Enterprise Risk Management

 

 

Fake News. Real Threats
https://sm.asisonline.org/Pages/Fake-News-Real-Threats.aspx
2017-11-01T04:00:00Z
<p>In November 2016, a man armed himself with an assault rifle and drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children being held captive and abused by Hillary Clinton. Once inside, the man fired on the restaurant, but no one was hurt. </p><p>The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, “a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times,” according to The New York Times.</p><p>The concept of fake news entered the popular vocabulary during the U.S. presidential election in 2016. While intentionally spreading false news reports for financial, political, or psychological reasons is not a new phenomenon, the practice has expanded significantly in the last year. During the particularly divisive U.S. election, numerous hyper-partisan blogs and websites posted a wide range of rumors, conspiracy theories, and fabrications, which have collectively been labeled fake news. Far from its original meaning—articles that are blatantly untrue—the term fake news has been embraced by all sides of the political divide to denigrate reporting that they feel is biased or incomplete.</p><p>While primarily political in nature, fake news has been used against various organizations and poses a real and increasing threat to private sector organizations of all sizes. 
It is important for security professionals to explore the relationship between fake news and corporate security, and determine how they can begin to address the threats posed by the release of false news and information.</p><h4>Transmission<br></h4><p>There has been an explosion in the creation and distribution of fake news through various online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research conducted by Hunt Allcott and Matthew Gentzkow and published in the spring 2017 edition of The Journal of Economic Perspectives also found that a database of 38 million shares of fake news stories on social media translated to about 760 million instances of clicking on, and reading, fake news stories. </p><p>The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. A unique aspect of the current situation is that these stories are shared more widely, and more quickly, than ever before due to the ubiquity of social media. According to Allcott and Gentzkow, the list of fake news websites compiled by Stanford University received 159 million visits during the month of the election, while some 41.8 percent of individuals reported that they were exposed to fake news via social media.</p><p>Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising considering the sometimes bizarre nature of the claims made. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who reported remembering a fake news headline believed it to be accurate. 
In the study by KRC Research, 74 percent of individuals surveyed reported that it is difficult to determine what news is real and what is not.</p><p>The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. The falling levels of trust in media have been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has led to the increased importance of the “people like me” category as a trusted source of news and information, according to Edelman’s 2017 global report. Because of these developments, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility, while trust in traditional news media and government sources has declined. The fact that these fake news stories are rebroadcast many times, through cross-links and reposts on social media, further adds to the illusion of credibility. </p><p>If fake news were limited to stories about Area 51 or the JFK assassination, it would represent an interesting sociological case, but with limited relevance to corporate security. However, both the subject matter and the intensity of emotion elicited make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This enhanced threat environment will require adaptation by corporate security professionals and the incorporation of new defensive and offensive capabilities into existing corporate security plans.</p><p>The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear in the near term. The efficiency of this technique has been clearly demonstrated and the tools facilitating it are becoming ever more powerful, accessible, and easy to use. 
It is also difficult to imagine a significant increase in trust in traditional authority figures in the near future. </p><p>For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage, and the related loss of business—through boycotts for example—and direct threats to staff and property.</p><h4>Stock Manipulation</h4><p>At the macro level, fake news has been used to move entire stock exchanges. This was the case in April 2013 when a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Index lost 145 points in two minutes, while the S&P lost $136.5 billion. The news was quickly disproved and the market corrected within minutes, but the potential for large-scale disruption was demonstrated. In this instance, the fake news attack was claimed by the Syrian Electronic Army, according to The Washington Post.</p><p>In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor related to the health of the Thai king. The market made up about half of the loss within the next trading day, and the Thai police made several arrests related to the case later that month, as reported by Reuters.</p><p>Fake news has been used to manipulate the shares of individual companies as well. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant increase in the share price, according to The New York Times. Then in November 2016, a fake offer to acquire Fitbit shares led to a spike in activity, and a temporary halt to the trade in Fitbit stocks as reported by The Financial Times. In 2013, a fake press release was posted claiming the Swedish company Fingerprint Cards AB would be acquired by Samsung. Company shares surged until trading was halted. 
