and the emergency first responders were heralded by legions, including U.S. President George W. Bush and then President-elect Barack Obama. The story was told in numerous written accounts, and Sullenberger’s 2009 memoir, Highest Duty: My Search for What Really Matters, was adapted into the 2016 feature film Sully. At a time when the United States was still reeling from 9/11 and searching for heroes and heroic deeds, they were found on the afternoon of 15 January 2009, floating on the Hudson within a mile of where the World Trade Center towers once stood.
The Miracle on the Hudson is often cited as one of the most successful case studies in emergency and crisis management. It had all of the elements of an emergency—high stress, a compressed timeline, limited resources for management, and high potential for casualties, chaos, and reputational damage. In his memoir, Sullenberger often cited procedure as one of the most fundamental keys to his success. His procedures for flying—and ditching—were based upon guidelines, best practices, and standards established over the course of a century by aviation governing bodies and the thousands of experiences of those who came before him. Many of these were lessons learned from failure and paid for in blood.
One of the most remarkable outcomes from the Miracle on the Hudson incident was a complete lack of lawsuits. The U.S. National Transportation Safety Board (NTSB) and the European Aviation Safety Agency (the plane was assembled in France) concluded that the plane had been maintained and the crew had acted in accordance with regulatory standards. Investigators also concluded that U.S. Airways had acted responsibly in caring for its passengers and crew. It was a shining example of how establishing a strong governance program can provide resilience against operational, reputational, legal, regulatory, and strategic downside risk.
This is the third in a four-part series on security governance. The first installment, “Setting the Bar for Strong Governance in Security Management,” makes the case for establishing a governance program within your organization’s security risk management department. The second installment, “For Effective Governance, Start with Why,” implores you to ask yourself why you need a security program in the first place and then provides an outline for your program standards as to how you can communicate your why to the rest of your organization.
Once it’s clear why you need a security program, one needs to communicate the how: How should we do our jobs? These are the operational procedures—a tactical and operational product that will likely be the most cited resource to communicate the how for the most common tasks your teams are likely to encounter.
“The safety of the airline industry is significantly increased by practicing procedural requirements repeatedly,” says Rich Davis, former chief security officer of United Airlines. “Much of it is regulatory driven, but it is also a product of the extensive experience of the millions of hours logged by pilots and flight attendants every year. Such is also the case in security management. The best way of managing common tasks, based on experience and lessons learned, is to have standards and procedures in place to address all situations and to frequently utilize simulated exercises for training your employees.”
It seems pragmatic, right? However, a common excuse I’ve often heard among security leaders against establishing operational standards is often akin to, “The field doesn’t want to hear from corporate how they should do their jobs,” or “We’re too big. It’s unrealistic for us to issue guidance for so many (insert: business units, countries, facilities, cultures, etc.).”
I have often found that when one takes a collaborative, practical approach to establish governance products, the opposite is actually true. Our teams usually want to do the right thing and appreciate our guidance in doing so, and when that guidance is based upon established industry guidelines, best practices, and standards from organizations like ISO, ANSI, ASIS, and NIST, we provide additional legal protections for our teams and organizations. Further, these procedures should establish a baseline from which regional and area guidance can be created and better aligned—more prescriptive—with business units, countries, facilities, and cultures.
“We owe it to our people—from the young guard standing post to an experienced investigator in the field—to provide direction as to the right and wrong ways of doing their jobs,” Davis says. “Our guidance needs to be just prescriptive enough to be meaningful yet broad enough to allow for organizational, situational, and cultural differences. It is essential for the CSO to get support from multiple divisions (legal, HR, operations) within the company to establish a security culture throughout the organization. By adhering to the fundamentals–the procedures–everyone can conduct themselves with confidence, knowing they’re operating within the guardrails of organizational and industry expectations.”
What might operational procedures look like? I found a “Standard. Purpose. Procedure.” format to be helpful. If you have followed this series, you’ve already established your why with department standards. This codified your jurisdiction within your organization, so we will reference this with a direct citation for every tactical element we’ll address (standard). Second, we want to establish the reason for guidance in every category. Describe a scenario in which the guidance might apply (purpose). Lastly, walk the reader through the steps necessary to complete the task (procedure).
