By Rachel Briggs. Source: Guild of Security Controllers Newsletter
The following article appears in the Spring edition of the Guild of Security Controllers' newsletter.
As the kidnapping of The Wall Street Journal's reporter Daniel Pearl reminds us, kidnapping is still a useful tool for holding companies and governments to ransom. In the first article in this series, we examined the kidnapping trends of recent years – who gets kidnapped, where, by whom and why. In the second article, we will address what companies can do to tackle the problem. I will argue that a three-pronged prevention pyramid model of risk assessment, security and advice to allow individuals to take better care of themselves should be at the heart of investment strategies for companies sending employees to the world's kidnapping hot-spots. But while prevention can help to significantly reduce the chance of kidnapping, companies must also always be prepared for the worst. Making the wrong decision in an on-going case can mean the difference between life and death.
THE PREVENTION PYRAMID
As we saw in the last article, kidnapping is a rational, and often predictable, crime with logical causes. It is possible to map it, to understand how and why the kidnappers act, and therefore to lower your own risk of the crime through an effective prevention strategy.
Risk assessment and management
In 1999 the introduction of the Combined Code on Internal Control, and the subsequent Turnbull recommendations on risk assessment and management, underlined both the inevitability of risk to the business community, but also the need for companies to understand their exposure and act to reduce and manage it accordingly. The boards of companies listing on the London Stock Exchange are now required to report whether or not they have audited their risk and whether they have taken the necessary steps to manage it.
To ensure their broad applicability across sectors and markets, the recommendations stop short of prescribing how companies should manage their risk. Where there are agreed concepts of best practice and minimum standards for risk this is not a problem. But in areas of risk management like kidnapping and personnel security, where these norms are still being developed, more guidance is needed. As a representative from a multinational commented in a survey carried out by Ernst & Young into business risk management, "we want to manage risk, but where are the guidelines? The structures? The tools? The techniques?"
For many companies, the most common tool for managing risk is insurance – and kidnapping is no exception. The kidnap and ransom (k&r) insurance industry has grown rapidly over the past 10-15 years, with reported annual growth rates of 15-20%. Policies cover their holders against the losses of a kidnap, in much the same way that home insurance covers losses such as burglary and subsidence. As well as the ransom payment, such costs might include consultants to advise on how to manage the case, any travel or living costs, the hostage's wages while they are being held, and any counselling the hostage might need on their return home. While the k&r insurance industry has been accused of encouraging the proliferation of the crime, the coverage could also bring positive benefits. Kidnap and ransom insurance, like all other types of insurance, includes incentives for 'good' behaviour and penalties for 'bad' behaviour in an attempt to reduce pay-outs. The pricing structure of k&r premiums is then related to the amount of effort that the policy-holder is prepared to make to reduce and manage their risk. Many underwriters also exclusively secure the services of security consultants for their policy-holders to advise on preventative action.
The industry has also taken steps to try to keep pay-outs as low as possible. Firstly, the total insurance coverage is relative to the policy-holder's ability to pay, and ransoms are only ever paid retrospectively. This means that the insurance recovers the amount that would have been paid without insurance cover. Secondly, policies cover the cost of an expert to handle the case, a role that may previously have fallen on a CEO, or regional manager with no previous experience of handling such a high-pressure incident as a kidnap. As the security manager at a large multi-national commented, "We as a company have a very strong central security and employee security capability. But we haven't had a kidnap since 1989 so we need the experience of people who have done this."
Security can, of course, be considered to be one element of an effective risk management strategy to tackle kidnapping. But attention tends to be focused on what measures and techniques need to be employed on the ground. While this is key, and we certainly need to encourage the accumulation and spreading of best practice, there are a number of processes and principles that need to be agreed first.
Firstly, security needs to enjoy a higher profile within companies. Security departments often suffer from an image-problem, brought about because they absorb rather than generate income, and there are often communication problems between them and their boards, who tend to come from different professional backgrounds and have very different ways of quantifying, communicating and managing risk. Since September 11th personnel security has moved up the ladder of corporate priorities. While overseas travel has fallen as a result, the option of "not going" is not feasible for many companies. We must therefore find systemic ways of raising the profile of security and ensuring it stays in focus for boards into the long-term.