</p><p>In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance in combating this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in “alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks,” according to an SEC statement.</p><h4>Reputation</h4><p>False stories, rumors, or statements taken out of context have led both to reputational harm and to threats to corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances has taken on an increased risk due to hyper-sensitive stakeholders.</p><p>A case in point was New Balance, when Matthew LeBretton, vice president for public affairs, said, “The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction,” during an interview with The Wall Street Journal. The statement related specifically to President Trump’s plan to withdraw from the Trans-Pacific Partnership (TPP), but was widely misinterpreted. This caused a twofold issue for New Balance. First, anti-Trump individuals saw the statement as an endorsement of the candidate and everything he was purported to believe. This in turn led to calls for a boycott, and many social media posts depicting the destruction of New Balance products as reported by CNBC. 
A few days later the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the “Official Shoes of White People.” New Balance was blindsided by the intensity of reactions to a single statement related to a proposed international trade agreement and was forced into reactive positions throughout the crisis.</p><p>Another executive statement that was taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo, in her interview with Andrew Sorkin of The New York Times on November 9, 2016. Her statement included congratulations to President-elect Trump on his victory, while also indicating that some of her employees expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement by claiming that she and her employees were “terrified” of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.</p><h4>Direct Threats</h4><p>As noted above, one of the most serious cases of threats to an organization based on fake news involved the reports of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. While the story was repeatedly debunked, it nevertheless continued to circulate and was supported by Michael Flynn, Jr., son of then National Security Director General Michael Flynn, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pled guilty to the interstate transportation of ammunition and a firearm, a federal charge, in addition to a D.C. 
charge of assault with a dangerous weapon, according to The Hill.</p><p>This case indicates that even the most ridiculous story, if repeated often enough, will find an audience that believes it, and possibly someone who is willing to take action based on its claims. It is possible that a less extreme story focusing on a corporate executive or brand would lead to similar examples of direct action.​</p><h4>Countermeasures</h4><p>Countering fake news is difficult when the target audience finds it easy to discount facts and the usual sources of information are distrusted. However, there are a number of actions that corporate security teams can take to mitigate the risks posed by this new threat.</p><p><strong>Risk assessment. </strong>As with any threat to corporate security, the place to start is with a detailed risk assessment. The corporate security team needs to look at both internal and external factors to determine both the level of risk, as well as the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. The external factors include the competitive environment, the current perception of the organization and its management, the level of openness and transparency, and the nature of current conversations about the organization. With this information, corporate security will be in a much stronger position to establish policies and procedures to mitigate the risks from fake news attacks.</p><p>A white paper by Accenture focusing on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution has vulnerabilities and incorporating the findings into its risk mitigation plans. 
A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents reported having no social media risk assessments in place, while only 36 percent reported being offered any training on social media risk mitigation.</p><p><strong>Monitoring. </strong>To have any hope of effectively countering fake news, the corporate security team needs to have as close to real-time visibility of its appearance as possible. This points to the requirement for a comprehensive monitoring program that builds on any existing media or social media monitoring capability the organization already possesses.</p><p>It is important that this monitoring program specifically focus on channels that are outside the organization’s norm. These channels may be antithetical to the values of the organization, targeted to a demographic that is generally not associated with the company, or linked to apparently phony information sources. It is also important to look specifically for negative references to the organization.</p><p>After experiencing a number of negative stories driven by news and social media, Dell Computer adopted an “everyone is listening” approach to social media monitoring. A Framework for Social Analytics by Susan Etlinger of the Altimeter Group discusses Dell’s hybrid model for media monitoring, which gives a large number of its 100,000 plus workforce some responsibility for monitoring social media channels related to their lines of business. The company also has a Social Media Listening Command Center, which employs sophisticated social media monitoring software to complement its traditional media monitoring program.  </p><p>A company’s monitoring system should also include an analysis component that helps vet the material, determining how it should be classified and its importance from a risk management perspective. 
