Paul Wood writes of his research into security risk management methods and resilience in the private high net wealth, asset and wealth management segment of the UK’s financial services sector. Paul is MD of Emerging Risks Global: visit www.emergingrisksglobal.com. More from Paul on this link.
ABSTRACT
As an element of the U.K. Critical National Infrastructure, the asset and wealth management segment of the financial services may be under increased threat from terrorist actors, aspiring to cause harm to the UK. The high threat level in 2017 and the on-going development of new methods of attack by terrorist groups stimulates a necessity to constantly review security risk management, business continuity management design processes and the resources available to effectively counter the evolving terrorist threat. Security professionals are responsible for the subsequent design and implementation of physical security systems and processes, aiming to protect organisations from threats. The current study contributes to improvements to security risk management and resilience within the private high net wealth, asset and wealth management segment of the U.K. financial services, through identifying threats, evaluating existing security procedures and systems, and by evaluating the incorporation of the Resource Based View (Wernerfelt 1984, 171 – 180) into security risk management and business continuity management planning. Three observations at different organisations and seven interviews with different individuals from the security profession were performed. Terrorism was identified as a key threat to this business area. Differences were reported to exist between the security procedures and systems adopted to identify and counter threats, with challenges identified in gaining the support of senior business stakeholders in order to achieve the successful adoption and implementation of security systems. The Resource Based View was reported to potentially offer an effective means of identifying resources which contribute to an organisation’s competitive advantage, during the planning phases of security systems and for improving security professional’s ability to communicate with business stakeholders.
INTRODUCTION
Security research has focused on the threat of cyber crime upon the financial services in general, rather than physical attacks on specific areas (Cummings et al. 2012; Choo 2011, 1; Randazzo et al. 2005). Given the limited information available, the present research aims to consider ways to improve resilience levels against the threat of physical attacks by terrorists upon a specific sector of the U.K.’s financial services; high net wealth, asset and wealth managers (AWM). Although physical attacks have not been witnessed in recent times, AWM and the investment banking elements of the financial industry have historically faced the threat of physical attacks from terrorist groups. Irish Republican terrorists demonstrated a preference for choosing such soft targets by attacking the sector at the Baltic Exchange in 1992, Canary Wharf in 1992 and 1996, and Bishopsgate in 1993. Following the completion of security risk assessments, the security response to the threat posed by these groups resulted in collaboration between public and private security organisations. This included a target hardening strategy of installing measures similar to the ‘rings of steel’, a series of high metal gates placed around the central shopping area in Belfast. The result of these security measures increased the resilience of the City of London and alongside the peace process in Northern Ireland, may have contributed to the reduced number of attacks.
The terrorist threat to U.K. financial services from Northern Ireland related terrorist groups does however still remain at severe, or highly likely. The current threat level identified by the U.K. Joint Terrorism Analysis Centre (JTAC) stimulates a necessity to constantly review physical security systems, in order to effectively counter the evolving terrorist threat. While research has focused upon information security and data protection within the U.K. financial services (Webster 2006; Slater 1992), a gap exists in the research focused upon physical security systems for specialist AWM. As information provided by the U.K. government and lessons learned from previous attacks may support the view that this professional area may be vulnerable to terrorist attacks, the research aims to contribute to increasing physical security and resilience levels within this area, through improving asset identification within security risk management and business continuity planning processes. It aims to achieve this through evaluating the incorporation of Wernerfelts’ (1995, 171-174; 1984, 171-180) Resource Based View (RBV) within security risk management and business continuity design processes.
The RBV model identifies the tangible and intangible assets that provide an organisation with its competitive advantage. The incorporation of the RBV into security design processes may therefore improve security professionals ability to design and implement physical security systems for AWM. Designs which rationalise security systems are more likely to be approved and funded by private sector organisations, who may not have previously viewed physical security to be an organisational priority; arguably resulting in underfunded and resourced physical security systems, vulnerable to terrorist attacks.
High Net Wealth, Asset and Wealth Management
While any individual client can apply for asset and wealth management advice from this segment of the U.K. financial services, some AWM choose to solely provide their services to HNW individuals. Within the U.K., these HNW individuals are considered to possess a net wealth in excess of £20 million (HM Revenue and Customs 2014). Although it should be recognised that the paper defined HNW as already exceeding a net worth of $750,000, every individual within a cross sectional group of 1,200 investors from across France, Germany, Italy, Spain, Switzerland, Turkey, and the United Kingdom, with an average wealth of $1.4 million, was recorded to have a financial advisor or wealth manager, in a study carried out by Accenture (2015).
U.K. based AWM who are responsible for investing money for HNW individuals spend a mixture of their time office based or travelling to meet clients. AWM potentially provide an easy target for terrorists who aim to disrupt a CNI service and additionally to gain media attention for carrying out physical attacks upon members of the public. Successful attacks upon HNW AWM can create fear within the public, fear within a CNI workforce, which may lead to work absences, thereby impacting services within the wider U.K. It may also provide an opportunity for terrorist propaganda, given that such a physical attack would be upon a profession, which is arguably reflective of the capitalist values that some terrorist groups are opposed to. Furthermore, as AWM may not have effective physical security systems in place, they may offer a valuable soft target to terrorists, given that they have access to the personal details of HNW individuals who can be subsequently attacked and financially extorted, thereby additionally fulfilling the terrorists aim to gain media attention through attacks.
Although it is the U.K. government primary responsibility to protect the safety and security of citizens through a range of measures including installing physical security systems in key locations, the challenges faced by the U.K. Security and Intelligence Agencies and Law Enforcement in terms of the rapidly evolving terrorist threat and increasing financial restraints has resulted in a growing dependence by organisations including asset and wealth management businesses, upon private security advisors. While a large proportion of the U.K. AWM segment does adopt information security (Mallinder and Drabwell, 2014, 103 – 111), the adoption of physical security systems to protect against terrorist threats is not commonplace (Kroll, 2017; Neely, 2016). As highlighted in the introduction, this may be related to the larger volume of research considering information security within the financial services. This may also be due to inappropriate resource and asset identification during the early stages of security risk management and business continuity planning procedures, which subsequently determines the physical security recommendations made by security professionals
Research Objectives
Designed in response to the suggestion by Herbane, Elliott and Swartz (2004, 435 – 457), that processes aiming to improve business security and resilience, should focus upon protecting existing business resources which provide a “competitive advantage” or add “value” to an organisation (pp. 435), this research aims to contribute to improving security risk management and resilience within the private HNW asset and wealth management segment of the U.K. financial services, through achieving the following objectives:
1. To identify the physical security threats to the high net wealth, asset and wealth management segment of the U.K. financial services, perceived by individual security professionals, with knowledge of security within the research area
2. To evaluate the existing security risk management, physical security and business continuity management design processes within the high net wealth, asset and wealth management segment of the U.K. financial services
3. To evaluate the incorporation of the Resource Based View (Wernerfelt, 1984, 171-180) into security risk management and business continuity management planning, for the high net wealth, asset and wealth management segment of the U.K. financial services
LITERATURE REVIEW
While effective information security is vital to the financial services, physical security is of equal importance given the threat to life posed by terrorists. This importance is acknowledged by the fact that the overarching drive for the U.K. security infrastructure, is article 2 of the European Convention on Human Rights, that “everyone’s life shall be protected by law” (European Convention on Human Rights, 1950). It is therefore surprising that the present research focuses upon an area, which has not been studied in greater detail, given that members of the security industry argue that the levels of physical security within the business sector are not adequate enough to defend against terrorist and criminal threats (Neely, 2016). The present research will aim to make a valuable contribution to this area of work. In support of this, the literature review for this research focuses upon four pertinent areas.
