Security policies and procedures do not protect individuals or property! Anyone who has conducted a risk assessment of a facility realizes that the average employee does not understand or care about corporate security policies and procedures. Apathy and lack of understanding toward security are very common at all levels of a corporation. Apathy and ignorance are not limited to the employees—management suffers from the same conditions. Employee attitudes are formed by management attitudes and apathy. When managers do not care, why should the employees?

Other problems cause ignorance of safety and security issues. One of the major problems is management’s belief that it knows everything worth knowing. Many managers are totally ignorant of the security risks affecting their organization. They only become concerned when they are required to respond to a situation involving death or injury to an individual or one that reflects adversely on the corporate reputation. At that point, finger-pointing and the placing of blame become the corporate strategy, intended to show management in the best light possible and put the blame on subordinates. This is nothing more than the abdication of their management and supervisory responsibilities. Basically, it is “pass the buck, pass the blame, and accept no responsibility.”

One of the major problems causing management apathy is that security personnel do not require that security policies and procedures be approved at management level. Requiring management approval creates a situation where management becomes aware of security risks and the actions necessary to mitigate them. Management approval also sends a message to others that security is a management concern and that employee compliance is required. This management approval cannot be a “rubber-stamp” action—managers must understand the underlying problems and agree that the preventative actions are appropriate.

Security policies and procedures cannot be static documents. Periodic review and analysis should be conducted at least annually. All policies and procedures should reflect the current situation and not be automatically updated without a current assessment of risks.

The most important aspect of obtaining compliance with policies and procedures is ensuring employee “buy-in”. When employees believe that the policies and procedures are important, the degree of voluntary compliance will increase. Additionally, management “buy-in” is a necessary ingredient to a successful security program. How to get “buy-in” is not a difficult process.

“Buy-in” can be easily obtained by addressing a questionnaire to all staff members to get their opinions on security risks and preventive measures. Staff members may have identified a security risk but, for reasons known only to them, have not brought it to the attention of management or those individuals specifically responsible for the security program. The theft of property from offices and a feeling of insecurity when traveling to the parking lot are just two examples of security risks not normally passed on to management. The reasons for non-reporting may be that the individual does not believe that it is a significant risk worth reporting, the fear of retribution, the belief that nothing will be done, or the fear of being laughed at by others who do not agree with their perception of a problem.

A security suggestion program in concert with a reward program will stimulate employee participation and compliance with the security program.

Another method for obtaining “buy-in” is employee involvement in developing the policies and procedures. When employees feel that they can have input into something that affects them, they will be more apt to comply with the program. As part of developing appropriate security policies and procedures, the employees will provide input on what they consider to be realistic controls, while at the same time providing different perspectives on the impact of the policy or procedures.

To impact compliance, there must be a comprehensive and realistic explanation of the security program and the benefits to the employee and the overall business entity. Standing in front of a group of people and reading the policies and procedures to them is not an effective method of communication. The use of PowerPoint presentations, TV clips and reports of actual incidents will provide a more interesting orientation without putting people to sleep because of boredom. Another significant method is to have a speaker from a business that has suffered a loss due to a security risk who can relate the effects of a good security program from a realistic experience.

To establish credibility and to ensure understanding, policies and procedures must be periodically tested. Failure to do so will significantly increase civil liability in the event of a security risk problem. All employees, and all tenants in the case of a multi-tenant building, must be required to participate in testing as required. For example, if there is a policy that requires periodic fire drills, the drills must be carried out and all affected personnel must participate without exception.