This component would then ensure that any important material is routed to the key decision makers for immediate action.</p><p>Finance, investment, and hedge fund companies have been taking a lead in the area of monitoring and identifying fake news stories. The growth of organizations that can deploy multiple content generators focusing on specific companies poses a significant risk to stock market investors. According to reporting in Forbes, companies are also seeking to develop algorithms that can sort through large quantities of content and identify malicious fake news campaigns. One such company that has been widely cited in this regard is Houston-based Indexer LLC.​</p><h4>Response Plans</h4><p>Based on the results of the risk audit, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated in the event of an actual fake news situation. At a minimum, these plans should include contact information for all crisis team members, checklists for key actions, prepared statement templates to be used with internal and external stakeholders, and escalation metrics in the event that the fake news situation is not immediately contained.</p><p>The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute’s Implementing and Operating a Joint Information System planning document. The plan covers the importance of preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific information on the importance of ensuring that information on social media regarding nuclear facilities and incidents is accurate, and that rumors and falsehoods are flagged and corrected.​</p><h4>Training</h4><p>The weaponization of news represents an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. 
As examples of fake news incidents increase, corporate security professionals should build this new threat into security training that is offered in conjunction with the corporate communications and human resources functions. Members of the senior leadership team should also be involved in any fake news response training.</p><p>Countering fake news requires fast decision making and decisive action on the part of the organization. To be able to execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.</p><p>The communications function at DePaul University in Chicago, recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while still ensuring that key facts are not overlooked.​</p><h4>Cross-Functional Teams</h4><p>By its nature, the threat posed by fake news needs to be met by a comprehensive organizational response. This implies a cross-functional approach to fake news management. While corporate security may take point, the expertise and resources available to the corporate communications, human resources, and legal teams will prove critical.</p><p>An executive from an international bank reported to Accenture that it was important for all key functions to participate in risk management planning, especially when it concerns social media. 
“However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound,” notes the Accenture white paper.</p><p>Because fake news is still a type of news, the communication and media relations skills of the corporate communication function will be needed to analyze the content and develop and distribute counter messages to all fake news reports. This function may also be the appropriate host for the monitoring program because it is a logical extension to standard corporate media monitoring activities.</p><p>Employees are a critical audience for fake news and an important distribution channel for counter messaging. This being the case, the human resources department needs to be involved in the creation and execution of corporate security strategy with regard to fake news.</p><p>To ensure that the organization’s rights are fully protected, and that it does not itself cross the line in terms of libel, the corporate legal team should be involved in the fake news strategy, and have a role in vetting counter messages.</p><h4>Communications</h4><p>Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are provided with clear and accurate facts and counter messages as quickly as possible.</p><p>Beyond reacting to a fake news incident, the organization should seek to inoculate its staff against its effects by undertaking a comprehensive internal communications and employee engagement program. This can be incorporated into the concept of encouraging employees to be brand ambassadors.</p><p>Organizations that are most vulnerable to fake news are those about which little is known. 
Without a base of preexisting knowledge, stakeholders who are exposed to fake news cannot immediately discount it, which is where the seeds of doubt take root. It is thus important that the organization be as transparent as possible, which includes regular proactive external communications. Corporate actions and policies should be communicated, explained, and contextualized to establish the reality of the situation before a fake news story can present a false narrative.  </p><p>It is especially important to get in front of any bad news stories and ensure that the organization is seen as working to resolve the issue, rather than hiding it. The idea of a first mover advantage with releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can help thwart attempts to create a scandal by fake news outlets. ​</p><h4>Trust</h4><p>While a full discussion of trust-based relationships is beyond the scope of this article, it should be noted that the establishment of trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth. It involves a range of factors including organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building involves all aspects of organizational behavior, it must be seen as a strategic initiative and be driven by senior management. Trust’s relationship to fake news defense is likely to be a collateral benefit rather than a primary driver of the initiative.  </p><p>The use of intentionally false or misleading information distributed through online and social media channels to disrupt or harm organizations is likely to increase dramatically in the years ahead. 
These actions are increasingly easy and cheap to execute, and take advantage of current weaknesses in organizational capabilities and the fact that societal trust in most traditional authority figures is at a historically low level. It is thus imperative that responsible corporate security professionals develop the internal capabilities and protocols to deal with this new threat environment before they are faced with a fake news attack. The good news is that most of the necessary resources already exist to some degree within the organizational structure and only need to be oriented around the fake news threat. This will include proactive measures such as audits, monitoring, training, and proactive communications, as well as moving quickly to react to the emergence of damaging fake news to contain it and neutralize its ability to damage the organization.</p><p>In today’s hyperconnected global information environment no organization is safe from a fake news attack. We have had ample warnings that the threat is real and is likely to get worse. There is no time to waste in hardening the organization against this new type of assault.</p><p><em>Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years.</em></p>

 You May Also Like...