For example, when providing guidance for managing abandoned vehicles, the formatting and content may look like the following:
Reference: Global Security Standards § x.x.x Parking and Traffic Control
The security department (or functional department responsible for security) will have authority over all traffic, parking, and vehicles on company grounds to the extent necessary to maintain security at the site.
Facilities which provide uncontrolled parking may need to manage the issue of abandoned vehicles.
To ensure safe, secure, and accessible parking facilities at (organization name), each facility will institute a method by which to identify and remove abandoned vehicles from the property.
- (insert as many steps as necessary to complete the task)
This is by no means a comprehensive listing of tasks to include in your operational procedures because the type of your organization will drive your tactical and operational components, but your how might be codified within the following elements:
Like the department standards (and this can be exactly the same verbiage), your introduction should include:
- A high-level leadership statement outlining the importance of the security program and your security governance products. It tells a casual reader why the department exists and what the organization can expect from you.
- Application of the document. Explain where within the organizational ecosystem this document applies, doesn’t apply, or may be in conflict with other governance products. It also describes the process for determining what to do if other guidance is in conflict.
- Terminology defining titles of the members in the department and regularly used industry terms.
- Roles and responsibilities. Who are the members of your department and what do they do?
- How is your department structured?
- Who is responsible for similar functions like cybersecurity, safety, and/or risk management? They are likely not within your department, so make it clear to the casual reader where they reside.
Arranged in an easy-to-reference A to Z format, this may include guidance for the following:
- Abandoned vehicles
- Active violence/shooter
- Armed robbery
- Bag inspections
- Bomb threat and response
- Civil disturbance
- Conduct code
- Contraband (narcotics) on site
- Courtesy escorts
- Death on property
- Denying entry to facility
- Drone management
- Duress alarms
- Duty log
- Explosives, detection
- Heightened conditions actions
- Incident reporting
- Injury or illness (associate, vendor, or visitor)
- Key control
- Kidnap, ransom, or extortion
- Law enforcement requests
- Legal services
- Lost and found
- Media inquiries
- Moving violations
- Parking and traffic control
- Pass down log
- Post orders
- Property passes
- Public areas
- Radio use and etiquette
- Responding to disputes
- Security department briefing
- Security officer authority
- Security patrol
- Security responsibilities for associates
- Security screening
- Suspicious mail or packages
- Suspicious persons
- VIP visits and special events
- Visitor management
Like with all of your governance products, enlist the help of an attorney to help ensure compliance with internal controls and to minimize risk to the organization. Each of the above topics should be addressed in one to three pages, but more complex or sensitive topics like active violence, bomb threats, kidnap and ransom, or VIP visits and special events may warrant more extensive guides. In these cases, provide reference to where this guidance may exist, either as an addendum at the end or a standalone document. Consider creating a website where the latest copies of all products are made available and accessible to your global teammates.
Lastly, per guidance established within your department standards, this document should be reviewed regularly and updated for relevancy. For example, 10 years ago one would have been hard pressed to establish guidance for drone management. The same is not true today.
The final leg of our foundational governance series involves technical security. Supported by our department standards and operational procedures, this tactical and operational product will cover the selection, implementation, and management of the technical systems we use on a regular basis. This includes access control, video management, and intrusion detection systems as well as the less complex like keys, barriers, lighting, signage, doors, locks, glazing, and other common controls. Lastly, all of this is nothing more than a bunch of good ideas unless we’re willing to enforce them, so we’ll outline the architecture of a basic security audit program.
Erik Antons, CPP, PSP, is the chief security officer of Whirlpool Corporation, where he leads the physical security risk and crisis management programs for the $20 billion enterprise of more than 61,000 employees across 170 countries. Previously, he was vice president and CSO of Hyatt Hotels Corporation and the manager of international security and executive services
with Sempra Energy. Antons began his security management career as a special agent with the Diplomatic Security Service with the U.S. Department of State, where he safeguarded the people, property, and information of Americans overseas, often in critical-threat environments.
The comments and views expressed in this article are the author’s alone and may not reflect those of his employer.