Firstly a review is carried out of existing U.K. national security strategies and policies, in order to provide an indication of the U.K. government’s strategic responses to the threat of physical attacks by terrorist actors. This research area is vital given that security procedures to protect CNI against these high level threats requires collaboration between the public and private sectors. This initial section briefly considers how effective the strategies have been in countering the terrorist threats to all organisations. The second area considered is the private security industry’s response to the identified threats. This area will consider generic publications and articles predominately produced for the security industry audience, given the lack of research focused upon AWM. Similarly the third consideration of ISO 31000 Risk Management standards and security risk management (SRM) practices in particular, will contribute to the development of an understanding of the methods used to identify and anticipate potential threats, prior to the design of physical security systems. BCM procedures adopted to support the return to business after a disruption will then be considered. Each of the aforementioned areas will be considered in the fourth section of the literature review, which will review the incorporation of the Resource Based View into SRM and BCM procedures.
U.K. Government’s Strategic Response to the Threat of Physical Attacks by Terrorist Actors
Individuals and groups have historically orchestrated acts of violence aiming to cause destruction and to instill fear in the name of ideological and political beliefs. While it has been widely accepted that a comprehensive definition for terrorism does not exist at present, section 1 of the U.K. Terrorism Act (2000) acts as a recognised definition to guide the U.K. legal system. Those attempting to define the complex subject of organised crime have experienced similar challenges. The document “Local to Global: Reducing the Risk from Organised Crime” (HM Government, 2011) settled upon the description that organised crime involves “individuals, normally working with others with the capacity and capability to commit serious crime on a continuing basis, which includes elements of planning, control and coordination, and benefits those involved” (Home Office, 2011, pp. 5). This latter definition outlines a common theme between terrorism and organised crime; the commonalty being that groups of individuals plan and carry out actions for personal gain at the expense of the security of others.
The national security strategy for the United Kingdom, ” A strong Britain in an age of uncertainty” (HM Government, 2010a), ranks the threat from International terrorism upon U.K. interests both at home and abroad as a tier one threat to national security. The recognition of the potential impacts of this threat has not merely resulted in responses limited to the production of strategic guidelines, outlining the potential impacts and stating the governmental committal to protecting the United Kingdom, it’s interests and citizens, but also to an acknowledgement that they are a daily reality which threaten both U.K. physical and financial security. The acceptance that terrorism will remain a long-term threat to both U.K. physical and financial security and the recognition that the financial restraints and social challenges faced by governments may require for increased partnerships between public and private sector organisations, in order to design and implement effective operations against threats, has resulted in increased collaboration between public services that previously did not commonly operate together and more surprisingly the private security industry. This development is demonstrated by the adoption of identical themes for both the Counter Terrorist CONTEST strategy and the U.K. Serious and Organised Crime strategy, of Pursue, Prevent, Protect and Prepare.
How effective are the government strategies in countering the terrorist threat?
Recognising that it may not be possible to stop all attacks, Gearson and Rosemont (2015, 1038 – 1064) observe that the CONTEST strategy has been relatively successful in achieving its aims of preventing physical attacks by terrorists. The authors further support this view by identifying that U.K. officials consider it effective. However, elements of the U.K. CONTEST strategy to prevent and disrupt terrorist attacks are not without criticisms. The PREVENT element of CONTEST, which aims to stop people from becoming terrorists, has received criticism for targeting the Muslim community from both members within it and leading public servants (Halliday and Dodd, 2015; Githens-Mazer and Lambert, 2010, 889 – 901), with one former police officer stating that it had “become a toxic brand and is widely mistrusted” (Babu in Halliday and Dodd, 2015). Gearson and Rosemont (2015, 1038 – 1064) further argue that despite recognising the need for improving relationships with communities and private organisations, the U.K. government has failed to effectively achieve this, leaving a remaining need for a system of engagement between public and private organisations. Private enterprises including elements of CNI at risk such as AWM professionals, may need to take greater responsibility for identifying and mitigating the threats of physical attacks by terrorists. In addition, Gearson and Rosemont (2015, 1038 -1064) identify that although the area has been considered, structures and processes have not been developed which enable the private sector to contribute appropriately to the ensuring the safety and security of the U.K. CNI, which includes asset and wealth management businesses. While CONTEST may effectively outline the overall U.K. approach for countering terrorist threats and suggest the need for increased collaboration between public and private organisations, it does not provide guidance for how businesses can counter terrorism or document how the private sector will be engaged and effectively utilised in this process, neither does it consider concerns regarding how the risks associated with private-public partnerships within security will be managed. Such a limitation could hinder the effectiveness of private security providers in terms of the proactive intelligence gathering that they are able to perform, in order to investigate threats during the planning phase of physical security systems. Such providers are unable to perform detailed due diligence against identified threats by gathering private information and intelligence through covert surveillance, due to the risk of breaching Article 8 of the European Convention on Human Rights; a right to respect for private and family life. Under the Regulation of Investigatory Powers Act (RIPA) (2000), U.K. Security and Intelligence Agencies are permitted to breach this in the interests of national security, for the purpose of preventing or detecting serious crime and for the purpose of safeguarding the economic well being of the U.K.
RIPA (2000) empowers government agencies to perform covert intelligence gathering operations in order to identify threats. The findings of such intelligence operations influence the risks recorded in the U.K. national risk register, a record maintained by the U.K. government, to ascertain the likelihood and potential consequences of a realised threat to National Infrastructure. In response to the growing threats, identified in the risk register, the CPNI (2016a) published the Operational Requirements series of physical protection advice, designed to influence security provisions for the U.K. national infrastructure, which includes the financial services. In addition the CPNI has produced a paper providing specific business security guidance to organisations entitled ‘Recognising the Threat’, released in October 2016. The limited resources available to the public sector to counter terrorist threats have resulted in a necessity for private security provision. In partnership with the British Standards Institution, this document suggests a series of standards, which it recommends organisations achieve through appropriate threat identification and security management methods. To supplement the overarching strategic responsibilities of the U.K. government outlined in the Strategic Defence and Security Review (2015) and the U.K. National Security Strategy (2010a), to protect the lives of the U.K. public and the CNI from state and non-state actors, ‘Recognising the Threat’ (HM Government, 2016) outlines how the existing national threat levels are determined and provides the intended audience of the U.K. public and businesses with the ‘Stay Safe’ principles, which have been designed to inform readers of potential actions in the event of a terrorist attack. In addition, the document describes response procedures following the discovery of suspicious packages and bomb threat communications. The value of this advice is supported by the incorporation of elements of the recommendations including the ‘Stay Safe’ principles within the Project Griffin and Project Argus counter terrorism education courses, delivered by the City of London Police to private security organisations, responsible for designing and implementing security solutions to protect businesses from the physical threat of terrorist attacks.
Although the introduction of initiatives such as Project Griffin and Argus may facilitate increased collaboration between public and private organisations responsible for security, the debate regarding the legal parameters within which private security organisations can operate remains, resulting in variance between the quality of security systems and the management of physical security solutions provided to private organisations within the U.K., including asset and wealth managers. A further challenge exists for the U.K. government regarding the adoption of the CPNI Operational Requirements. The recommendations are difficult to enforce across all businesses including those categorized as CNI, such as AWM, who do not receive direct police support and so rely upon the outsourced services of private security firms for physical security services. Dunn – Cavelty and Suter (2009) argue that the root of this discord is based upon the differing interests of public and private organisations; one being focused upon public service, while the other exists to generate revenue. As the largest companies within the private security industry predominantly compete over cost, rather than service levels, physical security systems may be minimally resourced as opposed to being designed to fulfil all of the security prescriptions outlined by CPNI’s Operational Requirements.
