Risk and Security Management - Michael Blyth - E-Book

Risk and Security Management E-Book

Michael Blyth

Description

Learn to measure risk and develop a plan to protect employees and company interests by applying the advice and tools in Risk and Security Management: Protecting People and Sites Worldwide. In a world concerned with global terrorism, instability of emerging markets, and hazardous commercial operations, this book shines as a relevant and timely text with a plan you can easily apply to your organization. Find a series of strategic to granular level policies, systems, and concepts which identify and address risk, enabling business to occur in a manner which best protects you and your company.


Page count: 836

Year of publication: 2015




Table of Contents

Cover

Series

Title

Copyright

Dedication

Preface

Acknowledgments

CHAPTER 1: Risk Consultancy and Security Management

PROJECT PLANNING

BALANCING SERVICE DELIVERY

COMPANY AND VENDOR RELATIONSHIPS

CONSULTANTS’ OBJECTIVES

CONSULTANT SKILL AREAS

PRINCIPAL CONSULTANT ERRORS

CHAPTER 2: Initiating New Contracts

BUSINESS CYCLE

PROPOSALS

PROPOSAL CONCEPTS

PROPOSAL PROCESS

ANALYZING THE REQUEST FOR PROPOSAL

PROPOSAL

EVALUATING THE PROPOSAL

PROPOSAL PRODUCTION

CHAPTER 3: Service Delivery and Quality Assurance

COMMON VENDOR AND COMPANY FAILINGS

UNDERSTANDING THE ACTIVITY

SERVICE DELIVERY SUPPORT

MANAGING SERVICE DELIVERY

QUALITY ASSURANCE PLANS

REPORTS AND RETURNS

MANAGEMENT SYSTEMS

MANAGEMENT CONSIDERATIONS

COORDINATION WITH EXTERNAL AGENCIES

MEDIA MANAGEMENT

PERSONNEL AND TRAINING

CONTRACT MANAGEMENT

CHAPTER 4: Threat Evaluation and Risk Management

RISK AREAS

RISK MANAGEMENT PLANS

IMPLEMENTING THE RISK MANAGEMENT PLAN

RISK ASSESSMENT

IMPACT ASSESSMENTS

RISK LEVELS

PRESENTING RISK

CONTINGENCY PLANNING

CRISIS MANAGEMENT

CRISIS MANAGEMENT TEAM LEVELS AND STRUCTURES

CRISIS MANAGEMENT TEAM STRUCTURE

INCIDENT RESPONSE TEAMS

CRISIS MANAGEMENT TOOLS

TYPES OF CRISIS MANAGEMENT RESPONSES

POST-INCIDENT REVIEW

MONITORING THE RISK MANAGEMENT PROGRAM

CHAPTER 5: Scope of Risk

NONPHYSICAL THREATS

PHYSICAL RISKS

DOMESTIC TERRORISM

CHAPTER 6: Consultancy Services

DUE DILIGENCE

INVESTIGATIONS

FORENSICS

INFORMATION SECURITY

SCREENING

SECURITY MANAGEMENT DESIGN

SECURITY STRUCTURAL DESIGN

CRISIS MANAGEMENT

GOVERNANCE AND DEVELOPMENT

POLITICAL ANALYSIS

SECURITY CONSULTING SERVICES

AUDITING CONSULTANCY

CHAPTER 7: Project Management

PROJECT FAILURE

PROJECT LIFE CYCLE

PROJECT PLANNING

PROJECT DESIGN

PROJECT START-UP

PROJECT INITIATION

PROJECT MANAGEMENT STRUCTURES

RISK AND SECURITY PROJECT MANAGEMENT

MANAGEMENT CATEGORIES

PROJECT CONTROLS

PROJECT INTEGRATION

CHAPTER 8: Mobile Security Services

UNDERSTANDING THE NEED

PSD STRUCTURING

MANAGEMENT PRINCIPLES

PROCESS INTERFACES

INNOVATIONS

PSD TACTICAL PRINCIPLES

MOBILE SECURITY CONDUCT

PSD PERSONNEL SELECTION

MEDICAL PROVISION

VEHICLE CONSIDERATIONS

CONVOYS

CHAPTER 9: Facility Security Services

FIXED CAMPS AND FORWARD OPERATING BASES

MOBILE FACILITY SECURITY

FACILITY SECURITY MANAGEMENT

RELIEF IN PLACE

SECURITY CONSIDERATIONS

LAYERING SECURITY

PHYSICAL SECURITY STRUCTURES

SECURITY SURVEILLANCE AND LIGHTING

CONVENTIONAL SECURITY POLICIES

EVACUATION PLANNING

CHAPTER 10: Evacuation Planning

EVACUATION PRINCIPLES

EVACUATION PLAN ELEMENTS

EVACUATION MANAGEMENT

PROCESS PLANNING

EVACUATION TRIGGERS

ALERT STATES

EVACUATION PLAN COMPONENTS

RECOVERY MANAGEMENT

CHAPTER 11: Disaster Response Management

HUMANITARIAN OPERATING ENVIRONMENT

WORKING WITH GOVERNMENTS

MANAGEMENT PREPARATION

PRINCIPLES OF DISASTER RESPONSE

STAGES OF DISASTERS

DISASTER MANAGEMENT

PREPAREDNESS PLANS

MOBILIZATION

SUSTAINMENT AND DEMOBILIZATION

CHAPTER 12: Security Documents and Exhibits

CONSULTANCY PROCESS

INTELLIGENCE REVIEWS

THREAT ASSESSMENTS

SECURITY SURVEYS

OPERATIONS ORDER OR MOBILIZATION PLANS

SECURITY PLAN

SECURITY AUDIT

INCIDENT MANAGEMENT PLANS

CHAPTER 13: Government versus Commercial Contracting

DIFFERENCES BETWEEN U.S. GOVERNMENT AND COMMERCIAL CONTRACTS

GOVERNMENT CONTRACTING

MARKET SIZE AND SCOPE

U.S. GOVERNMENT STRUCTURE FOR ACQUISITION

ACQUISITIONS

FEDERAL ACQUISITION REGULATION SYSTEM

CONTRACTING AUTHORITIES

PROCUREMENT METHOD

RFP AND THE UNIFORM CONTRACT FORMAT

EVALUATION

CONTRACT AWARD AND ADMINISTRATION

TYPES OF CONTRACT

Index

End User License Agreement

List of Illustrations

CHAPTER 1: Risk Consultancy and Security Management

Exhibit 1.1 Risk Consultancy and Security Management Focus Areas

Exhibit 1.2 Balancing Service Delivery in Different Risk Environments

CHAPTER 2: Initiating New Contracts

Exhibit 2.1 Business Cycle

Exhibit 2.2 Proposal Pricing Foundation Elements

Exhibit 2.3 Price versus Quality Considerations

Exhibit 2.4 Simplified Proposal Process