 

 

Five Insights on ESRM
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
<p>There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise. </p><h4>ESRM Is a Philosophy</h4><p>ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.</p><p>This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be. </p><p>The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.</p><h4>ESRM Is a Process </h4><p>ESRM is not merely an academic philosophy. 
A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:</p><p>1. Identify and prioritize the assets of an organization that need to be protected.</p><p>2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.</p><p>3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.</p><p>4. Conduct incident monitoring, incident response, and post–incident review, and apply the lessons learned to advance the program. ​</p><h4>ESRM Aligns with the Business</h4><p>Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment. </p><p>There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process. </p><h4>ESRM Covers All Security </h4><p>There is no aspect of security that cannot be managed in alignment with the ESRM philosophy.  Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. 
And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.</p><p>The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision making process for all risk mitigation.</p><h4>ESRM Is Possible</h4><p>Implementing ESRM cannot be done overnight. It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.</p><p>When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.</p><p><strong><em>Rachelle Loyear</em></strong><em> is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. </em><strong><em>Brian J. Allen, Esq., CPP,</em></strong><em> is a member of the ASIS ESRM Commission. 
Allen and Loyear are coauthors of </em>The Manager's Guide to Enterprise Security Risk Management <em>and the forthcoming book </em>Enterprise Security Risk Management: Concepts and Applications.</p>
https://sm.asisonline.org/Pages/Communication-in-Crisis.aspx
Communication in Crisis
<p><span style="line-height:1.5em;">In the days following the derecho that ravaged a path stretching from Illinois to the Maryland-Virginia coast in June 2012, local companies and national aid organizations scrambled to organize and respond to the widespread destruction, death, and power outages across the route. Some 4.2 million citizens were left without power for several days. The storm coincided with one of the deadliest heat waves the region had seen in decades. Victims scoured social media websites for information about relief organizations and aid, and learned that the Federal Emergency Management Agency (FEMA) was deploying generators to provide electricity.</span></p><p>Hopeful citizens began flooding the agency with requests to have generators delivered to their homes. However, there was one problem: The giant, industrial-sized generators FEMA was delivering were intended to power community centers, firehouses, and shelters—not individual houses.</p><p>“We saw those conversations and wanted to help set expectations,” explains Shayne Adamski, senior manager of digital engagement with FEMA. “We wanted folks to know how we were being helpful, so we posted a photo of one of the generators and commented about how it would be used in an impacted area. Once folks saw that, they realized they weren’t individual generators that a person could go pick up at Home Depot and have running in their backyard.”</p><p>Adamski cites this example as a way FEMA leverages social media during a disaster. Indeed, people are increasingly turning to social media during emergency events to gather immediate information, and checking social media websites is becoming an alternative when traditional forms of communication have been less effective. Most of the messages transmitted through social media are from nontraditional media sources, such as FEMA. 
However, the medium has allowed traditional news agencies to leverage public experiences—every smart-device user in the world has the potential to be an information broadcaster.</p><p>Social media has completely changed the way people engage with one another and, more importantly, how businesses connect with potential clients and customers. Social media has become the one common denominator that the world’s wired citizens understand and use on a daily basis. The preferred online applications may change from country to country, but social media has made it possible to reach mass numbers of people quickly.</p><p>The ASIS International Crisis Management and Business Continuity Council conducted a survey on how social media is being used in emergency management. The resulting study, Social Media Is Transforming Crisis Management, concludes that many security professionals around the world are using some aspect of social media for emergency notification, keeping stakeholders engaged, and making critical documents more accessible.</p><p>The study confirms that social media is establishing its place in emergency operations planning and execution. However, emergency operations professionals require additional training to learn how to best create alert messaging; 52 percent of respondents have not used social media for an emergency event and 25 percent have never used social media at all.</p><p>Security professionals realize that additional learning will be required to fully embrace and exploit social media in crisis management situations. More than 75 percent of those surveyed agreed that more knowledge is required to expand social media to a wider audience in emergency operations.</p><p>However, many survey participants said they were reluctant to embrace social media. 
