Section II
A Tactical Perspective
5 Laying the Foundation and Setting the Ground Rules
Shallow men believe in luck. Strong men believe in cause and effect.*
R.W. Emerson
5.1 FUNDAMENTALS OF CORPORATE DEFENSE
How does an organization go about addressing its corporate defense obligations? All organizations are faced with the possibility of potential hazards, and these can arise for numerous reasons. Examples of potential hazards include litigation, fraud, regulatory breaches, crime, espionage, and natural disasters, to name but a few. These hazards represent not only short-term financial risk to the organization, but also a potential knock-on reputational impact, not to mention the human implications and costs. Ultimately, all hazards can have a financial implication, be it in the form of additional costs, reduced profits, or impact on share prices, and so on. These hazards can typically be the result of deficiencies in an organization's corporate defense program, whereby these deficiencies were either intentionally or unintentionally exploited.
5.1.1 CORPORATE DEFENSE MEASURES
Every organization is faced with its own unique set of risks, threats, and vulnerabilities, and these will vary depending on the organization's philosophy and culture, the business sector it operates in, its geographic location, and so on. As a result, each organization in turn will need to take its own unique steps to defend against the occurrence of potential hazards in order to help preserve stakeholder value.
5.1.1.1 Corporate Defense Disciplines
There are a number of corporate defense components that are generally acknowledged to be required in order to help preserve value and safeguard stakeholder interests (i.e., governance, risk, compliance, intelligence, security, resilience, controls, and assurance). All organizations typically implement a diverse mix of these components to varying degrees in the operation of their business. Each of the critical corporate defense components will have certain specialist disciplines associated with its area of expertise that in themselves require specific technical skills and relevant qualifications. An organization's existing corporate defense measures are a reflection of the extent to which each of these critical components is currently being addressed, and hopefully this mirrors the organization's corporate defense requirements given its own unique circumstances.
5.1.1.2 Current Corporate Defense Efforts
Generally speaking, an organization's corporate defense measures evolve over time as a reaction to its prevailing circumstances. In some organizations, it is acknowledged in advance that certain defense disciplines are necessary and that these require a specific level of experience and expertise. This can result in the setting up of specific departments or functions to act as competence centers for these disciplines (e.g., risk management or compliance functions). In other organizations, the level of experience and expertise in a particular discipline may simply develop organically over time based on the organization's experiences in that particular area. Each organization needs to be fully cognizant of the extent of its current corporate defense efforts in each of the critical corporate defense components and the level of experience and expertise available within the organization in relation to different corporate defense disciplines.
5.1.2 THE CORPORATE DEFENSE RATIONALE
Corporate defense is generally associated with taking appropriate measures to protect the organization and its stakeholders from the occurrence of hazard events. This can include measures to help ensure that its stakeholders are safeguarded from danger, attack, or harm. It can also include taking actions to help shield the organization from experiencing the impact of loss or damage, be it of a financial, physical, or reputational nature. The requirement to defend can be associated with an individual stakeholder, a group of stakeholders, or their associated tangible and intangible assets. Defending against the occurrence of loss or damage is no easy task, as it represents an asymmetric challenge: loss or damage can arise as a result of so many different events, all of which need to be defended against, and yet only one needs to occur in order to incur a loss or damage. Corporate defense therefore requires constant alertness and continuous vigilance. From a stakeholder perspective, corporate defense represents a fundamental responsibility that is entrusted to their organization and its guardians.
If addressed in an appropriate manner, corporate defense measures can be effective in protecting the organization and its stakeholders from hazard events. These measures can also help support growth, sustainability, and profitability in the long term. If poorly or inadequately addressed, however, corporate defense can result in loss or damage and in poor performance, and can lead to ongoing organizational decay in the long term. It can also result in the loss of stakeholder confidence and trust, which in itself can have either an immediate or a long-term catastrophic impact on the organization's achievement of its objectives. The importance of an adequate corporate defense program should therefore never be underestimated.
5.1.2.1 Lessons Learned
Organizations can improve their existing corporate defense efforts by learning lessons from the past. Valuable lessons need to be learned from the organization's own previous hazard experiences, and by ensuring that appropriate remedial action is taken to rectify issues that have been identified as contributing to the occurrence of previous hazard events. Equally valuable and less costly lessons can also be learned from the previous hazard experiences of other organizations. The identified failings of competitors or other similar organizations provide an opportunity to ensure that the organization addresses known vulnerabilities, weaknesses, and deficiencies. In doing so, it can ensure that it is adequately insulated against the occurrence of similar hazard events and help avoid the associated financial, physical, and reputational impact that can result. Learning lessons from past experiences, however, requires an inquisitive mind-set and a clear appreciation and understanding of the purpose of different corporate defense measures, and the capabilities of their associated specialist corporate defense disciplines.