Exhibit 2.5 Defining the Service

Exhibit 2.6 Vendor Self-Analysis

Exhibit 2.7 Complete Service Offering

Exhibit 2.8 Proposal Structure and Elements

Exhibit 2.9 Providing a Full Answer

Exhibit 2.10 Proposal Evaluation Cycle

CHAPTER 3: Service Delivery and Quality Assurance

Exhibit 3.1 Fundamental Requirements of Solid Service Delivery

Exhibit 3.2 Program Structures

Exhibit 3.3 Contracted Services versus Additional Areas of Support

Exhibit 3.4 Pillars of Service Delivery Success

Exhibit 3.5 Concealed Risks and Threat Perceptions

Exhibit 3.6 Typical Billing Cycle

Exhibit 3.7 Identifying Quality Assurance Targets

Exhibit 3.8 Setting Contract Goals

Exhibit 3.9 Personal Security Detail Work Schedule and Performance Plan

Exhibit 3.10 Resource Availability Audits

Exhibit 3.11 Simple Quality Assurance Grading Systems

Exhibit 3.12 Information Flow Management

Exhibit 3.13 Reports and Returns Scheduling Table

Exhibit 3.14 Efficiencies in Information Presentation

Exhibit 3.15 Formatting Weekly Reports

Exhibit 3.16 Specific Task Risk Assessment

Exhibit 3.17 Historical Risk Tracker Report

Exhibit 3.18 Serious Incident Reports

Exhibit 3.19 Travel Return Seating Plans

Exhibit 3.20 Presenting Serious Incident Information

Exhibit 3.21 Titling Reports

Exhibit 3.22 Information Flow and Management

Exhibit 3.23 Structure of Vendor Databases

CHAPTER 4: Threat Evaluation and Risk Management

Exhibit 4.1 Risk Management Elements

Exhibit 4.2 Layering Risk Considerations

Exhibit 4.3 Risk Management Plan Considerations

Exhibit 4.4 Risk Management Process

Exhibit 4.5 Risk Management Cycle

Exhibit 4.6 Establishing Measurable Risk Evaluation Criteria

Exhibit 4.7 Incremental Risk Impact

Exhibit 4.8 Credible Risk Evaluation Criteria

Exhibit 4.9 Mapping Risk Ripples and Impact Effects

Exhibit 4.10 Establishing the Risk Picture

Exhibit 4.11 Trend Analysis Representation

Exhibit 4.12 Risk Management Calculation Models

Exhibit 4.13 Historical Risk Tracking Tables

Exhibit 4.14 Tracking and Accounting for Risk

Exhibit 4.15 Evaluating Mitigation Against Risk Impact Costs

Exhibit 4.16 Balancing Risk Costs Against Risk Impacts

Exhibit 4.17 Representing Risks

Exhibit 4.18 Risk Management Options for Corporate Leadership

Exhibit 4.19 Establishing a Risk Approach Matrix

Exhibit 4.20 Providing Simplistic Descriptions to Capture Risk Natures

Exhibit 4.21 Contingency Plan Structuring

Exhibit 4.22 Implementing Simple Policy and Permission Flows

Exhibit 4.23 Crisis Management Flow Example

Exhibit 4.24 Information Management Flows

Exhibit 4.25 Crisis Coordination Planning

Exhibit 4.26 Relationship between the IRT and CRT

Exhibit 4.27 Pragmatic Personnel Contact Sheets

Exhibit 4.28 Information Management: Incident Reporting

Exhibit 4.29 Information Management: Strategic Planning

Exhibit 4.30 Risk Management Considerations for a Contingency Plan

CHAPTER 5: Scope of Risk

Exhibit 5.1 Varied Impacts of Risk Factors

Exhibit 5.2 Improvised Explosive Devices Examples

Exhibit 5.3 IEDs Causing Critical Infrastructure Damages

Exhibit 5.4 Safety Table for Unexploded Ordnance and Suspect Packages

Exhibit 5.5 Differences between EFP and Platter Charge Projectiles

Exhibit 5.6 Small Workshop Machine Production of EFPs

Exhibit 5.7 MANPAD Capability Table

CHAPTER 6: Consultancy Services

Exhibit 6.1 Consultancy Work Flow

Exhibit 6.2 Simple Graphic Representations

Exhibit 6.3 Consultant Graphics

CHAPTER 7: Project Management

Exhibit 7.1 Aligning Business and Security Project Management

Exhibit 7.2 Mapping Process Impacts

Exhibit 7.3 Typical Project Failure Points

Exhibit 7.4 Stages of the Project’s Life Cycle

Exhibit 7.5 Exception Plans Resulting from Project Change

Exhibit 7.6 Simplified Gantt or Project Flow Chart

Exhibit 7.7 Visualizing Project Design Solutions

Exhibit 7.8 Project Management Structures

Exhibit 7.9 Project Flow Dependencies

Exhibit 7.10 Highlight and Exception Reporting

Exhibit 7.11 Project Data Management

Exhibit 7.12 Grading Intelligence Information

Exhibit 7.13 Intelligence Cycle

CHAPTER 8: Mobile Security Services

Exhibit 8.1 PSD Tiering Methodology

Exhibit 8.2 Bolting on PSD Resources

Exhibit 8.3 Configuration Table

Exhibit 8.4 Differences in Focus between Military and Commercial Security Groups

Exhibit 8.5 Augmentation by Quick Reaction Force Resources

Exhibit 8.6 Complex PSD Management Structures

Exhibit 8.7 PSD Management Scheduling Systems

Exhibit 8.8 Work Process and Output System Example

Exhibit 8.9 PSD Process Interfaces

Exhibit 8.10 Route and Spot Mapping

Exhibit 8.11 Close Protection Team Member Skill Set

CHAPTER 9: Facility Security Services

Exhibit 9.1 Mobile Site Security Planning Cycle

Exhibit 9.2 Tactical Operations Center Management Structure and Operational Interfaces