The challenge to effective collaboration between public services and private security providers is also evident during operational activities, particularly when organisations need to share information. Governments will not share sensitive information regarding security threats with private organisations, due to the risks posed to intelligence gathering assets from information being divulged. Although the topic has not been explored through research, private sector organisations may potentially be reticent to share information with government bodies, which could damage their reputation in the commercial market place. This situation and the ambiguity attached to the governance of the processes adopted by U.K. private security industry has provided businesses within it, degrees of freedom in the processes and systems they adopt, in order to design and implement security solutions, designed to counter physical threats. While the identified challenges may limit the effectiveness of public and private security collaboration within the U.K., the fact that the private security industry is not bound by the same financial restraints and the bureaucracy perceived to exist across U.K. public services, may provide it with the freedom to consider adopting new processes and innovative solutions, when employed to design physical security systems to protect asset and wealth management businesses from the threat of physical attacks by terrorists.
Private Security Efforts to Protect Against Physical Attacks by Terrorists
Private security provision has historically generated attention and concern regarding the potential risks attached to the ungoverned activities of private security contractors, which international law defines as mercenaries. While the activities of some private security contractors in conflict zones such as Afghanistan and Iraq may be questionable, the employment of private security employees has resulted in mixed opinions (Van Steden and Nalla, 2010; Button, 2007; Van Steden and Sarre, 2007). Within the U.K., a perception exists that elements of the private security industry are associated with criminal activities (Hobbs et al., 2003; Hobbs, 1999) and poor standards of work. Button (2007) however contends that the U.K. government has attempted to regulate the industry through the Private Security Act (2001) and the creation of the Security Industry Association (2016). While Button (2007) identifies a number of weaknesses with the present regulatory system in comparison to similar models in Europe, the growing employment of private security companies by both public and private organisations of all types has influenced the development of industry standards and governance. The industry has arguably encouraged these improvements within itself, given that the standard of service provided influences a security firms competitive standing, in an industry accountable to its clients, as opposed to the public.
An example of a highly respected service provided by security companies is threat and risk identification. One such survey by Securitas Security USA (2016) identified that corporate organisations, including financial services across North America and Mexico viewed the top five security threats to include; cyber and communications security, workplace violence, active shooter threats, business continuity planning / organisational resilience and mobile cyber and communication security. Each of these was identified alongside a growing concern for the global terrorist threat. The well-documented terrorist threat has encouraged an exponential growth in the employment of the private security industry across the world and has encouraged research by both security professionals and academics to consider security risk issues. In addition to the growth in large advisory firms offering security advisory services, growth has been observed in the manned security market, with the U.K. market value reaching in excess of £3.7 billion in 2015 (Ahmad, 2016). To support the increased demand for security by private organisations, a number of businesses such as Frontier Risks Group (https://www.frontierrisks.com/. Accessed 29th May 2018) offer professional security training to individuals who provide security to organisations
Research by Coaffee (2004) identifies that organisations are increasingly adopting the counter-terrorism measures in response to the perceived threats to safety and security. Although recommendations exist in the form of the CPNI’s Operational Requirements framework and the private sector has improved the structure of its training, responsibility for employing security professionals to lead on the implementation of security programmes still remains with private organisations and is not obligatory. The Operational Requirements guidelines do not provide detailed instructions on the most effective processes for organisations follow, in order to accurately identify business assets and the associated threats. Furthermore, it does not differentiate its security advice for AWM, which unlike other elements of the financial services, bar financial advisors, may allow employees to be located in a variety of locations, with varying levels of physical security. Both the identification of assets and the differences between locations is important to consider because it will result in the design and implementation of different security systems, designed to deter, detect, deny, delay and respond to physical threats. Following an incident, a plan designed by security professionals will be put into action to mitigate the risks to the organisation, including physical threats, with the aim of returning to a state of business as usual, as quickly as possible.
Business Continuity Management
ISO 22301: 2012 Societal Security BCM systems provides a framework to plan, implement and review a BCM strategy, designed to enable an effective response to an event. Research has suggested ways of successfully incorporating BCM into a range of industries, while maintaining the common themes outlined in the ISO 22301 (Bajgoric, 2014, 156 – 177; Drewitt, 2013; Estall, 2012; International Organisation for Standardisation, 2012). Recognising the importance of identifying the core products and services that a business requires in order to function, Torabi, Soufi, and Sahebjamnia (2014, 309 – 323) suggest that the business impact analysis phase of BCM planning could benefit from the incorporation of detailed business analysis tools, as a lack of detail within BCM exists in terms of determining features that are integral to an organisation. Such an improvement to the BCM process would help security professionals to prioritise the most important and valuable business areas to focus upon during the construction of BCM plans. This would particularly benefit security professionals providing physical security advice to organisations. Although they do not provide definitive models to follow, Herbane, Elliott and Swartz (2004, 435 – 457) emphasise the importance of preserving the most key components that an organisation possesses during BCM. Recognising the potential benefits of these suggestions, which would assist in developing an understanding of a business in order to improve the effectiveness of BCM, further methods adopted by security professionals will be considered.
The Adequacy of Security Risk Management for Protecting U.K. Asset and Wealth Managers from Terrorist Attacks
SRM may follow the framework and processes outlined in ISO 31000, Risk Management – Principles and Guidelines (International Organisation for Standardisation, 2009). This generic system provides a means for organisations, regardless of industry to manage risk. ISO 31000 is a procedural construct, which follows the principals of plan, organise, direct and control and has been adopted as a framework for security risk management professionals because of its consideration of the context within which a business operates, alongside the potential threats, risk and responses. Purdy (2010, 881 – 886) observes that the effective implementation of ISO 31000 requires an organisation to actively integrate risk management across its operational and planning processes. However Purdy (2010, 881 – 886) contends that many organisations do not successfully incorporate each of the stages of the model fully (Figure. 2.) and therefore suggests that it may be necessary to adjust elements of the risk management model to suit business processes and cultures. Baker (2011, 35 – 39) supports the suggestion that organisations differ in their approach to risk management and recommends that ISO 31000 is viewed as a framework to be followed.
Determining the context within which an organization operates and the distinct resources it possesses would improve a security professionals ability to design physical security systems that effectively protect assets from identified threats and enable a business to return to its previous form, as quickly as possible. The context phase of the SRM process includes determining an organisations geographical and physical location, micro and macro economic environments. Following the determination of these points and the identification of threats to an organisation, a security professional may implement appropriate physical security procedures. While ISO 31000, Risk Management is adopted across a number of industries, it does not prioritise protection for resources based upon their importance in providing a business with a competitive advantage. Such information may be vital to ensuring the ongoing and future performance of a business. Recognising the similarities between the initial planning phase of ISO 22301: Societal Security Business Continuity Management and the establishment of context phase within ISO 31000, Risk Management, alongside the importance of identifying the resources which provide greatest value to an organisation, both BCM and SRM could benefit from determining an effective model to adopt in order to elicit this information. The Resource Based View model (RBV) may be such a tool.