Several respondents expressed the need to preserve the old ways of doing things to ensure that the widest possible audience, including those people with no access to social media or newer technology, receives critical crisis management information. </p><p>Many federal agencies, such as FEMA, have been developing comprehensive social media strategies to communicate with citizens in emergencies. The U.S. Department of Homeland Security’s (DHS) Science and Technology Directorate has established working groups to provide guidance and best practices to emergency preparedness and the response community. </p><p>However, even with the millions of people who are flocking to social media sites, the government has yet to establish an emergency management platform, and security professionals are struggling to fully embrace social media as well, according to the ASIS study. </p><p>Below are six steps for companies to consider when using social media during a disaster. FEMA’s Adamski notes that security professionals should keep in mind that although social media is not a comprehensive solution—not everyone is on the same channels—taking advantage of multiple outlets helps get information out to a wider audience.​</p><h4>Technology </h4><p>Social media is being used in one of two ways during emergencies: to disseminate information and receive feedback, and as a systematic tool to conduct emergency communications. Although security managers may be reluctant to rely on social media for emergency communication, social media use during disasters is gaining traction.</p><p>However, some hesitancy is prudent because it is taking some communities decades to navigate new technology platforms—adopting Twitter as a communications device, for example. Managers should be mindful of their responsibility for employees during an emergency and ensure that advances in technology are included in procedures and processes. 
During an emergency in which social media is used to provide announcements and updates, there is an opportunity to include a wider audience than that reached by a simple public address system, but this requires planning.</p><p> For example, if smart devices are expected to act as one of the methods to facilitate a conduit between the company and employees, the details must be established and tested in advance. If specific phone numbers, media accounts, or Web pages are used to send out announcements, it is important that the contact details are identified and the people sending out the messages understand exactly what must be done.</p><p>Adamski explains that security managers should consider their audiences when deciding what platforms to communicate with. To reach employees, for example, a public social media channel may not be the best option. “Look at what tools or channels their customers are on,” Adamski says. “Not everybody is necessarily on one social media channel. If you’re trying to get on every single social media channel, you’re stretched too thin, and your core audience may not even be on that channel.”</p><p>Collaborative techniques are required, and building partnerships between emergency management professionals and individuals involved in the response will require new alliances to be successful. It is desirable to include local and regional governmental resources, nearby companies that may share the risk of an emergency, any organizations involved in a mutual agreement of understanding to provide resources during an emergency, any contractor or vendor relationships, and all of the various internal elements within the company. All of this must take place well before an emergency so that trust is developed and agreements are established among the stakeholders. 
Within the company, it may be necessary to break out of the silo environment and work collaboratively to establish plans and processes designed to facilitate a stronger response to an emergency.​</p><h4>Devising Strategy</h4><p>Emergency operations professionals may require additional training to learn how to best create alert messages and ensure that communication lines are established with citizens before, during, and after the crisis. A good starting point for developing a social media emergency response strategy is to adhere to the traditional four phases of emergency management: prevention and mitigation, preparedness, response, and recovery. </p><p>Although FEMA has a dedicated staff for crisis communication, Adamski says that businesses can often train an existing staff member to wear multiple hats and manage social media communications, even if it’s something they only work on for 10 percent of their time. </p><p>“Maybe that staff member does a lot of training before disasters, so that person can conduct their day-to-day responsibilities, and wear the emergency hat if necessary,” Adamski explains. “You’ve got to look at the internal organization and operation and skillset and where things can be moved around, and find out what’s best for that individual organization. Sometimes you’d be surprised how you can come up with good, creative solutions.”</p><p>Adamski also stresses the importance of training multiple people to use social media during a crisis, so that there are backup personnel who can be put on shifts during ongoing emergencies.</p><p>Emergency managers will need to create social media platforms they intend to use, and then popularize those sites so the public knows to turn to them in times of crisis. 