5.1.2.2 Bullet-Proofing and Future-Proofing the Organization
Organizations are faced with a multitude of hazards that can be detrimental to the achievement of their objectives. In such circumstances, the corporate defense program can act as a buffer between the occurrence of hazard events and the potential impact that these events can have on your organization. An effective corporate defense program can in effect help bullet-proof the organization against the occurrence of hazard events so that your organization can not only survive but also thrive during periods of turbulence and chaos when other organizations are struggling or devastated. Bullet-proofing involves providing protection to the organization against the impact of a hazard event, and an effective corporate defense program can in effect act as the organization's bullet-proof vest. The bullet-proof vest provides the organization with an extra level of protection that can actually allow the organization to take risks and reap rewards that other organizations are simply not in a position to do.
An effective corporate defense program can help future-proof the organization to ensure that it has developed measures to anticipate the occurrence of and safeguard against future hazards. Such measures can help minimize the impact of hazards. Future-proofing is concerned with delivering long-term sustainable value and developing the ability to accurately predict and prepare in advance for potential hazard events. It involves building durability, redundancy, flexibility, and adaptability into the organization's structures, so that it is adequately prepared to address the challenges of the future rather than simply addressing the challenges of yesterday and today.
5.2 CORPORATE DEFENSE DOMAIN
The corporate defense domain refers to the entire field of expertise that can contribute to an organization's corporate defense program. It relates to the critical corporate defense components and the related specialist disciplines associated with each of these components. It is concerned with the range of corporate defense-related activities, all of which contribute to the defense of the organization and its stakeholder interests. In effect it relates to the extent of the corporate defense jurisdiction and the areas that potentially need to be covered by a corporate defense program. The corporate defense domain can help an organization identify the different aspects of corporate defense that need to be considered when deciding on the corporate defense measures to be put in place.
5.2.1 CORPORATE DEFENSE-RELATED ACTIVITIES
Each of the critical corporate defense components has subcategories of defense-related activities that are associated with each component. It must be appreciated that in the modern era each of these components requires specialist skills and expertise that are essential to their effectiveness. Table 5.1 outlines the critical components and provides examples of the associated defense-related activities (Lyons 2009b). As can be seen, the corporate defense domain can encompass a broad range of areas, and as a result the corporate defense program can have a very wide scope. It is unreasonable to expect any one person to be an expert in all of these activities or to possess the deep level of technical knowledge required to be proficient in each of these areas.
TABLE 5.1
Corporate Defense-Related Activities
Governance | Security |
• Environment/culture/philosophy • Organization/design/structure • Ethics and integrity • Stakeholder relations • Strategy and planning • Frameworks and methodologies • Policies and procedures • Processes and practices • Responsibility and accountability • Oversight and supervision | • Physical security • Premises security • People security • Materials security • Facility security • Operations security • Information security • Endpoint security • Application security • Operating system security • Database security • Network security • Gateway security |
Risk | Resilience |
• Enterprise risk • Operational risk • Credit risk • Market risk • Strategic risk • Reputation risk • Financial risk • Project risk • Environmental risk | • Incident response • Emergency operations • Crisis management • Disaster recovery • Contingency planning • Continuity management • Interruption protection • Health and safety • Insurance |
Compliance | Controls |
• Regulatory compliance • Legal compliance • Workplace compliance • Industry codes • Best practice guidelines • Internal standards | • Internal controls • Monitoring controls • Operational/processing controls • Financial/compliance/security controls • Preventative/detective controls • Primary/compensating controls |
Intelligence | Assurance |
• Business intelligence (B.I.) • Operational intelligence • Market intelligence • Competitive intelligence • Knowledge management • Data/content management • Record management • Document management • Filing/storage/archive management • Communication • Monitoring and reporting • Telecommunications | • Inspection review • Internal/external audit • Regulator review • Rating agency review • Standards certification • Self-assessment review • Due diligence review • Fraud examination • Forensic investigation • Litigation support |
Each of these activities represents an important aspect of corporate defense in order to help the organization to address potential risks, threats, and vulnerabilities, which can arise both internally and externally to the organization. In fact, each of these activities should be considered to be an essential link in the chain, and effective corporate defense must be all inclusive as the chain is only as strong as its weakest link. To be most effective, all corporate defense-related activities need to be functioning in unison.
5.2.1.1 An I...