Caveat emptor (let the buyer beware)-Owner estimates and other follies associated with purchasing security solutions

Have you run the numbers?

Have you run the numbers?

Due to the often abstract manner in which security is applied to an enterprise’s assets, determining standards and associated costs is typically quite challenging for even the most experienced of companies and their procurement departments. Furthermore, the final sense or achievement of security is unlikely to be the result of any one department or service and dependent on numerous supporting elements, some from within the company and some externally, to result in the desired objective. It is therefore puzzling as to why a company that does not produce or commercially distribute security products and services would believe they were proficient in determining the financial cost of such services and if they were to apply a margin of error; believe that they were within a mere 10-20% of the provider’s price.

Companies regularly direct their internal departments to determine fair-market-value for their prescribed security demands. Some companies also engage the services of consultants with alleged expertise to assist in this process. Where the plan fails is from the very outset with the majority not even having any first hand experience in running such commercial services, let alone within the terms and conditions set by the company. This excites and frustrates service providers as it presents a headache to educate the company or and opportunity to profit from their hubris or ignorance. Further amplified in developing markets where less scrupulous vendors abound or operate unregulated.

At the pinnacle of this phenomena are those companies that apply a technical and commercial selection criteria. Their first stage presents grossly limiting criteria such as minimum 3 years operating within that sector, prior sector experience, specified office locations, set employee number and so on. This all but removes any possibility of competition within markets outside of the most developed of countries. The second stage then hinges on all the errors accumulated by the company and their advisors to determine what they would charge or see as fair value for such services; with a small margin for error. Quite likely they will also then select the lowest tender.

For companies that want to maximize their budgets, get true value for money or not suffer from ex-post ransom (cheap bids that manipulate the company after the successful contracting to drive the initial price up for fear of re-tendering costs and processes due to potential service failure) or winner’s remorse (you get your service at a bargain price at auction, only to discover that you could have purchased cheaper or better quality items if only you have been better prepared) they should consider the following options:

  1. Get better advice! Only use vendors or individuals that have supplied the same or very similar commercial services continuously without incident/failure.

  2. Develop a specific model for security purchasing. Factor in all the demands, including the required peace of mind or loss mitigation, then work towards a price range relative to the location and industry for such desired quality. Don’t assume your threat assessment and treatment solution approach is accurate either.

  3. Work in a collaborative solutions outcome approach with your providers, not a carrot and stick or contempt approach. If you choose wisely, seek a win-win outcome, listen to advice and modify your initial concepts to include those of the providers and you will get a much better sense of the costs and limitations and avoid surprises/disappointments later on. After all they will be protecting your most precious assets once you commit to a solution.

Caveat emptor applies equally to the foolish and the wise. The difference being that the wise have either read the instructions first or the fool learns from experience, most likely bad.


Chicken or the pig, what came first?-The growing menace from Swine flu and other health crisis

Fact or Fantasy?The evolving threat from any health crisis should be a major concern to all those charged with ensuring their company’s resilience. When Swine Flu first surfaced, the public interest was akin to the gold medal tally board during the Olympics, if my country isn’t represented in the top five, who really cares? Sadly, with planners and medical advocates focusing on an inconsistent and flawed measurement tools such as the WHO’s running tally, most will not recognize the threat until it is literally upon them and rife within their communities. Much like the stock exchange, if the S&P 500 is surging, it is no guarantee that you are inclusive of the rally, alternately if it is plunging you could very well be unaffected. Why should the WHO’s numbers be any different?

When it is widely acknowledged that most governments, certainly within developing countries, are not the most dynamic of organizations and the list of failings by numerous administrations remains long and varied; why have so many placed such absolute trust in their ability to manage this particular crisis? Are so few people aware of the already over extended healthcare system in even the most developed of countries? When people are already waiting lengthy periods for non-life threatening surgeries and general practitioners are dwindling in number do they really believe that thousands of people even mildly ill simultaneously will be serviced in a timely manner? Not to mention the issues over any drug or vaccination that is rushed to market exclusive of any standardized clinical trials. I agree that the current trial periods may be too long but look at the countries that are mandating or implementing widespread vaccination programs of the first round of vaccinations. Concerning? Volunteers?