Exhibit 9.3 Reference Mapping and Grid Overlays. Copyright © Iraqi Military Satellite Image, 2004.

Exhibit 9.4 Developing Simple Facility Schematics

Exhibit 9.5 Floor Plans and Building Representations

Exhibit 9.6 Management Transition Plan Example

Exhibit 9.7 Illumination of Project Operations. Copyright © K. Smith, 2005.

Exhibit 9.8 Layering Facility Security

Exhibit 9.9 T-Wall Example. Iraqi Military Base. Copyright © M. Blyth, 2006.

Exhibit 9.10 Entry Control Point Structural Layouts

Exhibit 9.11 Hesco-Bastion Barriers Example. Iraqi Military Base. Copyright © M. Blyth, 2005.

Exhibit 9.12 Trajectory Considerations for Protecting Facilities, Personnel, and Assets

CHAPTER 10: Evacuation Planning

Exhibit 10.1 The Evacuation Principles

Exhibit 10.2 The Evacuation Planning and Implementation Process

Exhibit 10.3 Simple Alert State Table

Exhibit 10.4 Simplified Response Table

Exhibit 10.5 The Reoccupation Planning Process

CHAPTER 11: Disaster Response Management

Exhibit 11.1 Stages of a Disaster

Exhibit 11.2 Management Layers Example

Exhibit 11.3 Sandstorms Affecting Project Locations. Iraqi Military Base. Copyright © Peter Jones, 2004.

CHAPTER 12: Security Documents and Exhibits

Exhibit 12.1 Consulting Process

CHAPTER 13: Government versus Commercial Contracting

Exhibit 13.1 Differences between Government and Commercial Contracting

Exhibit 13.2 Contracting Process

Exhibit 13.3 FAR Parts

Exhibit 13.4 Typical Evaluation Team Structure

Exhibit 13.5 Different Forms of Government Contracting


Mike did a great job of defining the significant areas relating to the management of risk into clearly defined chapters that offer a contracted consultant, the security professional or other senior management an easy reference guide. It provides a complete view of the potential pitfalls complex contracts may encounter with an eye towards helping both the consultant and client mitigate risk.

Robert G. Molina, Jr., Global Security Manager, LyondellBasell Industries

Mike has created an excellent handbook which provides the reader with a clear path through the labyrinth of industry procedures and practices so necessary to deal effectively with the business of protecting people and businesses as they set about operating in evermore challenging environments.

Dick Stiles, Program Manager Parsons Iraq Joint Venture

Whether an on-site visit or simply office-bound, Michael’s risk and contingency management procedures created the safest possible environment for staff to carry out their duties. Other security and risk professionals would do well to follow his lead.

Tim McNeill, Risk Analyst, Shell

Business is routinely conducted in dangerous and volatile regions of the world and companies often don’t know, or don’t understand, the associated risks and security management requirements. Mike Blyth’s excellent work addresses just this issue and provides a valuable one stop reference guide and primer for risk and security management. His book is a must read resource for business leaders pursuing opportunities around the globe, and risk and security management professionals seeking to hone their skills.

Wayne Ashcroft, Executive Vice President, Bowhead Technical and Professional Services

This book brings together all that is necessary to enable law enforcement agencies, the military, commercial companies, government agencies and prospective clients to work together with common understanding. Protecting people and assets to ensure business continuity requires a multi-disciplined approach, with significant investment of resources. Working with Mike and his company made me realize we were talking the same subject but with different words; this led Mike to draw together widely used methods and provided the comprehensive book for international cooperation and cross agency activity in this complex area of investment.

Paul Harries, Police Inspector, London England

Michael Blyth has used his deep knowledge and wide ranging experience of security matters to produce a timely and truly perceptive book in which he addresses the fundamental need for protective measures with a pragmatic and sensible approach to risk management. Having personal experience of working with him in the most demanding security environment, I cannot commend this book too highly.

Adam Peters, Commander British Forces Diego Garcia and Commissioners Representative for the British Indian Ocean Territory 2001–2003.

Just when you think you’ve seen the best and the brightest of the international security set, along comes Mike Blyth with one of the most comprehensive, useful books I’ve seen in my 35 years of mitigating threats worldwide. In fact, Mike has taken me to school on a couple subjects. His breadth of knowledge of the threat equation is superb, but more importantly, he has mastered the art of the elusive RFP. This book is a must for anyone who is serious about conducting security ops abroad.

Ray Baysden, International Security Expert

This volume astutely illustrates the need to “speak the language” of corporate executives in order to successfully indoctrinate risk management protocols into a business program. The guidelines and specific, actionable plans presented offer just the right tools for a corporate security professional to demonstrate their immense value to corporate executives.

Greg Hoobler, Senior Global Security Analyst

Michael’s breadth of experience comes out in this comprehensive look into the security and risk management world. The themes he has captured encompass the full spectrum of security consulting and management from concept to capture to execution.

Mark Cusick, Counterintelligence Agent, US Army

Mike brings a wealth of knowledge gained from both his military and corporate experience operating in many of the harshest regions of the world. He has managed to lay out this book in a clear and concise manner and offers practical advice for both the novice and most experienced security professional.

