After the alarming murder of an insurance company CEO last week, questions about protection and security for CEOs and other executives are suddenly high on the agenda for boards of directors. A big concern: will there be copycat attempts? According to a security officer for a threat management software company, quoted on CNBC.com, “Everyone’s scrambling to say, ‘Are we safe?’….This is an inflection point where the idea of executive protection is now raised to the board level. Everyone I know in the industry is feeling this.” This anxiety is only compounded by the volume of information available online disclosing executives’ addresses and itineraries. As discussed in this new article from the Harvard Business Review, while incidents of workplace violence are “unfortunately too common” in the U.S., CEO targeting is “relatively rare.” But that risk level may have changed: in “today’s world of grievance and anger, easy access to weapons and information, and high-profile attacks on public figures, companies must take seriously their duty of care for executives and employees alike.” The article presents a framework for C-suites and boards “to balance competing interests of need, efficacy, and cost to ensure executive protection….How does a company strike the right approach in preventing the low likelihood, but very high consequence of an attack on a CEO?”
The author, Paul R. Kolbe, a former director of the Intelligence Project at the Harvard Kennedy School’s Belfer Center for Science and International Affairs and a former officer and executive in the CIA’s Operations Directorate, advises that boards carefully examine three elements of risk: threat, vulnerability, and consequence.
Threat. To assess the level of threat, which the author defines as a combination of capability and intent, the author suggests a series of questions aimed at determining who might intend to harm the company, why, what could the company do to change that intent and what are the threat actor’s capabilities. Threats can be identified through client or customer communications, including social media; “[s]entiment analysis and prioritization of written or uttered threats is critical. Most will be noise,” he suggests, “but attuned security analysts empowered with rich data and AI can separate threat wheat from chaff.” If any threats are identified, a security team can study their histories and assess whether the threat actors might be prone to engage in violence or other illegal activity. According to one authority cited in the article, the “simple fact is that if you are a leader of a large organization, you are inevitably going to make decisions that upset people every day—which automatically makes you a target.”
Vulnerability. The author contends that vulnerability is a measure of the effectiveness of a company’s defenses. The security team should determine where the defenses are weak and make them stronger, adding multiple layers. The author advises that “assessments of executive residences, workplaces, travel plans, and public schedules are de rigueur for professional security teams.” Defenses may include “physical barriers, adaptable protocols, bodyguards, and comprehensive security planning for travel or events,” along with a “threat intelligence collection program which tracks bad actors as well as the overall security environment.” The author, however, identifies two “self-limiting factors”: first, potential executive rejection of bodyguards and other security and second, and, he contends, “more pervasive,” is cost: “[c]orporate security teams face perpetual cycles of cost cutting, must continually justify their existence, and face resistance in implementing sound risk-based plans. Companies fall into the trap of believing that because something hasn’t happened in the past, it won’t occur in the future.” The problem, one commentator cited in the article highlights, is understanding the “low likelihood, high-consequence risk.”
The author recommends that, in assessing the extent of “vulnerability,” boards and executives should ask the following questions:
- “Do we understand the strengths and weaknesses of our access controls, physical barriers, and security assessment process?
- Do our executives have public or social media profiles which may cause controversy, or which provide valuable targeting information to an attacker?
- Do we have the capability to collect general and specific threat intelligence?
- Do we have relationships with law enforcement, security providers, and industry organizations that will maximize our ability to protect our people?
- Do our executives listen to and accept security guidance?
- What additional resources or processes will provide the most important security enhancements?”
Consequence. The author advises that, to “effectively prioritize the nature and level of security measures to employ,” companies will need to work with chief security officers to understand the potential impact of a security event. Expending significant resources on a low-consequence event may not make sense. The author acknowledges, however, that it may be challenging to measure consequence. He suggests that companies employ tools such as war-gaming to better understand the “knock-on effects” of a potential security event.
The author recommends that boards and executives run through a
“series of ‘what if’ questions—and be particularly mindful to examine second- and third-order effects.
- For any given security issue, what are the worst-case scenarios? What are the various impacts they may generate across the company? Remember to not reject scenarios because you don’t see them as likely. The discussion is on consequence, not probability.
- What pre-planned responses can the firm take that will mitigate the impact of an event when it occurs? Active-shooter drills, evacuation plans, crisis management exercises, and rehearsed responses can help minimize the bad effects of a terrible day.
- In the event of an incident, are we ready with a communications strategy for our employees, shareholders, regulators, and the public?”
Careful consideration of these questions, along with appropriate allocation of resources and development and implementation, together with the security team, of a “risk-based security plan,” should help boards to “anticipate threats before they manifest, and to deal with them when they do.”
Be sure to check out this helpful article!