Even the most progressive multinationals have turned a blind eye to the inequalities of everything outside their home country when addressing planning and prevention for a major health crisis like swine flu. Their “home ground” view seems to be the same assumptions and standards for addressing the issue abroad. Since when has India had the same labor laws as the US? Since when has Indonesia enjoyed the same level of broadband connectivity to enable for employees to telecommute? And who in their right mind would assume that employees in China will stay at home and monitor their own health to ensure they do not contaminate the rest of the office/factory? Contractors and consultants in the UK recently declared that they were unlikely to stay away from the office if sick as they are on an hourly/daily rate which would be reduced should they not turn up for work. So much for that assumption! How many people do you think fill in the health declaration forms accurately when entering a country with such screening? Even Hong Kong’s current attempts are nothing more than superficial and mere inconvenience rather than anything of substance or consistency.

Malaysia has acknowledged their citizens are oblivious to Swine Flu and its affects. India is in a growing state of fear over the sudden realization they could be affected too, and they are helpless to do very much at all. Many employees in companies within India simply walk off the job to care for family if they think or confirm an ailment. How much of the world’s back office is situated in India? What do you think the impact will be from thousands who don’t turn up for work or significant diminished service capacities within India? South Korea, Taiwan and China all have major problems. They thought it was a European and Americas problem. Their population is ill informed, suspicious of the government, dependent on them to do something, have very underdeveloped risk management strategies and little to no budgets for such countermeasures, not to mention the care of extended family responsibilities well beyond that of the European and American cultures. Forget what the conflicting medical opinion is, do you really believe this will not be a problem?

Swine Flu (I don’t refer to water as H20 either) is not a human health issue. It is not limited to public health and safety. Like never before, company resilience to this issue will be determined by their actions and implementation, not industry standards or piecemeal government efforts. More concerning is that while these companies will be well prepared, their vendors, suppliers, consumers, affiliates, distributors, advocates and just about everyone else will not enjoy the benefits of their planning and be at the mercy of dynamically shifting environmental influences. You don’t need an economist to confirm the impacts of the economic downturn, equally any similar announcements by the medical fraternity will come well after the obvious, and at present, inevitable impact. On the scale of victim to survivor, where do you fall?

Asleep at the wheel-Outdated assumptions and current threats

Is my assessment still relevant?

Despite countless events and incentives to change, a startling number of companies are still behind the business curve with regards to their risk management. In much the same way a train travels on a set track that has been planned, surveyed, laid and maintained for predictable routes between key locations it doesn’t permit for deviation or adaptability. Given a large enough obstacle it can even be derailed, damaging the train, goods, passengers and requiring major repairs before service is returned. Shareholder value may be affected and the reputation of the company called into question. While the business demands swift and timely movement between locations, the business decision making process is likely to be much slower than the business operation.

Enterprise resilience is a relatively new term and still foreign to most. Outdated risk management structures are functional silos of threat identification, budgets, management and risk mitigation with higher than average potential for duplication, wastage and blind spots not covered by the functional departments or managers. The people overseeing the strategy or implementing the objectives may also be inexperienced or lack authority to encompass all the necessary business aspects.

To further frustrate the process is the human trait that ensures the longer one is exposured to a situation, activity or location results in complacency or diminished ability to identify emerging risks. We have seen this in action most recently with companies operating in Thailand. Despite repeated and almost obvious changes in the situation across the country, but more so in the capital Bangkok, thousands of people and hundreds of companies were taken totally unawares when protesters blocked streets, business environment altered, airports closed and open violence on the streets. The situation was largely predictable and measured preparedness and planning would have negated any major disruption or continuity issues. Thanks to the legacy emotion of Thailand being a “great place” companies almost refuse to accept the new status and many have dismissed the past events as “isolated” and still remain vulnerable to what is the new order until resolution is evident. A similar situation is emerging in Malaysia at present. With a large foreign investment, multinational headquarters, expatriate placements and active international travel, the affects of the changing state in Malaysia will have similar impact on companies and personnel. The signs are there; rule of law, emergency services, crime, religious fragmentation, social unrest, health crisis and financial division are not easily remedied and constitute a here-and-now threat that must be mitigated accordingly.