Incorporating the Resource Based View into Security Risk Management and Business Continuity Management Processes
The areas of business expertise, which distinguish a business within its market (Hamel and Prahalad, 1990, 79-91), result in what has been described as its core competencies. These have been further categorized by Kay (1995) as architectural, reputational and innovative abilities. Recognising that security professionals have experience of adopting business and market analysis tools into the design of security solutions and BCM programmes, a research opportunity exists to consider the use of a business analysis tool to identify these important resources, in order to improve security professionals understanding of the context and the threats associated with an asset and wealth management business. The RBV model, which considers the tangible and intangible resources providing a firm with a competitive advantage, is one such tool.
When reviewing the literature concerned with the RBV, it is important to consider the notion of a competitive advantage; a competitive advantage is something that an organisation possesses or performs, which provides an advantage over competitors (Peteraf, 1993, 179-191). A sustained competitive advantage is achieved when such an advantage exists and competitors are unable to replicate the benefits. It should also be considered that developing an understanding of a firm’s sustained competitive advantage has been recognised as a crucial element of reviewing its strategic management. Supporting the view of Herbane, Elliott and Swartz (2004, 435 – 457) that an effective BCM programme should preserve a firm’s most valuable and competitive attributes, the RBV model considers such resources that are integral to a service or product. Wernerfelt (1984, 171-180) further considers the minimum level of resource commitments required to provide a service. Although the research did not consider the design and implementation of security systems, Valentin (2001, 54-69) and Dyson (2004, 634-640) also argue that the analysis of an organisations strategic stance can be improved with the use of the RBV model. This may be relevant to security professionals determining what elements of an organisation to focus upon during the design of security systems. By doing so, recommendations can be made to enable an organisation to return to business as quickly as possible, following an incident.
The RBV is not without criticism. While Barney (2001, 41-56) counters the points raised, Priem and Butler (2001, 22-40) contend that a weakness of the RBV is its assumption that all things associated with a business can be viewed as a resource. The authors suggest that people within organisations struggle to effectively influence resources, which are inherently unknowable, such as tacit knowledge. Although their argument may be valid, some authors have viewed tacit knowledge, as a competitive advantage (Berman, Down and Hill, 2002, 13-31; Spender, 1993, 37-41). In this case, security professionals may want to consider the implementation of security measures, which protect organisations employees, given that they possess this knowledge resource (Garcia, 2007). The view that asset and wealth managers are themselves the key business resource is supported by Van Gelderen and Monk’s (2015) argument that success in the form of financial returns for clients, is determined by an asset and wealth managers’ knowledge of financial markets and processes, in addition to their ability to build and maintain relationships with customers (Chishty, Erasmus and Oberstein, 2011).
Literature Review Summary
The U.K. government has created a number of strategies, to outline and guide responses to the threat of physical attacks by terrorists. Although the present approach has arguably been successful in mitigating a number of potential attacks upon U.K. infrastructure and members of the public, attacks against individuals such as the soldier Lee Rigby, in London, 2013, suggest that improvements could be made in order to better prepare organisations against the terrorist threat. The private security industry is increasingly called upon to deliver both training and professional services to organisations, in order to provide this assurance and to develop resilience against the threat. Although the level of research is gradually increasing to support the design and implementation of physical security designs, the professional experience of the researcher has indicated that this area of practice could be improved upon by incorporating a means of identifying the resources, which are integral to a business within the planning phases. Recognising the lack of research considering physical security provision to the U.K. financial services, and in particular the AWM specialism, this research will aim to evaluate the implementation of the RBV model into the initial phases of security risk management and business continuity planning.
The identification of the resources and competencies that an organisation possesses, which provide it with its competitive advantage, could benefit security professionals responsible for identifying and assessing security risks, designing physical security systems and BCM programmes. Acting upon the suggestion of Herbane, Elliott and Swartz (2004, 435 – 457), that a programme to increase an organisations resilience to threats should preserve a firms “value” (p. 435), a series of observations and interviews with security professionals from both public and private sector organisations aimed to consider the existing threats to this sector, evaluate the current security measures in place to counter them and to evaluate the incorporation of the RBV model into SRM and BCM processes.
RESEARCH APPROACH
Introduction
A number of data collection methods were used and the findings corroborated through triangulation, including; interviews, observations and the review of secondary data. A key research method in this non-probability qualitative study was a series of elite interviews carried out with a group of individuals, known to the researcher. As the individuals were from discrete positions from within often impenetrable professions, a number of study subjects were identified through the referral effects of snowball sampling, encouraged by the existing contact network of the practicing researcher, an active security professional. The professional positions of the subjects within the U.K. AWM sector, public and private security services, supports the validity of the study and therefore improve its potential applicability. The result validity is further increased through the comparison of the information received.
Primary data
This research aims to determine the existing practices and the opinions of key stakeholders providing security advice to elements of the U.K. financial services at a specific point in time. In order to increase confidence in the validity of the information received, triangulation allowed for the research questions to be considered from different perspectives.
Semi-Structured Interviews
Given the sensitive nature of the information discussed and the roles of the participants, a one to one interview was an appropriate format, as participants may have felt more comfortable in expressing their opinions (Rabionet, 2011). The ability to stimulate a discussion may have been appropriate for a potentially subjective topic. However, the spontaneous nature of such a discussion can challenge researchers during semi –structured interviews to attend to both a response and the requirement to get all of the interview questions answered in sufficient detail. This was mitigated in this case by ensuring to review all of the questions after the interview, thereby ensuring that sufficient detail had been provided.
In addition to acting as a comparison to three observations at three separate sites, different to the ones where interview participants worked, the open ended questions used in the interviews provided an opportunity to gain more detailed information to determine the perceived threats to the professional area in question and the views of participants, related to the applicability of RBV model proposed by the research (Hannabuss, 1996, 22-30). The ability to ask probing questions may enable an interviewer to concentrate on particular topics. However, Johnson and Turner (2003, 297-319) state that interviews may result in guarded responses from participants that are conscious of being identified as providing information. This study aimed to manage this by protecting the identity of both participants and organisations, given that the aim is to investigate general industry themes rather than the performance of individual organisations. While the use of questionnaires was considered, this approach was avoided in order to mitigate the risk of a low response rates to the method, the vague answers often provided and the lack of opportunity to probe responses (Johnson and Turner, 2003, 297-319).
Following a successful pilot study with one security professional and the creation of a non-probability sampling group (Tansey, 2007, 765-772), semi-structured interviews were completed with seven different individuals. While access to these individuals supported their selection, they each had a wealth of experience in the topic area. This depth of experience was important as interviewees were asked to both to comment on the firms they worked for and their experience of the sector in general.
Although the distinct research objectives meant that non-purposive sampling was appropriate, it is not without limitations. In addition to the fact that not all members of the population have an opportunity to participate and therefore be represented in such a study, given its distinct parameters, limitations with such non-purposive sampling include the difficulties posed in identifying possible bias and sampling variability (Vehovar, Toepoel and Steinmetz, 2016).
The questions were designed to provide data in order to achieve each of the research objectives; participants were questioned about threats to the research business area, existing security practices and to evaluate the use of the RBV in their methods. Participants were sent a copy of the peer reviewed article ‘A resource‐based view of the firm’ by Wernerfelt (1984,171-180) two weeks prior to interview and asked to consider and incorporate the use of the RBV model into security design planning processes. Verbal understanding of the article and the research process was confirmed on the telephone one week prior to interview. While this was an appropriate method to use given the limited opportunities to meet the participants, the researcher identified that a limitation existed with this approach in the form of potential differences between participants understanding of the model. This could have been overcome through the completion of a set of questions prior to the interviews, designed to determine participants’ level of understanding of the RBV.