“Practice on those channels and use them before an emergency, so the first time you’re using them is not during an emergency,” Adamski advises.</p><h4>Managing Expectations</h4><p>Adamski refers to the 2012 derecho situation as a time when managing expectations became as important as standard crisis communications. A challenge FEMA often faces is educating people on its role during a disaster, and the organization turns to social media in an emergency to explain to affected communities how it’s helping, Adamski notes.</p><p>Focusing on one unified message will help maintain the ability to manage information. While crisis managers cannot control individual citizens’ input, the messages being relayed from authoritative sources must be consistent, reliable, and trustworthy. Multiple resources are needed to combine data streams that will ultimately improve data management. Creating in-depth feedback protocols will be necessary to understand developments and concerns from residents actively being affected by the crisis.      </p><p>Ron Robbins, who manages FEMA’s National Business Emergency Operations Center (NBEOC), says that another key to maintaining a unified message is engaging with other businesses and agencies that might be affected by the same emergency. Members of the NBEOC, for example, sign agreements to share information when they are faced with situations where the private sector may have operations that could be affected.</p><p>“You have to practice what mechanism you’re going to use and who your touch points are going to be,” Robbins explains. “There’s a lot of different angles you can work at this, and it’s paramount for everybody to understand who and what is needed to communicate, and to practice that.” </p><p>For example, when the NBEOC is activated, Robbins says FEMA starts reaching out to its partners, sharing situational awareness and information to organizations that may not have robust operations center capabilities. 
</p><p>“We try to be forward-leaning about what’s happening to keep our partners aware so that they can communicate with their employees and make decisions at their levels for what they’re going to do to initiate plans on their end,” Robbins explains.</p><h4>Engaging the Community</h4><p>It is becoming increasingly common for people to connect with public officials by asking questions or posting information online when an event occurs, and to expect emergency operation agencies to be just as responsive by replying to feedback or answering a question.</p><p>The ASIS study found that 55 percent of police departments surveyed actively use social media in the performance of their duties, and it’s no longer uncommon to see law enforcement officers taking tips and answering questions on their Facebook or Twitter pages.</p><p>Adamski says that he engages in what he calls social listening, which he compares to attending a town hall meeting: he takes a passive role and listens to conversations and concerns from the public, but can also answer questions or point someone in the right direction for accurate information.</p><p>Positive, regular interaction with the public via social media will also encourage people to trust and rely on that organization’s social media presence during a crisis. Adamski says that regardless of what people may ask on FEMA’s social media sites, it’s important that they see someone responding to their questions.</p><p>“Sometimes, we’ll have someone posting on our wall saying, ‘hey, this is what I did this weekend to get myself and my family prepared,’ and we’ll reply back to that person thanking them for sharing,” Adamski says. “It’s so they know they’re not just sharing their information to a hollow account that isn’t monitored.”</p><h4>Managing Misinformation</h4><p>One of the toughest dilemmas society has is balancing the huge amounts of data available with the trustworthiness of that data. 
Multiple resources are needed to combine data streams that will ultimately improve data management. </p><p>Rumor control is a regular part of crisis management on social media, Adamski notes. “If we see a rumor, we’ll coordinate with folks at a joint field office that’s open and say, ‘Hey, we saw this online, is it true, is it not, is there some validity to it? Is it a complete blatant rumor or did someone get a part of it wrong?’”</p><p>Whether bad actors are maliciously spreading invalid information or a simple misunderstanding has spiraled out of control, FEMA’s goal is to run the rumor into the ground and make sure only accurate facts are being shared, especially considering how quickly information can travel across the Internet. During bigger emergencies, FEMA may create a subpage on its official website that people on social media can refer to and share. </p><p>During the Texas floods in May and June, FEMA created a subpage dedicated to the disaster to provide accurate, consistent information, Adamski says. It helped regional FEMA employees disseminate up-to-date information right away. For example, right after the worst of the flooding occurred, reports surfaced that people impersonating FEMA employees were trying to collect citizens’ personal information. The subpage helps people know how FEMA is interacting with the community and what steps to take next.</p><p>“We coordinate internally, we make sure we’re all on the same page, and we make sure we put the right information out there,” Adamski says. “Depending on the rumor, we may ask our partners to share the information—one message, multiple channels.” ​</p><h4>Challenges</h4><p>The ASIS study pinpointed three barriers that security professionals encounter when trying to develop a social media presence. These are a lack of personnel or time to work on social media, a lack of policies and guidelines, and concerns about trustworthiness of collected data. 
