A more strategic approach to corporate security can better align departments in an organisation to achieve better results of shared goals
The alignment of corporate security with the business strategy of an organisation is a topic that has been on the agenda of many senior security professionals. A corporate security department’s inability to demonstrate a clear thought process of how they arrived at proposing the strategic direction, or failing to make a compelling business case, may result in loss of credibility.
The lack of strategy alignment is counterproductive. The senior security executive can no longer make business proposals on intuition, or present a security strategy or recommendations that fail to stand the test.
The need for strategic alignment
Senior business executives argue that strategically aligned organisations achieve much better results if functions embrace a more strategic approach. Corporate security is both an operational and strategic activity. For example, security policies that are better aligned with the business generate a higher percentage of employees that are in compliance.
There is increased interest in the security profession in complementing technical expertise with business acumen. To be successful in your function, you must understand the business, its language and how corporate security contributes towards primary business objectives.
This article presents a methodical business process model that will facilitate the formulation of a corporate security strategy that is aligned with the strategy of an organisation.
Overview of strategy & strategic alignment
Corporate strategy is how the company intends to create more value from its collection of business units than if the business units operated independently. Functional strategy is a plan of action to strengthen an organisation's functional and organisational resources.
Organisational alignment is how the various component parts of an organisation coordinate their activities to create integration and synergy. The alignment process results in the linkage of organisational goals, processes, systems, resources and culture.
Alignment at a functional security department level requires you to have a clear understanding of the organisation’s strategic intent. At a high level, you follow a common three-step strategic planning process, namely Strategic Analysis, Strategy Development and Strategy Deployment.
A corporate strategy allows an organisation to create more value from its business units by linking goals, systems, resources & culture
Environmental scan: Understanding the business environment is an important step in the strategy development process. You should approach the environmental scan in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.
Environmental scanning is critical so that the organisation or function can adapt to new trends. There is a range of analytical business models you can use for conducting environmental scans, such as PESTLE (Political, Economic, Social, Technological, Legal, Environmental) analysis, resource and capability (tangible, intangible and human resources) analysis, and value chain analysis, which can be summarised and fed into an overarching SWOT (strengths, weaknesses, opportunities, threats) analysis of the organisation and/or function. A SWOT analysis can assist you to craft an aligned strategy.
A risk-based approach to security alignment starts with understanding the risks facing the organisation. For example, ISO 31000 describes a framework for implementing risk management. To be aligned, your security strategy should set out the objectives that risk management activities in the organisation are seeking to achieve.
Strategic conversations: Irrespective of the total number of steps you take in the strategy development process, the foremost common step is to define your organisational strategy. Alignment equals engagement. You need to develop your security strategy in partnership with organisational stakeholders by engaging in effective strategic conversations with business leaders. Do not ask them questions such as: What are your security issues? How many incidents have you had in your business? To understand the business strategy, rather ask them questions like: What are your visionary goals? What is the strategy for achieving these goals? What are your assumptions concerning the competitive environment? How does the organisation gain sustainable competitive advantage? What is the impact you seek on return on [security] investment? The result of such conversations will lead to better understanding of your organisation’s strategy.
Having argued that alignment is required, a second issue relates to how your function may become aligned. You may use various business management frameworks and techniques to align security strategies with the business. For example, some organisations use COSO’s (Committee of Sponsoring Organisations) enterprise risk management model for crafting a strategy aligned with risk.
This article presents the Strategy Map and the Balanced Scorecard (BSC) for the development of an aligned security strategy.
Strategy map: Another step for understanding the strategic direction is the creation of a strategy map to decide on strategic objectives, appropriate measures and targets.
Example strategy map outlining all the cause-and-effect links between an organisation’s strategy and the aims / purposes of its departments
Strategy maps outline all the cause-and-effect linkages (see sample) between what your organisation’s strategy is and what everyone does. For example, a highly skilled security team, using a risk-based approach, would provide the customer with cost-effective security solutions that result in loss prevention and reduced costs, which contribute positively to bottom-line performance.
The balanced scorecard (BSC) approach: Developed in the 1990s by gurus from Harvard, Robert Kaplan and David Norton, the BSC is an effective strategic management tool to help you gauge whether the security function is aligned for meeting the company’s strategic objectives. You can use the BSC to clarify and update strategy; communicate strategy throughout the company; align functional and individual goals with the strategy; link strategic objectives to long-term targets and annual budgets; identify and align strategic initiatives; and conduct periodic performance reviews to improve strategy.
The four traditional perspectives included in the BSC are:
- Financial - how the company is making money,
- Customer - how well customers are serviced and retained,
- Internal processes - effectiveness and efficiency, and
- Learning & Growth - organisational development.
You should fundamentally base the choice of perspectives on what is necessary to tell the story of your organisation’s strategy.
The four primary components you should include in the BSC are objectives, measurements, targets, and initiatives.
- Objectives - specific actions to execute the strategy.
- Measurements - monitoring and tracking the progress of strategic objectives. Measures include both lagging indicators and leading indicators.
- Targets - expected level of performance or improvement.
- Initiatives - projects to meet one or more strategic objectives.
Developing your scorecard
Financial Perspective: It is usually difficult for a non-profit-generating function to demonstrate tangible contributions, but it is possible. For example, if the business strategy is to reduce costs and grow revenue, a security strategy may be to develop technology for replacing the guard force. You may think of other initiatives that contribute tangible value. Or you may aim to review security costs as a percentage of sales.
Customer Perspective: You may want to gauge how the security function is doing to help the business grow while protecting company assets. Corporate Security mainly supports internal customers and employees. For example, you may decide to enable supply chain optimisation, which will result in [internal] customer satisfaction, and ultimately ‘shareholder’ value.
Internal Process: Your function may decide to drive operational excellence or develop a security management system. For example, you may include the security risk assessment programme.
Learning and Growth: Your function may decide to run a relevant training programme to ensure employees are equipped to successfully support the accomplishment of security’s purpose. For example, a well-trained workforce will effectively apply internal processes, such as conducting security risk assessments (SRAs).
You can use your security metrics programme to demonstrate value such as increased protection and decreased cost, and enhanced customer satisfaction due to cost-effective security.
You should take an all-inclusive strategic approach with the organisation-wide strategy. The nine-step strategy alignment process outlined hereunder is a methodical approach to assist you in crafting an aligned security strategy to achieve business success.
- Engage organisational leadership to understand, select and agree on key strategic objectives.
- Engage functional leaders to understand, select and agree on key functional objectives.
- Assess and identify security risks that may impede the achievement of business objectives.
- Develop a strategy map to establish the cause-and-effect linkages between the organisation’s strategic objectives and selected corporate security objectives.
- Identify and develop [leading and lagging] measurements and security metrics.
- Identify targets for each measurement.
- Establish initiatives to be assigned to appropriate staff and documented in their annual performance agreements.
- Get agreement [internal service level agreement] on measurements, targets, initiatives and strategy review process.
- Communicate and roll out the strategy.
The BSC can effectively help you demonstrate alignment of the security function’s strategy and performance measures with your organisation’s strategic priorities.