Observations
The systematic observation of security risk management processes, the design of physical security systems and BCM processes at three different asset and wealth management business locations, provided the researcher with an opportunity to witness and record existing security systems. In line with Boud’s (2001) view that recording ones thoughts after an event is a means of improving one’s own practice, field notes were taken during observations regarding the setting and processes observed, in support of the research objective; to evaluate the existing security processes within the high net wealth, asset and wealth management segment of the U.K. financial services.
Advantages of research observations include the ability to observe people in real situations and in this case the ability to develop an in depth understanding of processes (University of Portsmouth, 2012). However the risk exists of participants performing differently while under observation, conflict can arise related to the role of the researcher and the findings can be subjective (University of Portsmouth, 2012).
Accepting that views of potential improvements may be subjective, Appendix 4 (Table 1. U.K. Asset and Wealth Management Office Security) outlines the observation criteria for physical security systems, recorded during visits. The observations were conducted during normal working hours and the researcher was escorted around locations. Documentation and computer spreadsheets were inspected to confirm the security methods adopted at locations. The experience of security possessed by the researcher, improved the ability of the researcher to effectively integrate with the observed group and to accurately analyse information gained. While managing the risk of observer bias by asking open ended questions, without suggesting any expectation related to potential responses, the researchers’ generic experience and understanding of physical security may have resulted in better lines of verbal communication with individuals at locations, when requesting to inspect security documentation and for confirmation of processes in place.
Given that the internal validity of the observational findings is determined by the degree of access provided to the researcher and by their ability to cognitively process information and meaning (Easterby-Smith, Thorpe and Lowe, 2002), the reliability of the information reflecting physical security across the asset and wealth management segment was improved through the performance of the previously described semi-structured interviews in this multiple methods approach. Although the interview participants were located at different locations to the three observations, the results of this process acted to corroborate findings of trends across this business area.
Secondary data
Secondary data can assist in answering research questions. In the present research it was compared with the research data, thereby contributing to the triangulation process. Secondary data was sourced through both open and closed source research to investigate the security design methods adopted by the wider security industry, in order to corroborate or refute the research findings. A number of U.K. government publications outline national security strategies and advise businesses of security practices. In response, organisations construct business continuity and security practice documentation and policies. To supplement these secondary data sources, online sources were reviewed such as blogs and speeches published by stakeholders including the Financial Conduct Authority, the National Crime Agency, the U.K. Government Communications Headquarters (GCHQ) and a range of private sector organisations. These sources of qualitative and quantitative data were reviewed to identify the security methods adopted across other private and public sector organisations.
Data Collection
Primary data was generated through interviews and observations. Existing practices and the views of workforces within the industry segment were compared and contrasted, grouped and answers displayed graphically. Existing theories and models were then used to analyse business practices, standards were compared to the standards encouraged by governments and the security industry, and the relationships which exist between businesses and their adopted practices were noted and considered.
DATA ANALYSIS
Introduction
The data gathered was analysed manually; Microsoft Excel version 14.1.0 (Microsoft Cooperation, 2010) and Microsoft Word version 14.1.0 (Microsoft Cooperation, 2010) were used to present data as charts and tables. Statistical software was not required.
Validity (Internal) and Generalisability
The validity of this research was improved through the adoption of words, which were understood by both security professionals and their asset and wealth management employers, such as ‘asset’ and ‘resource’ within the adopted RBV processes. It is however important to recognise that the small research sample size may increase the potential for the results being due to chance; a larger participant group could have overcome this limitation.
Like the research by Herbane, Elliott and Schwartz (2004, 435 – 457), the small sample size in the present study, limits its generalizability. Nonetheless, as an exploratory study, this research may generate positive theoretical inferences. In this particular case, the research findings may provide an indication of whether the RBV model could be incorporated into SRM and BCM processes across professional areas other than asset and wealth management.
Reliability
The main sources of error, which could have influenced the results in the present study, include observer error, observer bias, participant error and participant bias. Participant understanding of the RBV model and its application posed a threat through participant error, while participant bias may have influenced findings during security risk assessments and the identification of resources. The research attempted to mitigate participant error by speaking with participants, one week after they had received ‘A resource‐based view of the firm’ by Wernerfelt (1984,171-180), to determine that they understood the process. Participant bias was more challenging to control as a large part of the participants’ roles, is based around the subjective identification of threats. Similarly, observer bias was a threat during the observations. This was managed through the construction and completion of a set observation criteria (Appendix 4, Table 1. U.K. Asset and Wealth Management Office Security), which limited the scope for subjective data to be recorded. Observer error was mitigated through the review of findings and the confirmation of points with location stakeholders, if necessary.
Research Ethics
All study participants were briefed as to the purpose of the research and its audience. While material was treated as confidential, participants could still choose to withhold information. Information that was deemed to be too sensitive by participants was removed. Interviews took place in a safe and comfortable environment and contributors were not deceived, coerced or offered any financial incentive for their participation. In addition, individuals were treated in a fair and non-discriminatory manner, respecting both their differences and opinions. Freely available open source information was accessed. In addition non-sensitive information that the researcher had access to was considered.
FINDINGS
Respondent Profile
Information from ten different businesses was considered. This included seven semi-structured interviews and three separate observations of physical security and business continuity management systems at different asset and wealth management businesses. This provided data with which to draw conclusions and to make appropriate recommendations.
The participants had held physical security design responsibilities within the asset and wealth management segment of the U.K. financial services for an average of 9.14 years (SD ± 7.60). Three of the participants performed professional security roles within the public sector, while four were employed by private companies. One participant was a Director from an asset and wealth management business, responsible for providing oversight to private security contractors.
Semi-Structured Interviews
The interview findings were recorded under a series of headings, each corresponding to the different questions answered. The questions were designed to provide data to achieve the three research objectives.
Observations
The observations took place at three different locations. Notes were made against pre-determined criteria (Table 1., Appendix 4). The findings are outlined alongside the interview findings, under each objective.
Objective One
To identify the physical security threats to the high net wealth, asset and wealth management segment of the U.K. financial services, perceived by individual security professionals, with knowledge of security within the research area
“What do you perceive to be the key security threats to the asset and wealth management segment of the U.K. financial services?”
When asked the question, all seven participants identified that terrorism is a key security threat to the business area (Figure 5, Appendix 6).
Objective Two
To evaluate the existing physical security planning processes within the U.K. high net wealth, asset and wealth management segment of the U.K. financial services
“Tell me about physical security within the asset and wealth management segment of the U.K. financial services? To what extent is it adequate?”
Five of the participants did not view physical security systems to be adequate (Figure 6, Appendix 7). This was supported by the observations of the researcher at site C (Table 1). In addition, no effective SRM or business continuity plans had been produced at Site C. Following escorted inspections of the physical security systems in place at two further locations, Site A had an effective security system and site B had implemented some basic level of security in the form of an alarm system and an intruder detection system. Only one of the locations visited (Site A) incorporated ISO 31000 Risk Management procedures into SRM. The model was followed in full and business assets were appropriately identified in the initial phases of the process. The SRM procedures adopted at site B, designed by the individual responsible for security at the shared location, did not identify business assets.
“What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?”
