The calm in the storm
What journey did you take to get to your current roles?
I studied Arabic at university and then joined the Army, so I found myself working as an interpreter during and after the 1991 Gulf War, supporting British military operations in the Middle East. After that I moved to the Foreign Office and then worked for the banknote manufacturer De La Rue, with a focus on Iraq. Until now, I’ve always been Middle East focused.
My current role at Control Risks is to support the Security Incident Response (SIR) policy by delivering our services in the most efficient and effective way possible once the policy is activated. I'm the conductor of the orchestra if you like; conducting multiple teams within Control Risks to help the client.
I was also in the army but as an engineer, serving in Iraq and Afghanistan. When I decided to leave, a colleague working in the Lloyd's Market advised me to come and have a look at the insurance industry as some of the work was relevant to my skills.
I initially joined Special Contingency Risks at Willis, then moved to Deloitte because I was enjoying the consulting side of the work. Having developed a relationship with Hiscox over that time, I joined the business as Head of SIR in January 2018.
Is there anything you miss about the army?
I miss the teamwork and a sense of purpose - although I get those working with Hiscox of course! The private sector is a lot more nimble than the Army though – you can change focus quickly from one project to another while the Army is more risk averse. In the private sector it is expected that some initiatives will not succeed, but the consequences of failing in the Army are severe.
I learnt in the army that you need to commit to whatever you’re doing wholeheartedly. I don’t go into projects I don't believe in. I also learnt that you can achieve some tremendous things when you have a unifying purpose and everyone is pushing in the same direction. I like to create that same sense of purpose in the private sector because it is more satisfying to work like that.
How do you think the security situation has changed for businesses?
The perception of security is more nuanced today and we all seek to understand the wider implications outside the immediate physical threat. That could be understanding the political context in which the threat exists, the motives of the various stakeholders, as well as understanding the direct means by which a threat can be expressed or materialised.
Having moved from a comparatively uni-polar world with a dominant US, to a more multi-polar world – where a number of states have equal power and influence – the requirement to provide that analysis is even greater.
My observation – even when I was leaving the army seven or eight years ago – was that 'security was about defensive things like barriers, procedures; the bomb blast threat was at the forefront of peoples' minds. These days it is much more about security being an enabler for business in terms of understanding how you make investments and where you grow your business and, if you get the right security provisions in place, how you can capitalise on opportunities rather than putting up fences and barriers.
The other thing that has changed in recent years is the importance of technology and data and the related security aspects.
Once notified by a client of a crisis, what are the first steps you take?
The initial contact with the client is very important to get the fullest possible picture of the situation. You have to accept that that picture is very likely to change and evolve over the coming hours or days.
Secondly, it's important to help the client understand what the established facts are and distinguish them from assumptions, as well as thinking through scenarios as to how the crisis might evolve, so they can anticipate events rather than simply react to them.
It's a very emotional time for a client so our job is to provide dispassionate advice. One of the main issues in a crisis is that people often become defensive and, understandably, don't think as clearly as they could. Having an outsider join the crisis management team at an early stage brings objectivity and you start asking some of the questions that perhaps people are afraid to ask or they’re just blind to.
We'll use the facts of the situation as Control Risks investigates an incident as to whether a client’s insurance cover applies and we recognise that in the early stages, the client might not always know. Depending on the situation we'll be in regular contact with Control Risks to provide the insurance feedback that Control Risks and the client needs, without getting in the way of the operational management of the crisis.
How do you see the security picture changing for businesses?
Cyber is increasingly a feature of every situation that businesses face, whether that's the use of social media to threaten and affect the outcome of the situation, or whether it’s a cyber breach, theft of intellectual property, a data breach, or extortion.
Clients are perceiving threats less and less in the physical sense; they're not just thinking about bombs, or close protection, they're thinking about the wider implications.
One area of increasing concern to businesses is in effectively discharging their duty of care responsibilities to their employees. Where does duty of care for employers begin and end?
Clients do now see their duty of care as being more extensive than simply when an employee is travelling to a foreign location.
Employee safety in their offices in their home country for example is just as important, while those employers who extend support to the families of employees – not strictly under their duty of care responsibilities – will mark themselves out as the best employers.
In this era of social media, businesses have to have a clear view of their corporate social responsibility and their duty of care to people.
What's your message to CEOs and business leaders when it comes to thinking about the security and integrity of their business?
Anticipate what might happen to you by looking at what has happened to your peers. Think through how you would react. The mere process of thinking through different scenarios and preparing crisis management plans massively increases your ability to deal with the situation when it occurs.
The global business world moves fast and it’s impossible to predict all the eventualities. CEOs will have integrity, reputation and business opportunity at the forefront of their minds. Tools like SIR help provide confidence in taking risks in new areas by offering best in class support when the unforeseen materialises.
For more information on Security Incident Response contact [email protected]