Gary Oliver, Director, BSG LLC

This book is both informative and thought provoking. It is an extremely helpful tool for all those, ranging from independent consultancy through to head of security for corporate organizations, who work in the security industry—Highly recommended!

Ian Daniel, Security Consultant

Risk and Security Management

Protecting People and Sites Worldwide

MICHAEL BLYTH

This book is printed on acid-free paper.

Copyright © 2008 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Blyth, Michael, 1972–

Risk and security management: protecting people and sites

worldwide/Michael Blyth.

p. cm.

Includes index.

ISBN 978-0-470-37305-7 (cloth)

1. Risk management. 2. Emergency management. I. Title.

HD61.B55 2008

658.4 073–dc22   2008006391

To my wife, Kristen, who practiced poor contingency management when she decided to marry me, and has been crisis managing ever since. And to our children, Alex and Amber, who test our crisis management skills daily.

Preface

It is estimated that the risk management and security market could be valued at over $300 billion by 2010, fueled by rapid business intelligence needs and the growth of physical security service requirements that enable government and commercial activities to occur, especially in remote, volatile, and commercially challenging environments. Despite the significant market for these services, industry expertise is often developed within government organizations and then applied to the commercial sector with very little in the way of transitional awareness or appreciation of the unique principles of commercial application. Even the largest and most well established international risk management and security services companies often lack detailed policies, procedures, and information capture structures. The same is also frequently true for commercial entities with organic risk management and security departments working under pressure to manage multiple business and project activities, with limited resources and budgets. Few organizations provide adequate instructional programs, resulting in inefficient uses of time, effort, and resources, while concurrently risking business continuity and company resources and assets through inadequate project and management controls.

When entering the risk consulting and security management sector after 14 years as an officer within the British Royal Marine Commandos, I quickly realized that often both industry standards and internal company policies and procedures were limited or, at times, absent throughout the industry. The management teams across the leading security companies (and the contracting client companies) I worked with, for, or alongside were often populated with impressive leadership that brought dynamic, pragmatic, committed, and innovative solutions to support government and commercial projects under challenging and fluid conditions. I and many others gained commercial exposure and training while on the job, situations that at times in retrospect exposed the companies to avoidable risk when managing a wide spectrum of crisis events such as mass evacuations, complex attacks, and industrial accidents within critical infrastructures. It was also evident that support structures and the sharing of well-established materials, concepts, and information occurred mainly in a disjointed manner, and often through networking and relationships rather than through organized channels, policies, or information custodians. Many reasons exist for a lack of commercial risk and security structures: these include transient consultants flowing through dynamic and uncertain contracts; the fact that policy and procedure development frequently is viewed as a cost center rather than a business enabler; and the fact that the time and resources required to establish and maintain such systems can be considerable, often exacerbated by fast-moving, underresourced, and fluctuating commercial environments.

While in the Royal Marines, I led the development of some relatively complex and unique risk management policies and security plans for the protection of strategic facilities and large geographic regions with multinational and multiethnic security groups. These exercises provided me with a solid framework for running large and complex commercial operations at the point of delivery as well as managing the corporate requirements as the client interface. Like many ex-government employees entering into the risk management and security industry, the learning curve moving straight into volatile program management functions was steep, and many lessons came about through watching experienced and competent leadership and then developing new or adapted solutions to suit fluid business requirements. Throughout my career I have been fortunate to work with professionals with a wealth of experience and knowledge, and much of my professional development has been gained through absorbing and adapting their expertise to evolving requirements.

As such, this book is designed to support executive company leadership, chief security officers, risk and security directors, program and project managers, and contract and procurement officers in understanding how risk management and security services can be used to enable business to flow seamlessly and productively, even under the most challenging conditions, bringing convergence to often complex and disjointed organisations. The content of this book is also designed to illustrate how business recovery can be better achieved following a crisis event, as well as to frame what companies might expect from security providers contracted to support projects in new, remote, or dynamic operating regions. It is also designed to support commercial and government bodies in enhancing and structuring policies, procedures, and project management groups to better identify and manage the spectrum of risk, whether companies face challenges supporting United States Agency for International Development (USAID) programs in the Federally Administered Tribal Areas of Pakistan; are seeking to conduct health projects for the Department for International Development in Nigeria or southern Sudan; are supporting reconstruction, development, or hydrocarbon initiatives in Afghanistan and Iraq; are operating commercial enterprises in crime-ridden regions such as Mexico and Kazakhstan; or are entering new and uncertain market regions such as Libya. The book is also designed to support risk consultants and security managers currently operating within the industry, as well as those seeking to enter this dynamic and diverse field with concepts, frameworks, and observations that might provide additional ideas for enhancing existing structures and approaches. In addition, it brings further clarity on some approach methodologies, systems, and tools to make for more efficient and effective risk and security management.

The book captures some main themes of risk management and security provision in 13 chapters, most of which overlap in terms of implementation and impacts. A chapter-by-chapter breakdown of the topics covered follows.

Chapter 1. Risk consulting and security management services are two distinct but often overlapping fields, forming the basis of how security services are planned, resourced, and conducted. Inserting risk advisory support at the outset of the business cycle will likely determine the extent of a project’s success. Sound security management will then sustain the business enterprise, ensuring service delivery meets contractual expectations. This chapter captures how the company and its vendors should develop relationships, understandings, and quality assurance methodologies that will better support the management of risk and ensure the most productive business activities.

Chapter 2. Risk consultants and security managers play an increasingly important role in program design and business case justifications, especially as companies operate in more challenging or remote regions. By understanding the business process, risk and security advisors can be better positioned to assist their companies in successfully entering new and challenging environments safely and productively. This chapter provides the premise for understanding business activities, which can then be placed into a risk management and security services context.

Chapter 3. Service delivery is the provision of agreed products or services within specified timelines and cost frames. It forms the basis for productive business activities. Both companies and security vendors must understand the specified and implied services contracted, collaboratively developing policies, systems, and regulatory mechanisms to ensure that high-quality services are performed. Problem solving, accountability, and agreed methodologies will create the framework from which productive business results will flow. This chapter supports both companies and vendors in maximizing organic resources and leveraging supporting organizations in order to punch above their weight in terms of capabilities.