Figure 7 Illustrates the challenges identified by the participants to the design and implementation of physical security solutions. Four identified that a key challenge was gaining the support of senior business stakeholders. Gaining this support was associated with the other two key challenge areas; culture and finances. Three of the interviewees identified cultural challenges to the implementation of physical security systems, through a lack of threat recognition and low levels of understanding of the responses required to counter threats; the participants implied that they may not have sufficient influence to implement security and three held the opinion that a reticence was held by the senior stakeholders within businesses to fund security systems.
Objective Three
To explore the extent to which the Resource Based View (Wernerfelt, 1984) can support the assessment of security risks and the planning phases of business continuity plans, within the high net wealth, asset and wealth management segment of the U.K. financial services
Six participants described the implementation of Wernerfelts’ (1984, 171-180) Resource Based View as useful. While participants identified that the RBV could be useful during the context building phase of ISO 31000 and in communicating the findings to business stakeholders, following its incorporation for the purposes of the research, one individual described the inclusion of the model within SRM processes as “valuable, given the identification of tangible and intangible assets”. The individual felt that the identification, labelling and prioritisation of resources in terms of their importance to a business, could improve the understanding of the SRM process amongst colleagues within an organisation. Another participant further stated that the RBV model could empower security professionals to effectively communicate the importance of human assets to businesses, by categorising employees as a resource that is critical to business continuity and performance.
While positive about the incorporation of the RBV model into physical security design systems, one participant suggested that that the incorporation of the model could be further improved through the inclusion of a quantitative score, assigned to threats. Although they identified its potential merits, three participants were concerned about the practical implementation of the RBV, given the additional time requirement involved in using the model and presenting its findings. One individual further stated that the RBV model was not relevant to their roles as public servants advising on physical security systems. One individual, a serving public servant asked to consider the use of the RBV during the design of security systems and business continuity plans, stated that planning and issuing business continuity plans to private organisations was “not the responsibility of the public services”. The individual further stated that the public sector did not possess “the business understanding required” to utilise such models effectively. This opinion is however in contrast with the existing business continuity advice provided by the CPNI (CPNI, 2017a).
DISCUSSION
Objective One
To identify the physical security threats to the high net wealth, asset and wealth management segment of the U.K. financial services, perceived by individual security professionals, with knowledge of security within the research area
The research findings indicate that the research participants, responsible for the physical protection of HNW, asset and wealth management services within the U.K. financial services, view terrorism to be a considerable threat. A mixture of open source information and intelligence gained from Law Enforcement and security services has resulted in this view, which is further supported by terrorism being ranked as the main threat to national security (CPNI, 2017b). As described, the identification of these threats is outlined in the assessment of the U.K. security strategy ” A strong Britain in an age of uncertainty” (HM Government, 2010a), and attacks by international terrorist groups upon U.K. interests are categorized as a tier one threat.
The recognition of the scale of the threat by the U.K. government means that the threat level from terrorist activities against U.K. CNI and members of the public will not be reduced from severe, where an attack is deemed highly likely, over what is expected to be the next five years (Shaw, 2017). This finding is supported by the knowledge that the U.K. government records risks in the national risk register; determined in response to intelligence gathering operations and the increasing number of terrorist attacks that have occurred both globally and in U.K. territories.
Objective Two
To evaluate the existing physical security planning processes within the U.K. high net wealth, asset and wealth management segment of the U.K. financial services
“What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?”
Physical security solutions are required to defend organisations and people against terrorist attacks which may take the form of attacks using explosive devices, kidnappings, chemical, biological and radiological (CBR) attacks and as demonstrated more recently, against close quarter attacks using items such as firearms, knives or acid. Organisations design physical security systems to mitigate these threats and to reduce vulnerabilities, based upon the results of SRM processes. The findings indicate that the majority of the participants actively adopt the internationally recognised standards for risk management, ISO 31000 (International Organisation for Standardisation, 2009).
In support of the literature considered by Purdy (2010, 881 – 886), ISO 31000 provides a structured framework, which can be applied to a variety of organisations, including asset and wealth management businesses (Lalonde and Boiral, 2012, 272-300). The adoption of ISO 31000 by six of the interview participants and at one of the locations observed, demonstrates a positive effort to appropriately identify and analyse threats and subsequent risks, in order to determine appropriate measures to take, in line with the values and preferences of stakeholders and cost-benefit analyses. However the outcomes of the ISO 31000 processes completed by the research participants may be limited, by overlooking less conventional risks such as terrorist attacks on employees, while focusing upon standard, known risks such as theft.
While limitations were identified during the research, the overall approach towards the adoption of SRM processes by the research group was positive. However, the finding that only two participants and one observed location adopted the ISO 22301: 2012 Societal Security Business Continuity Management systems framework was concerning and identifies a key limitation in the existing security systems adopted by the research participants. Such a system would enable an organisation to maintain its critical functions following a terrorist attack and support a return to business as usual (Zawada, 2014). The paper by Herbane, Elliott and Swartz (2004, 435 – 457) identifies how BCM could benefit from the adoption of a process, which identifies and thus emphases the key components of an organisation. As previously discussed, this would benefit security professionals during the construction of BCM plans and therefore the overall physical security system.
“Tell me about security within the asset and wealth management sector? To what extent is it adequate?”
The research reviewed suggests that effective SRM and BCM programmes, can benefit the overall security system within an organisation, and that a physical security system can be designed in line with a number of areas, categorised as the five D’s (Draper et al., 2017). The findings indicate that while some improvements to physical security systems may have taken place within the wider asset and wealth management industry following the increased threat of terrorist attacks, some businesses still fail to identify that a threat exists. The finding that two of the five participants which held this view, argued that low levels of importance are placed upon physical security by their own asset and wealth businesses, and two others held the opinion that the industry segment in general does not consider physical security in as much detail within regional offices, compared to those in cities, suggests that the cultural barriers towards physical security, may exist at a high strategic decision making level of businesses within the sector. It should be identified that although interviewees were only asked to indicate whether they felt that the physical security provision at the business locations they were responsible for was adequate or inadequate, they all identified that improvements to systems were possible, particularly in terms of the inclusion of ‘innovative designs’ such as biometric entry or facial recognition systems. As identified both during interviews and observations at two of the locations, a key improvement that could be made, would be the adoption of improved ISO 31000 SRM and ISO 22301 business continuity processes. One such improvement would include more effective asset identification.
A strength observed at one site was the systematic adoption of ISO 31000 Risk Management procedures by the physical security team. This management standard provides a risk management framework, which is appropriately adopted across a range of industries (Lalonde and Boiral, 2012, 272-300). However, the effectiveness of the standard requires active adoption across all levels within an organisation. In addition, failings in stakeholder communications within organisations have been observed by previous research to negatively impact the application of the standard (Lalonde and Boiral, 2012, 272-300). A further concern identified in literature is the weakness of the framework in identifying an organisations assets (Myagmar, Lee and Yurcik, 2005). Myagmar, Lee and Yurcik (2005) argue that this is concerning given the importance of identifying assets which may be threatened, during the design of security protection systems. An additional concern identified in the findings of the present research is the failure to complete a vulnerability assessment during the design of physical security systems, as observed at two different sites. A vulnerability assessment must be performed after potential threats have been identified (Fennelly, 2016; Garcia, 2007), in order to consider the vulnerability of an organisation and its assets to an attack and the impacts upon an organisation. Physical security measures can then be installed in order to achieve target hardening, which aims to increase the level of deterrence and/or defence against such an attack. It is therefore concerning given the existing high security threat to U.K. CNI from terrorist attacks, that many of the research participants felt that existing physical security systems in this business area were inadequate and the observations at one site failed to identify any effective processes or physical protection systems in place.
