In a light office basement near London Bridge sit Andy Tomkins, a partner in i2a Consulting, and Nigel Carpenter, a former BP security man now a consultant working with i2a in CSR. The obvious question: in a recession, with job and budget cuts, why should a head of security do CSR, rather than put it to the bottom of a to-do pile? In reply, Andy Tomkins does not seek to second-guess the recession, but does say: if you make mistakes now because you cut back in an economic downturn, they will cost you for a considerable time to come. "What people are doing by cutting back now is making very poor risk judgements. They are over-estimating the value of shaving a little bit off their budget because it happens to be a difficult time." The i2a idea is that it’s good business - it gives a competitive advantage - to think about your impact on the environment. And where security comes into CSR and respecting human rights is where Nigel Carpenter comes in. A multi-national, by not engaging with the communities it is working in - exploiting minerals, mining, in the developing world - can find it has on its hands alienated neighbours, bad publicity and damage to the corporate reputation - and a falling share price. Andy adds: "So we are advocating you do things in the right way and by doing that you can manage your risk and enhance your reputation and ultimately you will gain competitive advantage over your competitors."

Say an oil or gas pipeline or a diamond mine goes into some part of Africa that, before the roads and thousands of workers and machinery, had seen nothing like it. What you can call traditional security is to protect people and assets - put up gates, perimeters and locks, bring in armed guards. As the multi-national is extracting a nation’s treasure, the state may well install its police or military to protect the mine or oilfield’s ‘footprint’. The local communities may feel alienated from sudden, drastic change and suffer from pollution. If their protests are not heard, they may turn to violence. Are the guards trained to deal with protests, and worker strikes, to western standards? Or is their first resort to bully and pillage? Before you know it, there’s bloodshed, filmed by human rights activists. It makes world headlines and your multi-national is accountable; it get hit in the pocket. The share price falls as investors flee from risk. There’s a bigger dimension to security, Nigel argues; security is inextricably linked with all parts of an organisation.

Nigel Carpenter was 23 years in the military before he went into oil, latterly working for the oil multi-national BP on its CSR. He points to 9-11: "I am not saying 9-11 was the thing that changed it, but it made people wake up and realise there is a lot more risk in the world these days." He speaks of engaging with those local communities so that they feel a sense of ownership. The mine or oilfield can stimulate local jobs and businesses; but how to bring it about? How to do good on the ground, rather than talk a good game on CSR, or publish a fine-reading document on the corporate website?

So: while you may dismiss CSR as airy-fairy stuff that comes (if at all) after you’ve done the serious business of protecting assets, Nigel and Andy argue that CSR is practical. It starts with risk assessment. It’s also about compliance; and the core values of your organisation, the way you want to do business. I offer the hypothetical example of perhaps the most profitable opportunity of all - a new diamond field - in perhaps the most dangerous country, Somalia. Nigel and Andy pick this up. What are the risks? What are the facts - what part of the country are the diamonds in, what are the roads like, where’s the nearest port? Who if anyone is fighting who? In a word, you seek to quantify risk, then you can recommend specifics. Your multi-national may be the sort that does see a return in such a scenario; or it may decide, it’s not for us, just as some (but not all) companies decide that (say) setting up in Russia or Angola or Burma, to give examples from three continents, is not for them. Nigel made the point that a company may have a vice-president of compliance, safety and security, who is not someone with security experience, and who does not know if he is getting value for money from his guarding or other contractor. There an informed buyer may be required. So CSR could be called for if a multi-national is thinking of going into a new market - whether to sell products, or to take advantage of cheaper labour and plant. Or, a company is expanding; or a country looks like going to the bad after a coup; are you as happy for its troops to be in barracks around your refinery or factory? Andy makes the point, in safety and security catastrophes - crashes or explosions or security incidents - that there is seldom one sudden reason. If soldiers turn guns on protesting locals, after someone goads a soldier to fire, there are lots of little, accumulating reasons beforehand. Is the company VP wearing perhaps several hats fully aware of conditions on the ground? Are your staff reporting civil unrest to the national office - and is the news reaching head office? Are guards trained in conflict management and respecting human rights? Are they complicit in abuse? It looks as if CSR, properly done, is the hard-headed thing to do; and doing nothing is the airy-fairy approach.

Taking a holistic view: by i2a Consulting.

Security is a fundamental need, shared by people and organisations who wish to operate in an undisturbed and orderly environment. Managing security in large corporations, however, has become ever more demanding. Today’s challenge extends beyond the protection of people and assets, requiring the management of multiple sources of risk and understanding the implications of one’s own actions.

As companies expand internationally they become exposed to different societies with different values and different governmental and legal systems. How a company responds locally to new challenges in unfamiliar contexts is important, because it can have both local and international impacts. In an era of growing media scrutiny, and an increasingly connected global media, the actions of a local contracted security company can affect a company at its corporate headquarters. For example, an over-reaction by a security guard to provocation by environmental/anti-capitalist demonstrators could prompt allegations of human rights abuse, with resultant legal and reputational damage for the visiting organisation.

Over and above the laws of any given country, much of the relevant regulation around security provision is still voluntary. However, despite its voluntary status, contravening, for example, the Voluntary Principles on Security and Human Rights 1 or the OECD guidelines 2 will negatively impact the reputation of any leading firm. Furthermore, many of the component elements of these are being incorporated into formal legislation: organisations had better assure their compliance now, or be exposed in the future.

To take a more holistic view of security management, an organisation must understand the risks to ‘visitors’ of the country/community, and equally, the risks to the host communities. Security should be considered from three angles: the community, government policy/practices, and the protection of people and assets. Many corporate security and human rights issues arise because companies fail to consider the potential impact of the business and their activities on people and communities. A company must take proactive steps firstly to conduct an in-depth assessment taking into account their spheres of influence and control, and then plan their activities and stakeholder engagement to mitigate these risks as far as possible.

Without effective stakeholder engagement it is not possible to truly understand community and government views or policies on security. Wide consultation ensures security is addressed in an appropriate manner. Communication is vital and should be carefully planned and managed to deal with cultural, legal and political sensitivities. If security is handled effectively, and stakeholder engagement is consultative and continuous, a positive security culture is created, creating a virtuous circle The integration of security and human rights policies into an organisation’s way of conducting business is often a major challenge. Leadership must send out the right
messages and lead by example, training is necessary to build awareness and ensure consistency, and a clear understanding of the risks and impacts of a situation is required to build the capability to respond effectively to security matters, therefore building trust within local communities and governments. This, combined with carefully selected performance metrics that encourage the right behaviours, enables security issues to be managed effectively.

Evaluation and reporting on security performance will become increasingly prevalent. Organisations should keep up-to-date with published security and human rights best practice and develop their performance metrics accordingly. These metrics combined with a ‘healthy’ security culture should jointly serve to influence behaviours of people on-the-ground.

The holistic identification, prioritisation and management of security risk is key. To do this effectively requires an experienced team with a breadth and depth of security and relevant industry experience. The assessment is further strengthened by having a robust process, independent facilitation and practitioners that are familiar with the comprehensive risk assessment.

In conclusion, taking responsibility for managing security effectively lies with every individual and every business; it is the right thing to do. Organisations have a responsibility for their community footprint as an employer, investor or provider.