</p><p>“Look around and find out what companies are around you that are doing great things in communities and states,” says Robbins. “There’s a lot of activity, a lot of things going on that maybe companies aren’t aware of, that could be available bandwidth for them to piggyback on and could help get at some of those challenges that they are having in an expeditious manner.” He also recommends that private sector organizations apply to become members of FEMA’s NBEOC to take advantage of organization-to-organization emergency communications that can then be passed on to the public.</p><p>Social media is having a positive impact on emergency managers, but a clear reluctance exists to accept social media protocols wholesale. This technology is dependent on professional security managers and leaders who have the technical know-how to enhance operations internally, externally, and with key stakeholders. </p><p>Purposeful education programs are necessary if social media is going to be used wholesale in emergency management. The key to success is to ensure that those involved in presenting the information are experienced and knowledgeable. For example, the ASIS International Crisis Management and Business Continuity Council conducts an annual workshop on crisis management plan and program development. The council integrates social media techniques into the crisis communication phase of the workshop to help participants master the conceptual skills associated with this emerging technology.</p><p>The emergency operations industry should have a responsibility to create new methodologies, applications, and data strategies that will enhance overall contingency operations. Social media is making a positive difference in emergency operations, but has far to go before being completely transformed into common practice as a tool for emergency managers.</p><p>--<br></p><p><em><strong>James J. 
Leflar, Jr., CPP</strong>, CBCP (Certified Business Continuity Professional), MBCI (Member of the Business Continuity Institute), is a consultant for Zantech IT Services. Leflar is a former chair of the ASIS International Crisis Management and Business Continuity Council. He is also coauthor of Organizational Resilience: Managing the Risks of Disruptive Events—A Practitioner’s Guide. </em></p>
https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx
ERM Best Practices
<p>With the rise of Enterprise Risk Management (ERM) programs in the security field, some leaders are on the hunt for ERM best practice guidance resources. One recent report, courtesy of the U.S. government, contains guidance that may be applicable to private sector security operations.</p><p>Last year, the U.S. Office of Management and Budget (OMB) called on federal agencies to implement ERM so that federal managers could more effectively manage risks that could affect agency strategic objectives. Given OMB’s call, the U.S. Government Accountability Office decided to update the government’s risk management framework and identify good practices that some agencies have been using.</p><p>The new report, <em>Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk,</em> identifies six components of successful ERM programs, and then describes best practices that apply to each.</p><p>The six components and their best practices are as follows:</p><p><strong>Element One: Align the ERM process to goals and objectives.</strong></p><p>Senior leaders are fully engaged and committed to the ERM process, and they support how ERM contributes to the agency’s goal-setting process. This engagement helps demonstrate the importance of ERM to agency staff.</p><p><strong>Element Two: Identify risks.</strong></p><p>Successful agencies develop an organizational “risk-informed” culture in which employees are encouraged to identify and discuss risks openly. This openness is critical to ERM success.</p><p><strong>Element Three: Assess risks.</strong></p><p>Successful agencies can integrate prioritized risk assessments into their strategic planning and organizational performance management processes. 
This integration of risk assessments helps improve the budget process, resource allocation planning, and other aspects of operations.</p><p><strong>Element Four: Select risk response.</strong></p><p>Successful agencies establish an ERM program that is customized to fit their particular operations. Once established, risk factors are regularly considered, and leaders select the risk response that is most appropriate for the structure and the culture of the agency.</p><p><strong>Element Five: Monitor risks.</strong></p><p>Successful agencies are able to continuously manage risk by conducting the ERM reviews on a regular basis. Leaders also monitor the selected risk response with performance indicators that allow the agency to track results and the response’s impact on the mission. Leaders can then determine if the risk response is successful or if it requires additional actions.</p><p><strong>Element Six: Communicate and report on risks.</strong></p><p>Sharing risk information and incorporating feedback from internal and external stakeholders helps organizations better identify and manage risks. It also increases transparency and accountability to Congress and taxpayers.</p>