While accepting that the small research sample size limits the ability to generalize findings across a wide industry group, a number of common factors were identified across the research group. A failure by firms to identify terrorist threats may be related to the small importance placed upon physical security in some asset and wealth management businesses (Two participants) and this trend may be more evident in regional locations (Two participants). One individual, a security advisor, stated that the decision makers within their organisation “did not pay enough attention to physical security improvements”. Furthermore, the individual held the opinion that large companies within the wider asset and wealth management sector may install adequate physical security in locations within areas such as the City of London, but not in regional offices away from cities. This particular view was supported by a number of participants. Three participants suggested that a reason for asset and wealth management offices outside of major cities within their own organisation, not being adequately protected was because of “ a case of out of sight, out of mind” (U.K. Civil Service Security Advisor, 7/11/2017). Improvements to SRM procedures through improved asset identification, the subsequent identification of threats to assets and asset vulnerabilities, and fundamentally appropriate styles of communication in order to ensure that information is appropriately shared with business stakeholders, may improve the ability of security professionals to design and implement adequate security systems, at all locations.
If these adjustments to the existing processes are not made, security professionals may continue to struggle to gain support for physical security systems. A contributing factor this situation may be related to limitations in the ability of the CPNI to enforce standards within physical security systems across businesses. The only inducement to businesses that may exist can take the form of insurance policies, regarding the installation and monitoring of alarm systems. Without any legislative requirement to install advanced physical security systems, the effective design and implementation of such solutions may be reliant upon the ability of security professionals to successfully gain the support of stakeholders within businesses.
“What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?”
The research findings identified a number of challenges to existing security planning processes and the design of physical security systems in this area. As illustrated in Figure 7 (Appendix 8.), a key challenge exists in gaining the support of senior business stakeholders. When asked “what are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services”, participants expressed the opinion that challenges existed due to limits in the levels of security awareness within organisations (2) and the “spend appetite” (6) of decision makers within asset and wealth management firms, thus reducing the ability of security professionals to successfully adopt new systems and implement changes to existing systems. It is possible that an inability of security professional to educate business stakeholders about threats and mitigation strategies may contribute to this finding. The possibility that communication between security professionals and business stakeholders may be responsible for this is supported by research by Leitch (2010, 887-892), which suggests that the vague and ambiguous terminology used in ISO 31000 may result in inaccurate risk management decisions.
Gaining the support of senior stakeholders was also associated with the other two key challenge areas; culture and finances. Three of the interviewees identified that a cultural challenge existed to the implementation of physical security systems in the form of a lack of recognition of threats to businesses and low levels of understanding of the security responses required to counter them; the participants implied that they may not have sufficient influence to change opinions. Overcoming perceived challenges in the form of existing business cultures will be determined by the ability of security professionals to gain the support of senior stakeholders. Fui – Hoon et al. (2001) contend that senior management within organisations must identify and communicate the importance of a project, in order to gain support across an organisation. This supports Purdy’s (2010, 881 – 886) argument that in order for risk management to be effectively incorporated within organisations, its processes may need to be adjusted to suit business cultures. The present research suggests that the effective incorporation of an asset identification process and the use of terminologies recognised by stakeholders within SRM and BCM processes, may overcome such challenges (Leitch, 2010, 887-892). This view supports Falkowski et al. (1998, 44-45), who stress the importance of effective communication strategies, in achieving the implementation of large- scale organisational projects.
The improvements to asset identification, SRM and the communication of findings may assist in overcoming the perceived barriers related to financial investment for physical security, as described by three participants, who held the opinion that a reticence was held by the senior stakeholders within businesses to fund security systems. The research suggestion that inappropriate communication techniques and low levels of persuasion within the participants, may be related to the reluctance within senior business stakeholders, to invest in physical security systems, is supported by research, which has argued that human behavior, in this case a lack of persuasive skill on the part of security professionals, can hinder the successful implementation of security systems (Lim et al., 2010; Pahnila, Siponen and Mahmood, 2007).
In summary, the consideration of SRM reviews and the implementation of physical security systems and business continuity programmes by senior stakeholders within U.K. based asset and wealth management businesses could potentially be improved through the adoption of appropriate communication methods and terminologies during security system design phases. Such an approach would aim to communicate appropriately to each management level within an organisation. The adoption of appropriate styles of communication is a valuable tool for mitigating the challenges experienced during the incorporation of new business processes and systems. The resulting generation of greater levels of stakeholder buy in for physical security systems, may support successful adoption and implementation. This could potentially be achieved through the incorporation of business models and terminology, which asset and wealth management business leaders may be familiar with.
Objective Three
To explore the extent to which the Resource Based View (Wernerfelt, 1984) can support the assessment of security risks and the planning phases of business continuity plans, within the high net wealth, asset and wealth management segment of the U.K. financial services
The RBV provides a means of identifying the resources and assets that provide a business with its competitive advantage (Peteraf, 1993, 179-191). Developing the suggestion by Herbane, Elliott and Swartz (2004, p. 435 – 457) that the effectiveness of BCM programmes can be improved through focusing upon protecting and preserving the resources which provide an organisation with a competitive advantage, the present research suggests that the RBV model (Wernerfelt, 1984, 171-180) can assist security professionals, to identify such assets during SRM and BCM design processes. The finding that six of the interview participants described the model as useful, particularly during the context building phase of ISO 31000 and in communicating the findings to business stakeholders, may support its use, as a means to overcome the key challenges identified through this study, to the effective design and implementation of physical security systems, within the sector. The value of the RBV model was described in further detail by one individual, who stated that the model benefits SRM processes through “the identification of tangible and intangible assets” (AWM Director, 7/11/2017). The accurate identification of assets and resources that are integral to an organisation could save both time and resources from being spent focusing upon less important areas, during the subsequent design and implementation of physical security systems. Crucially, the use of the model and the associated terminology may improve the ability of security professionals to communicate SRM findings to senior stakeholders within asset and wealth management firms. The finding that the classification of resources in terms of their importance to a business may increase levels of threat and security awareness across businesses and improve communication between security professionals and business stakeholders, is congruent with the views of Herbane, Elliott and Schwartz (2004, 435 – 457), that BCM programmes should be designed to focus upon preserving resources which provide an organisation with its competitive advantage.
It should be considered that the RBV model is not without criticism. Priem and Butler (2001, 22-40) argue that the process places too much emphasis upon the innate value of resources, contending that it is in fact the market environment that dictates their value. Similarly, the findings of the present research suggest that details regarding the business value of resources, offered by the model, might not be viewed as beneficial by public sector security professionals who do not view BCM to be one of their responsibilities. Furthermore, three of the participant group had concerns about the practical implementation of the model, given the additional time requirements required to effectively analyse a business and its resources.
While these limitations should be considered, it is acknowledged that participants who stated that the model was too time consuming, still identified the benefits of its incorporation, given its accurate identification of resources. Such identification can support the prioritisation of resources, during risk management and physical security provision This is congruent with Lalonde and Boiral’s (2012, p. 275) view of the ISO 31000 process, that “an order of priority should be established and should reflect the costs resulting from the implementation of the risk treatment measures, compared with the gains resulting from not taking such measures”. A priority resource can be people themselves, especially within businesses reliant upon the skills and knowledge of employees, such as asset and wealth management. The recognition that the RBV identifies a number of business elements to protect through physical security systems; the manager, customers and the resources involved in the financial trading process, is important to security professionals responsible for designing security solutions.