Chapter 4. The areas of contingency planning and crisis management have grown in prominence during recent decades as both governments and businesses suffer significant losses through a combination of inadequate risk analysis and poor management of emergency situations. Such losses have necessitated comprehensive risk management plans and crisis management structures. This chapter provides a framework for ensuring that business continuity is achieved through the protection of people, resources, and reputation, as risk management enables forward planning through the identification and management of risk, allowing businesses to weather, and recover from, a crisis most effectively.

Chapter 5. Business activities are susceptible to a variety of risks, ranging from the more intangible threats to a company’s reputation, to the harder physical risks resulting from criminal or terrorist threats or events. Understanding the spectrum of risks and how the risks might impact the company, employees, the business enterprise, and corporate reputation forms the basis for risk management and successful business continuity. This chapter provides insight into the scope of risk that many companies face, allowing managers to understand and navigate complex and changing risks to their company’s activities, enabling a greater degree of business continuity assurance.

Chapter 6. Risk consulting services require the greatest blend of intellect and expertise. Often such areas create the most frustration, or achieve the worst results within the risk management and security industry. Consulting services are complex and unique, requiring the application of well-grounded management skills, task-specific knowledge and the ability to capture information and recommendations in a concise, logical, and well-structured manner. This chapter explains the unique service of risk consulting, which often bridges the gap between risk management and project success in order to support business activities, often under challenging and shifting conditions.

Chapter 7. Project management is the discipline of organizing and managing resources to ensure a business goal meets its defined scope, quality, time, risk, and cost constraints. A project can be considered a temporary and one-time endeavor, with a defined exit strategy, undertaken to create a unique product or service that brings about beneficial change or added value to an organization. Even within conventional business environments, projects are prone to failure, and project risks are exponentially increased when companies operate in remote or challenging regions. This chapter demonstrates how the alignment of business and security project management is critical for activities to succeed in any business environment, especially where unconventional or unfamiliar risks are present.

Chapter 8. Mobile security is a term used to define the movement of people, assets, and materials by land, sea, or air. It presents some of the highest risks and most dynamic management activities faced by businesses today. Mobile security ranks as one of the most complex and challenging areas for risk management and security provision due to often prolonged risk exposure. This chapter illustrates how mobile security services must be subject to robust and comprehensive planning and service delivery oversight in order to best protect the company’s business interests and employees’ safety.

Chapter 9. Critical infrastructure or facility security protects the company’s assets, structures, personnel, and activities and should be viewed in a holistic manner, considering how the site operates within the larger context of surrounding and supporting communities and organizations, as well as how to best secure and manage the site itself, through a combination of structural, human, and technological measures. This chapter discusses how facility protection solution design should integrate organic resources, leverage external capabilities, and reflect both risk and business needs.

Chapter 10. Evacuations are singular events in that they can involve large numbers of people under stressful and difficult conditions, often without time for detailed planning or preparation. Evacuations impact both individuals and the company as a whole. This chapter discusses how evacuation planning is a significant element of any risk management plan and requires prescripted coordination, clear lines of decision making, and buy-in at all levels in order to be effective.

Chapter 11. Disasters come in many forms, from intrastate conflicts to catastrophic man-made or natural events. Companies with existing infrastructures or employees within disaster-struck regions, or those supporting disaster response requirements, are faced with unique challenges and a wide spectrum of risks. This chapter provides an understanding of the stages of a disaster and how they impact the company, requiring the development of tailored crisis management plans around postulated risk factors. Such plans enable companies to manage risks and ensure business continuity when these crisis events occur.

Chapter 12. Some companies have detailed and well-established security documents and exhibits, methodologies, and protocols, while others have limited structures in place or reinvent the process repeatedly. The unique nature of each task often demands a tailored approach to security documents. Often consultants are faced with the problem of not what to say but how to structure and deliver information in a consistent and concise manner. This chapter demonstrates how to avoid significant resource wastage and to enhance information capture through effective design, structure, and data management.

Chapter 13. Commercial and U.S. government contracting methodologies have many similarities. However, they also have fundamental differences that determine how both companies and their vendors undertake business activities within risk environments. This chapter introduces how business, contract, project, risk, and security managers must understand the nuances of each business approach in order to ensure that project activities are compliant and best support the overall business process.

For those wishing to comment or pose questions regarding this book, feel free to contact me at [email protected].

Acknowledgments

Many people have contributed either directly or indirectly to my professional growth and the content of this book. The list is long and spans those whom I have worked for and with, as well as those who have worked for me. It is impossible to recall all those who deserve some level of thanks, and so to all those I have missed and who have helped me in some shape or fashion throughout my professional life, my thanks. In particular, however, I would like to pay tribute to a select few who have helped develop my knowledge or professional capabilities at various strategic junctures of my life.

Foremost I would like to thank my father, Alexander D. Blyth, a retired army colonel whose stories and anecdotes led me to join the Royal Marines (he didn’t mention sleeping in muddy ditches during his stories!) and who has provided a continued source of much-respected and sound advice throughout my various careers. I attribute much of my success to his counsel, although I would never admit this to him, as being a Scotsman he would seek some form of monetary compensation.

My thanks also go out to Adam Peters, whom I worked for under the auspices of both the Foreign and Commonwealth Office and the Royal Marines. Adam gave me the latitude to develop territory-wide security policies and plans that were then adopted by the U.S. State Department. He also provided the rare environment in which a British officer could command several hundred U.S. security personnel as well as strategic assets in what was a highly effective multinational operational group. Adam proved a levelheaded and effective leader under interesting and challenging conditions, and is now a lifelong friend.

For my civilianization to the risk world, my thanks to Tom Mulhall, Director of the Security Management Programme at Loughborough University, whose patience in bringing an academic approach to my militaristic style exposed me to different ways of perceiving the commercial security industry and led to the early commercialization of my professional skills. I continue to direct those seeking to move into management levels within the risk management field toward such valuable courses as run by Tom and Loughborough University.