Secondly, the relationship between UK companies and the UK government must be more clearly defined. Effective security strategies to tackle kidnapping depend on access to accurate and up-to-date intelligence – about emerging kidnapping trends, the practices of different kidnapping groups, and other political and economic developments that might have a bearing on the geography of the crime. Because national governments tend to be the natural suppositories of this type of information, it makes sense for them to co-ordinate a system that allows companies to access it on a regular basis. At present, all companies can see information within the public domain, but some individuals may be able to obtain more detailed briefings on an informal basis through personal or professional contacts. This creates an uneven playing field. Furthermore, the complicated architecture of government can act as a block to the spread of information to companies. The UK should examine initiatives like the Overseas Security Advisory Council (OSAC), set up by the US State Department in 1984. OSAC is dedicated to communicating with US companies on security issues such as kidnapping, and its mandate is from the business community itself. The OSAC model may not be a blueprint for the UK, but it could offer useful ideas to be explored further within the UK context.
Personal Employee Responsibility
While companies and governments have special responsibilities to manage the safety and security of their employees and citizens, the risk of kidnapping cannot be contained within the hours of 9-5. Instead, kidnappers generally take their victims when they are at their most vulnerable and exposed, such as in the car between home and work. Individuals must therefore take a certain amount of responsibility for themselves and their families when living and working in hot-spot countries.
That is not to absolve employers of their duty of care – but rather to add a new layer of responsibility to ensure their staff have the right information and guidance to be able to look after themselves out of office hours. In Brazil, the most common form of kidnapping is 'express kidnapping', where victims are temporarily detained and forced to withdraw large sums of money from cash points. In these cases, sensible travel advice and regular briefings on changing trends among criminal groups can generally enable employees to avoid the risk of kidnapping by changing their routine or behaviour. A co-ordinated communication system across a company is a useful way of minimising its risk not only of kidnapping, but many other personnel security problems, too.
However, age, sex, family status and experience of living overseas will all influence perceptions of risk, and companies must therefore find appropriate ways of communicating with different individuals and groups. Research by Paul Barker, Group Head of Security at BG underlines this point. After studies in Brazil and Egypt, he concluded that those who are overseas with their family are more likely to take security seriously and are therefore more receptive to information and advice about how to manage their risks. He summarises this logic as "the more one stands to lose, the more one will actively buy into the protection programme". Given that the traditional expatriate is now making way for new styles of travellers – international commuters, virtual expatriates, frequent flyers and short-term travellers – this poses significant challenges for companies in communicating risk with their staff.
Having a transparent structure in place to deliver this information is important on two levels. Firstly, it enables employees to take better care of themselves and their families and dependents. Secondly, though, it enables companies to show that they have exercised their duty of care, not just during office hours, but also in free time, too.
CRISIS MANAGEMENT – ALWAYS BE PREPARED
However, even when companies do all of the above, things can still go wrong. Like all business risks, the risk of kidnapping can never be eliminated altogether, which makes it even more important for companies to have an effective crisis response plan in place that can be activated at a moment's notice. Studies have shown that about 80% of companies without a workable recovery plan will fail within one year of suffering a major disaster. While kidnappings may not equate to a 'major disaster' in business terms, their impact can be significant – both financially and reputationally. The complications of a case, and the fact that a human life is on the line, mean that companies will respond far more effectively if they are not also having to invent management systems as they go along.
Secondly, as the nature of business contacts overseas becomes more complicated, with sub-contracting and consortia a common feature of most contracts, kidnappings are also becoming more complex. In a well-known case in Ecuador in 2001, ten individuals were taken at the same time – five Americans, two French (who later escaped), one Chilean, one Argentine, and one new Zealander. Between them they were employed by three separate companies, each of which had their own insurance policies and their own response consultants, and each nationality also brought the involvement of a different home country, too. This case underlines the need to prepare for such complications beforehand and also to co-ordinate well when the case is on-going.
There are no quick or easy solutions to kidnapping – but there are practical steps that companies can take to significantly reduce their risks. Prevention and crisis management plans should form the bedrock of any strategy for companies operating in kidnapping hot-spots. And as we will see in the next and final article in the series, the impact when things go wrong can be significant.
The Reality of Risk Management: Views from Across Europe, Ernst & Young, 1998
Judith Doyle and Max Nathan, Wherever Next? Work in a mobile world, Industrial Society, 2001, pg 5
Home Office, Business as Usual: Maximising business resilience to terrorist bombings, Feb 1999
Jim Wyss and Juan Tamayo, "Exhausted captives describe `terrible' ordeal in Ecuador", Miami Herald, March 2, 2001