Enterprise resilience begins at the top. If your board, C-suite or executive leadership is not engaged, the process is doomed from the outset. If the identification and preparation for threats are not inclusive of the enterprise and a representative counsel, the results will be similarly weak. Modern management and competitive advantage lays with those that are hard-wired to the assets and issues in parallel. To know what constitutes value, and the priority to the business along with emerging and dynamic incident surveillance rounded out with a replicatable and efficient decision making process will ensure survival of the fittest. This is an even more poignant issue for those with there manufacturing, management, back office processing or supply lines in developing economies where even the most basic of enterprise resilience strategies are specks on the horizon and not perceived to be an economic imperative. The vehicle is in motion, its speed increasing and the business may be depending on you as the designated driver. The question is, are you asleep at the wheel?

Penny wise, pound foolish-human capital risk management

Do you know the actual value?

In spite of the considerable investment and development around the preservation of assets and the mitigation of risks across conventional corporate assets such as facilities, information, equipment and products, the same methodology and motivation remains far less advanced in regards to human capital.

Before any organization even explores risk management strategies for their human capital it is fundamentally important that they first determine the value at risk. Not only is it a case of valuing the contributions of the individual or groups of personnel but differentiating the value in which they contribute to the company, whether it be through the provision of specific skills and services or the commercial value they present the company. These distinctions also need to be made between job functions or management/executive levels. No two individuals are contributing to the company in the same manner, much less two diverse business functions.  How many companies even know this definitive financial value of their people?

Following the basics of valuation, and any other unique considerations that the company may have (mobile work force, fixed laborers, knowledge capital, research and development) a unit cost can then be applied for prioritizing strategies or expenditure. For example, an individual that reflects a unit cost/investment per hour of $1 will be less likely to addressed as a priority when compared to an individually that presents a unit cost/investment per hour of $100. However, if there are significant numbers of the basic unit cost of $1 at risk, that group as a whole may be a greater priority than that of a single or limited $100 per unit cost individual.

Threats and residual risks associated with human capital are many and varied. Over time a detailed and thorough analysis can be conducted to determine the probability, velocity of onset and other governing factors that will provide a single or annual loss expectancy to the company. A single loss expectancy, such as death, may cost the company significantly more than just the forecast value identified in the first stages. Conversely, an annual loss expectancy, especially in light of the fact many companies are unable to even quantify this loss, may equate to millions of dollars in lost productivity, administrative burden or opportune costs.

To truly understand or appreciate the current or potential losses to a company through their human capital it is imperative to model the disruptions and time loss (inclusive of management and departmental support) to a cellular and group level. If someone falls ill, how long are they unproductive? What does it cost the company? Should the become a victim of crime or their business activity disrupted due to a natural disaster, what is the cost to the company? When applied to our entire human capital asset base, what is our single and annual loss expectancy?

“You can’t improve what you can’t measure” If you are making a truly informed decision on where your assets are distributed, you can then make informed decisions around strategies to preserve their value. You also enjoy the benefits of comparative investment/management. Most companies are surprised to discover that despite their commitment to their people, they actually devalue their contribution by not acknowledging them as an asset and preserving it accordingly. Are you one of those companies?

Companies that have undertaken to approach the management of their human capital consistent with other corporate assets have found the process highly rewarding and very confronting. Conversely, those adverse to such strategies or behind the curve continue to loose more money than the cost of such preparation and mitigation. They too find over time that penny wise turned out to be pound foolish.