In addition, Tom Valentine has been both a mentor and a friend from the outset of my commercial career(s) and has provided a source of pragmatic and candid advice and guidance since I departed the Royal Marines. I had the pleasure to work with Tom as he handled the corporate business for Control Risks Group, and I managed large program operations in Iraq. In addition, I had the pleasure of briefly working alongside him in Washington, DC, as he undertook the role of business director, and I assumed the position of director of operations. Tom is well respected and highly experienced within the risk management field, and he and his wife are good family friends.

My thanks also to Glenn McLea, the corporate security director for Parsons Corporation, with whom I worked closely in both Iraq and the United States. Glenn’s support as both a client and a friend within a complex and challenging operating environment did much to ensconce me into the commercial risk management and security services industry. His candor, balanced management, and pragmatic approach to ensuring both business success and safe project operations set a great tone for my commercial career. Glenn has been a good friend and an invaluable sounding board.

My personal thanks also to David Amos and Kevin Drake, whom I worked with closely during my time in Iraq as well as in the corporate world. Consummate professionals, bringing both balance and flair to some of the most challenging and complex projects, their advice and guidance was instrumental to my professional development within the commercial environment, and their friendship and comradeship made even the most trying periods both enjoyable and positive in nature.

I would also like to express my appreciation of Michael Frayne, one of the most professional senior operations managers and risk consultants it has been my pleasure to work with. Michael ensured the smooth and effective running of some of the most complex and dynamic commercial projects within Iraq, managing all tactical aspects of service delivery as well as maintaining a first-rate client relationship under challenging conditions. His professionalism, commitment, and ability to think around corners, combined with a good sense of humor and unruffled approach, especially under crisis conditions, was priceless, and made for a thoroughly enjoyable working environment in Kirkuk. Michael is a good friend and consummate professional.

Finally, I would like to thank Dick Stiles and his team at Parsons Iraq Joint Venture. Dick was the epitome of a good client, always willing to listen to advice and invariably implementing solutions that best met project and security needs. Dick maintained a levelheaded demeanor when most project managers would be seeking cover. Always calm, even when we conducted mass evacuations of remote sites. Never without a moment to discuss important issues and approachable despite a hectic work schedule and incessant project demands, he quickly became a good friend and respected client.

CHAPTER 1: Risk Consultancy and Security Management

Most organizations would not go into business without insurance coverage, yet surprisingly few have systematic and integrated programs to address the issue of business continuity, or have qualified in-house expertise to support risk management and operational delivery. The globalization of commercial risk has led to a greater appreciation of the need for corporate planning to identify and manage a wide spectrum of threats to business success through the use of risk consultancy and security management.

Although no organization can prevent all crises from occurring, everyone can lower the odds of their occurrence while also mitigating the negative effects a particular crisis might have on brand confidence, business and operational productivity, market reputation, employee morale, and corporate liability. The importance of risk consultants and business managers in the field of business continuity—as a means by which to identify, address, and manage crisis events—has grown during recent decades, primarily because both government agencies and commercial businesses have suffered significant losses through inadequate risk analysis and the ineffective management of crisis events. Business continuity (and those security professionals who assist companies in the design and implementation of associated policies and plans) forms the foundation of how any organization prepares for situations that might cause business interruption, thereby jeopardizing the core mission and long-term health and sustainability of a group or enterprise.

Risk consultants and security managers manage the relatively unaddressed and widespread needs of convergence within an organization; they bring together often disparate groups and resources to achieve a unified and holistic risk solution. Given the current global climate, every business, regardless of its nature and geographic footprint, should hire qualified and experienced security professionals to establish comprehensive risk management policies and plans. Such plans allow companies to identify, avoid, manage, and recover from a crisis, sustaining business continuity under the most challenging circumstances.

Companies should also understand that risk consultants and security managers provide more than just security-related services. They can be leveraged as business enablers, allowing businesses to make better-informed decisions before committing finite company resources to a venture, allowing corporate leadership to map risks against potential commercial gains. Security professionals can positively affect all layers of an organization’s management, from supporting business managers in developing more competitive business solutions, to enabling project managers to design more efficient and productive project plans prior to investment or risk exposure.

As security professionals play increasingly important and elevated roles within companies and their corporate boardrooms, advising chief executive officers (CEOs) and executive leadership on their company’s risk exposure while concurrently coordinating multidisciplinary solutions, the importance of making risk management an integral element of a broader corporate strategy increases. Companies now better understand that they can choose to avoid, transfer, share, mitigate, or accept risk and that risk and security managers are evolving to bridge the gap between corporate leadership, strategic business units, program managers, and other company divisions.

While many of the benefits derived from risk consultants and security managers overlap, companies should understand that security consultancy and management services are entirely different in nature and scope. Each comes with unique and particular requirements and professional skill sets, both within a contracted security company, as well as among the managers or consultants the company may field. Companies should also understand the nuances of expertise connected to both categories; the selection of qualified management personnel should reflect the specific functions the company expects from them. By understanding the differences associated with each area, as well as how they might be merged to provide a combined service, companies will achieve more productive risk mitigation and security management, and therefore better business and operational results.

Often companies with limited in-house risk consultancy and security management resources seek external support on a case-by-case basis. The provision of successful security services as a whole often depends on a security provider’s ability to determine what the company wants as well as what it actually needs; many times companies require professional assistance with determining their security requirements. Both parties should have a clear understanding of consulting and management service expectations, capturing these needs under a contract that sets the parameters of services, both expected and funded. Although this may seem to be obvious, often companies are unsure of the scope of what is required and will seek more support than is either envisaged or funded during the life of a contract—effectively resulting in scope creep. This can present both positive and negative challenges for the security provider, as the company (or clients) becomes reliant on the provider and offers opportunities to further develop the relationship and explore new market opportunities. Conversely it also presents a challenge to contracted vendors, as the company’s management may make requests or create requirements for support outside of the contractual and funded agreement. Careful balancing of both factors is necessary to ensure success by both parties and also prevent the company from placing unrealistic expectations on their provider for work that does not result in revenue generation or, worse, results in financial or capability losses.

