Feature

Auditing & Process Building in Security Industry

The culture of Auditing & Process Building in India: An Overview

 

The Indian economy saw a major emergence of both domestic and foreign MNCs within its political borders with the economic liberalization reforms of 1991. With this, while the inflow of foreign direct investments (FDIs) increased in various industry verticals of the economy, the inherent risks of the local environment remained ingrained in the newly set-up businesses and industrial zones. These risks primarily related to crime, terrorist activities, civic disturbances, natural disasters and likes. In short, while businesses opened up hastily and pro-actively in the new economic environment, the existing mindset regarding the culture of security did not necessarily change or follow the structural changes in the economy.

Decades later, the reluctancy of looking over the security aspect as an ‘additional’ cost to an organization have now shown near-tectonic effects. At the domestic level, the long and diverse nature of the unrest unleased by the Citizenship Amendment Act (CAA) brought business continuity to a standstill in different states across the country. Second, at both domestic and global levels, the benefits of the historical reforms of 1991 have been neutralized by the outbreak of the Covid19 pandemic.

The current scenario has now compelled businesses to re-assess that crisis plans are irrelevant, unless they can actually be implemented on-ground. The adoption of pragmatic and far-sighted processes and audits in security culture is a small but decisive step in this regard.

Why is a change in the current scenario needed?

 

The outbreak of the Covid19 pandemic has highlighted once again that business risks may be mitigated, but never be actually prevented in whole from occurrence. It may not be an exaggeration to state that the pandemic has exhibited apprehensions/ risks of unprecedented extent and nature, of which no business continuity or crisis management plans had ever envisaged while they were framed.

A survey carried out, in the midst of the pandemic, displayed the following outcomes from the respondents (mostly senior security managers of global firms in India).

 

While the above responses honestly display the current psychological mindset of professionals trying to gauge the pandemic effects on their organizations, the irony remains that global organizations had well-thought and drafted standard operating procedures (SOPs) on security and emergency response processes. Organizations, at their end, have also invested resources, time and capital to draft SOPs. Under such circumstances, it becomes more pertinent to assess whether these SOPs have been applied in reality, reviewed, up-graded or just have stayed on paper revisions?

Analysing key shortcomings in Security Audits and related SOPs

 

Having discussed the current state of affairs in the overall corporate security domain in preceding sections, assessments and experiences gathered across various industry verticals primarily display the common shortcomings as follows:

  1. Absence of simplicity and use of excessive jargons or technical words: Not every person is a security professional and SOPs must be understood by cross-functional teams.
  2. Recommendations provided by security auditors are not implementable: Solutions recommended are either too expensive or not precise to be understood by the auditee.
  3. Holding back of knowledge by the security auditor: The auditor feels that giving too much insight in one audit itself may lead to loss of future business generation from the auditee.

Below are few examples of the arguments put forward:

  • Vague recommendation: Increase the boundary wall to ensure that it is difficult to be accessed by anyone. The wall must be fenced appropriately to further increase the height and reduce the risk of unwanted intrusion.(Note:Recommendation does not specifically explain height, fencing etc).
  • Use of jargons: Installation of GPS in your official vehicles may be integrated with authorized SIGINT software, as legal under laws, to your centralized command centre (supported by back-end 24/7 embedded staff). (Note: Recommendation does not explain what elements like SIGINT, Embedded etc., mean for non-security professionals/ teams).

The way forward: Suggestions for Improvements

 

The simplest ways for building actionable SOPs are to be guided by the very principles that drive the business and people of that organization. These are the principles of simplicity, accessibility, transparency and consistency – to build processes towards business excellence which every global firm strives for. While this may look like an uphill task for an organization, it actually is not:

  1. A change in the psychological mindset is the first step. Auditors need to exercise transparency and act as trusted partners to the organization which calls them upon. Similarly, the organization/ auditee must not be afraid of an auditor’s findings when the findings are provided in an amicable, lucid and professional manner by the auditor.
  2. SOPs do not need a crisis to prove their existence. This means SOPs need to be carried out in action through mock drills and red teaming exercises. Such real-life scenario enactments are very essential to review and identify strengths and weaknesses in a real emergency
  3. SOPs can never be time-bound i.e., there must always be room for the unknown future. The bridge to integrate the present and the future is to review and identify weaknesses in current SOPs and supplement them with new wings i.e., new or supplementary SOPs. This is a continuous cycle and has to be carried out at least every 1-2 years (depending on size, total asset value etc., of the organization).
  4. The role of stakeholder engagement (right from first-response teams to emergency managers to board/ owners) is indispensable in building sustainable and well-communicated processes. Else, audits and SOPs just remain limited to control room logbooks.

Conclusion

 

The need of the hour for corporate India is to hence shed away pre-conceived notions regarding the negative attitude attached to security auditors and their scope of work. A confidence-building measure towards attaining this is the innovative concept of peer auditing (where security managers of different companies audit each other’s facility) as a voluntary and goodwill expression. Such audits develop a sense of comfort and familiarity to the idea of allowing an external party to have visibility and access to an organization’s internal state of affairs – primarily security.

For process building and security audits to emerge as a coherent function in overall business continuity of an organization, the role of a security auditor cannot be undermined. Security auditors need to be honest and precise in their audit findings, and present facts in a simple and amicable language. The ‘policeman’ image of the auditor needs to be replaced with the image of a ‘trusted advisor’ in the mind of the auditee.

The ongoing pandemic, while affecting global businesses adversely to unprecedented scales, also provides the opportunity for a change in mindset of corporate India towards security. History has never presented an opportunity of such magnitude before, and this needs to be capitalized and made sustainable for security processes to be adopted in near future.

This article has been compiled from a virtual presentation made by the author at the Overseas Security Advisory Council (OSAC), Delhi Chapter, on 4 June, 2020. Views expressed are those of the author



 

To top