Fundamentally, consultancy and management are distinctly different services, although both may be required in unison under one contract. Risk or security consultancy is basically the provision of specialist security advice and guidance, whether it is providing security surveys, audits, policies, business recommendations, or procedures, often with an eye for concurrent business development opportunities. Risk or security management is effectively the managerial and administrative control and coordination of personnel and assets, providing advice and guidance in terms of how best to manage project operations, with a smaller degree of attention to business opportunity, as shown in Exhibit 1.1. These two services can be provided concurrently as a unified service, where the specialist supplies advice to establish the need and approach, then services or directs the resulting tasks.

The distinction between the two services, consultant and manager, is, however, often unclear to a company, which may envision a combination of the two functions supporting their task when actually contracting for only one service. Both the company and the service provider must clarify and articulate the difference. Likewise, where a combination of both elements is required, and as the project grows in needs, both company management and the security provider should seek modifications to a contract to support the provision of unforeseen services. This is important to both parties, in terms both of staying within the parameters of the contract and in avoiding problems associated with providing services that could come with legal or reputational issues, or result in the provider breaching the contract’s service deliverable terms by focusing on the wrong task areas.

Exhibit 1.1 Risk Consultancy and Security Management Focus Areas

It is also easy for local vendor management to slip into a habit of providing more and more assistance, to the point where they are supplying a considerable amount of additional unpaid effort. This is more so the case for security managers, where they are asked to contribute to policies, plans, and strategies rather than focusing on running the security resources. For vendors and companies alike, this can be considered good business practice up until a point, but in some cases it can negatively affect both the company and the provider if a sensible balance is not struck. While clear distinctions and agreements should be made with regard to the funded services being contracted for, it is worthwhile to remember that it is often useful to provide additional services in the short term (until a contract modification can be made) in order to retain a healthy intercompany relationship. The service provider should seek to achieve the balance of helpfulness and pragmatism, without being taken advantage of or alienating the company’s management, and the company should seek to compensate the service provider to acknowledge the additional and often unfunded efforts undertaken.

The distinct differences between consultancy services and program security management are discussed in greater detail in the chapters that follow. This chapter is designed to set the scene regarding how security services, both consulting and management, operate between company and service provider or vendor organizations.

PROJECT PLANNING

Ideally the company will engage a security provider or individual consultant at the beginning of the business activity’s life cycle, prior to any actual work being started. Consultants therefore are best placed to gain a better understanding of the project requirements and dynamics before any plans are made and resources are allocated by the project team. This allows consultants to influence the strategic planning of the company from the outset, preferably in alignment and partnership with the business team targeting a specific opportunity. Consultants arriving midway in the business or project life cycle will face additional challenges; concepts and plans will have been developed independently of advice, and budgets and funding may have been set. As a result, it will be psychologically harder, and probably more costly, to modify such concepts and plans as resources may have already been contracted and mobilized, and changes may interfere with an activity or incur unaccounted-for costs. In the ideal situation, consultancy or management services will be provided before plans are made and resources mobilized, ensuring that the company’s and the project’s plans are developed and aligned with actual needs, saving time, money, and effort in the long run.

It is important for the consultant to understand the dynamics that affect different individuals within the company and project organization, not just in terms of the roles and responsibilities, but also regarding the organizational peculiarities, structures, human dynamics, and office politics residing in any group of professionals. By understanding the goals, objectives, and concerns of different company managers, the consultant will be better positioned to offer observations and recommendations in a manner more likely to gain traction. In addition, the security or risk management element of some companies might have an equal voice within the overall management structure, while in others they are relegated as an afterthought and might even fall under the health and safety officer or in the human resources department.

While security providers and their consultants may interface with multiple parties within a company, from the CEO to legal, contracts, and projects, typically there are three practical interfaces the consultant will deal with to complete the actual task itself:

Business manager. Business managers are responsible for targeting opportunities and gaining board approval to enter new markets or expand existing regional business opportunities. Often business managers are motivated by financial targets and have quarterly or annual targets to meet in order to grow client portfolio and business revenues. They lead capture teams in order to present business solutions that meet client quality and cost needs, and often view security as a cost element that might undermine the probability of their success. Business managers who are grounded in risk and security management seek security as a component of their solution, understanding that it will increase the value of their proposal. Those who are unfamiliar with operating in remote or challenged environments will be less inclined to consider the applicability of risk and security within their approach.

Program/project manager. Program/project managers normally seek to achieve the milestones set for the activity in terms of objectives, schedule, and cost. Their task is to ensure that the business activity achieves what is expected, when expected, and within budget. Aside from their professional responsibilities, most companies link the career and bonuses (perhaps a percentage of the actual contract value) of program or project managers to achieving these objectives, with every cost and delay to the project reducing the value of the personal incentive award. As such, poor management typically focuses on getting the job done rather than focusing appropriately on risk, while strong managers will seek advice and guidance to identify and manage risk as a proactive project approach. Both company risk managers and security vendors will need to balance the corporate and personal drivers against their own task of mitigating risk and providing good service. Good managers will balance both project goals and risk consideration; others may view risk and security as an unnecessary hindrance.

Security providers or in-house security managers who are able to offer recommendations that directly focus on objectives, schedules, and costs, while concurrently mitigating risks, will better support the company’s project success and will more likely gain better traction with executive leadership. Those security providers or in-house security managers who focus on risk mitigation in isolation, and who do not consider the business objectives within every risk decision, will have a limited ability to place their role within the wider context and will not enable the most productive business results.

Security manager. A company may assign a different name to the management position responsible for managing risk and coordinating security services, or may subsume the role within a more generic corporate position, such as under health and safety, human resources, or the legal department. For those companies operating within more challenging environments, a defined position is often required to directly focus on risk mitigation. Security managers are often in the difficult position of providing observations or recommendations that might be viewed as constraining the productivity and speed of the project as well as incurring unnecessary costs. Typically security is considered a cost center rather than a means by which to conduct productive business or project activities.

The difficulty is further exacerbated as the security manager is embedded within the company, and thus the manager’s career and livelihood may depend on retaining a good relationship with the business leaders as well as the program and/or project manager, rather than offering frank but unpopular recommendations. The security manager will be focused on balancing his or her own company’s office and management politics, ensuring that the recommendations do not discredit him- or herself or increase activity costs. The security manager will also seek to ensure that any security vendors are best exploited on the company’s behalf, while also ensuring that risk is mitigated and security is provided at an appropriate professional level. The security provider should be aware of these factors in order to best support the security manager, as well as to identify the best approach to achieve the desired risk mitigation and security measures needed to protect the company.

BALANCING SERVICE DELIVERY

While every contract and project has unique needs, the general principles of security consultancy and management remain the same. There are three interconnected areas a company and their security provider must balance when managing a contract:

Contract requirements and company expectations.

Provider’s business needs and service delivery standards.

Project and environment risk factors.

The weight of each factor will differ, depending on the company’s business goals, expectations, and the corporate risk tolerances associated with both the project and the environment in which the contract operates, shown in Exhibit 1.2. The security provider will also bring its own needs to the task, including its business objectives and corporate risk tolerances. In a conventional or nonhostile project environment, the relative importance of these three areas will vary depending on the contract’s specific requirements. A consultancy or security contract in a conventional environment generally will focus more on the company’s expectations and the provider company’s business needs, with risk mitigation concerns being a smaller area of consideration. Conversely, in a hostile environment, the risk factors and mitigation measures play a more significant part of contract consideration, with company and provider business needs and project interests being proportionally reduced in relation to risk considerations.

Exhibit 1.2 Balancing Service Delivery in Different Risk Environments

Of course, all factors are interconnected and must be viewed holistically, as risk is connected to the company’s ability to perform project tasks to standard, on time, and within budget, and effective risk management protects the company from physical, financial, delivery, reputational, and liability risks. It is also important for both the company and the security provider to understand that every action creates a reaction, and that the project activities themselves may increase the risk factors by raising risk profiles or providing opportunities for unwanted attention and thus in turn influencing the contract requirements and subcontracted security provider’s business needs, creating a cyclic process of reevaluation and contract change.

Contracted risk consultants or security managers supporting a task will be most effective if they understand the business needs of both the company and the contracted vendor, placing these needs into the context of the varied risks faced by both, from corporate and strategic concerns to the more personal or granular levels. Balancing service delivery requires consultants to be positioned to offer the best advice and service, meeting as many individual and group interests as possible. For example, at the granular level, the consultant and the company’s risk manager may wish to identify where a project manager, whose bonus relies on the timely completion of a task, may be more inclined to place him- or herself and others at risk, increasing the focus on contract requirements while reducing the value of input from the security provider as well as the attention paid to mitigating postulated risks. Often robust service delivery management is necessary to balance business needs against those of risk management.

Alternatively, a company with a low risk threshold that is unfamiliar with a new environment or activity may view the risk mitigation advice and security services provided by a vendor as a means of operating within an environment that it otherwise would avoid, thus increasing the importance of the security provider’s input within a contract. Company risk managers should be cognizant of the vendor overtly or covertly imposing its own tolerance levels or risk perceptions to executive management and seek to ensure that the correct balance is achieved.

The table below offers some considerations to indicate how both the company and the security provider’s focus on each area of consideration may vary.

| Expectations | Impacts | Risk Focus |
| --- | --- | --- |
| Company payment tied to schedule | More inclined to take risks to ensure timely project completion | Low |
| Company payment tied to performance | More inclined to allocate monies to mitigate risks during contract | High |
| Company has low risk threshold | Likely to withdraw from project if risks increase or injuries occur, or invest in risk mitigation | High |
| Company accepts high risk threshold | Higher likelihood that risks are accepted; possible cavalier attitude and lower investment in risk mitigation | Low |
| Company defers security responsibilities to vendors | Company may force definitive provider agreements to achieve project needs and may demand unrealistic or high-risk services from security vendors | Low |
| Company dependent on security provider/vendor for decision making | Company reliance may result in greater acceptance of advice and guidance, limiting the ability to conduct quality assurance of security vendors | High |
| Security vendor values its own reputation | Security vendor may refuse work, or take a strong position on accepting risk in order to protect its reputation or liability exposure | Varies |
| Security vendor’s business development goals important | Security vendor may accept higher-than-normal risks in order to grow business quickly | Low |
| Security vendor has low liability tolerances | Greater focus on liability risks, especially injuries and deaths, thus driving more candid and realistic recommendations and approaches | High |
| Security vendor’s experience in service | Experience varies the balance of company/risk/business needs | Varies |
| Risks posed direct to project | Threats posed directly to a project result in greater focus on risk through specific project-targeting threats | High |
| General risks high for region | General risks may result in more balance between project needs and risk levels | Medium |
| Project faces low risks | Low risk levels may result in a greater focus on the business needs | Low |
| Only provider faces risks | Providers who face all risks focus on their own business needs; companies may accept higher risk levels as they will not be affected | Varies |

The company effectively has the final vote on what level of security is provided, as it controls the budget and may change security providers who do not meet its requirements or expectations. That said, sound company management will consider the advice and guidance offered by security professionals, both internal and external, in order to strike the correct balance between business needs and risk management. Good security vendors will offer candid advice in order to provide the best service. However, human dynamics play a significant role in how effectively management decisions are made. Often the balance is not achieved and risks outside of corporate tolerance levels are accepted at a local level.

COMPANY AND VENDOR RELATIONSHIPS

The development of a strong professional relationship between the contracting company and the security provider’s management often underpins the levels of success of the business venture, as well as the ability to provide productive consulting and management services. Disjointed management relationships, groups operating in isolation, or the failure to understand the business needs or to acknowledge risk factors will place all personnel and companies at avoidable risk. As with any management structure and process, integration is vital, especially within hostile, remote, or new business environments.