CONCLUSION
This research aimed to contribute to improving security risk management and resilience within the private high net wealth, asset and wealth management segment of the UK financial services. It identified the key threats to the sector and it further identified differences between the security procedures and systems adopted to counter these threats. Finally, the present research explored the incorporation of the Resource Based View, into the initial phases of security risk management and business continuity management processes, within the sector.
The study achieved its first objective by identifying physical attacks by terrorist as the greatest physical security threats to the high net wealth, asset and wealth management segment of the UK financial services. This finding was conclusive amongst the group of participants and is supported by both the present threat level of severe, which means that a terrorist attack is highly likely and its categorisation as a tier one threat to U.K. national security.
Differences were identified between asset and wealth management businesses, in the security risk management procedures, business continuity management programmes and physical security systems adopted to protect company assets against physical attacks by terrorists. Although improvements to physical security systems across the wider asset and wealth management sector were identified by participants, following the increased threat of terrorist attacks, the research findings demonstrated that security systems were still considered inadequate in a number of locations, particularly outside of cities. The suggestion was made that inaccurate threat identification and the inability of security professionals to effectively communicate security risk management findings to senior business stakeholders, thus persuading them of the need for physical security systems, did not empower them to overcome the potential cultural barriers to physical security systems within the sector or importantly the reticence to invest money in security systems.
The research participants suggested that the RBV model might benefit security professionals through identifying the tangible and intangible assets, which provide an organisation with its competitive advantage. In addition to improving the physical security systems, this identification may also improve BCM programmes. However, while six of the participants did view the model to offer benefits, mixed views were expressed regarding the practical implementation of the model, due to the time costs of completing it.
Although the small size of the participant group limits the ability to draw firm conclusions about all three objectives and the mixed views about the practical implementation of the RBV does not enable this research to make conclusive recommendations regarding its employment, the findings do indicate that Wernerfelt’s (1984, 171-180) Resource Based View has the potential improve both the ISO 31000 Risk Management and ISO 22301 2012: Societal Security Business Continuity Management frameworks adopted by security professionals, through identifying an asset and wealth management firms key resources.
Recommendations
Given the inability of the present research to draw firm conclusions, which enable the production of recommendations for the incorporation of the RBV into SRM and BCM planning procedures, it is suggested that further research be conducted, in order to build upon the present findings. In addition to evaluating the incorporation of the RBV into the security risk and BCM procedures of a larger number of asset and wealth management firms, in order to improve the reliability of the findings of the present study, the incorporation of the RBV model could also be assessed in security design procedures for other professional areas, in order to assess its generalizability, value and validity in these areas. In addition to incorporating the RBV, to determine the resources, which contribute to an organisations competitive advantage, a quantitative system could be considered, which justifies the prioritisation attached to different resources, for physical protection. This may further assist security professionals in justifying security systems to senior business stakeholders, thus gaining support and financial backing for the design and implementation of security solutions.
REFERENCES
Asal, V. H., Rethemeyer, R. K., Anderson, I., Stein, A., Rizzo, J. and Rozea, M. (2009) ‘The softest of targets: A study on terrorist target selection’, Journal of Applied Security Research, 4(3), pp. 258-278.
Baker, N. (2011) ‘Managing the complexity of risk: the ISO 31000 framework aims to provide a foundation for effective risk management within the organization’, Internal Auditor, 68 (2), pp. 35-39.
Bajgoric, N. (2014) ‘Business continuity management: A systemic framework for implementation’, Kybernetes, 43 (2), pp.156-177.
Bamford, B. (2004) ‘The United Kingdom’s “war against terrorism”’, Terrorism and Political Violence, 16(4), pp. 737-756.
Barney, J. B., (2001) ‘Is the resource-based “view” a useful perspective for strategic management research? Yes’, Academy of Management Review, 26 (1), pp.41-56.
Barney, J., Wright, M. and Ketchen Jr, D. J. (2001) ‘The resource-based view of the firm: Ten years after 1991’, Journal of Management, 27(6), pp. 625-641.
Bennett, T. and Gelsthorpe, L. (1996) ‘Public attitudes towards CCTV in public places’, Studies on Crime and Crime Prevention, 5(1), pp. 72-90.
Berg, H. P. (2010) ‘Risk management: procedures, methods and experiences’, Risk Management, 1(17), pp. 79-95.
Berman, S. L., Down, J. and Hill, C. W. (2002) ‘Tacit knowledge as a source of competitive advantage in the National Basketball Association’, Academy of Management Journal, 45 (1), pp.13-31.
Birt, Y. (2009) ‘Promoting virulent envy? Reconsidering the UK’s terrorist prevention strategy’, The RUSI Journal, 154(4), pp. 52-58.
Black, I. (2006) ‘The presentation of interpretivist research’, Qualitative Market Research: An International Journal, 9 (4), pp. 319–324.
Brydon-Miller, M., Greenwood, D. and Maguire, P. (2003) ‘Why action research?’, Action Research, 1 (1), pp. 9-28.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010) ‘Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness’, MIS Quarterly, 34(3), pp. 523-548.
Burgess, R. G. (1981) ‘Keeping a research diary’, Cambridge Journal of Education, 11(1), pp. 75-83.
Button, M. (2007) ‘Assessing the regulation of private security across Europe, European Journal of Criminology, 4 (1), 109 -128.
Button, M. (2011) ‘The Private Security Industry Act 2001 and the security management gap in the United Kingdom’, Security Journal, 24(2), pp. 118-132.
Carr, W. and Kemmis, S. (2003) Becoming Critical: Education Knowledge and Action Research. London: Routledge.
Cerullo, V. and Cerullo, M. J. (2004) ‘Business continuity planning: a comprehensive approach’ Information Systems Management, 21(3), pp. 70-78.
Chandler, M. & Gunaratna, R. (2007) Countering terrorism: Can we meet the threat of global violence? London, UK: Reaktion books.
Chen, S. J. and Hwang, C. L. (1992) ‘Fuzzy multiple attribute decision making methods’. In Fuzzy multiple attribute decision making (pp. 289-486). Berlin Heidelberg: Springer.
City of London Police. (2002) Crime and disorder strategy 2002 – 05.
Clas, E. (2008) ‘Business continuity plans’, Professional Safety, 53(9), p.45.
Coaffee, J. (2003) ‘Morphing the counter-terrorist response: Beating the bombers in London’s financial heart’, Knowledge, Technology & Policy, 16(2), pp. 63-83.
Coaffee, J. (2004) ‘Rings of steel, rings of concrete and rings of confidence: designing out terrorism in central London pre and post September 11th’, International Journal of Urban and Regional Research, 28 (1), pp.201-211.
Coaffee, J., Moore, C., Fletcher, D. and Bosher, L. S. (2008) ‘Resilient design for community safety and terror-resistant cities’, Proceedings of the ICE: Municipal Engineer, 161 (2), pp. 103 – 110.
Cockayne, J. (2008) ‘Regulating private military and security companies: The content, negotiation, weaknesses and promise of the Montreux Document’, Journal of Conflict & Security Law, 13(3), pp. 401-428.
Colwill, C. (2009) ‘Human factors in information security: The insider threat–Who can you trust these days?’, Information Security Technical Report, 14(4), pp. 186-196.
Combs, C. C., Cragin, R. K., Gunaratna, R., Jackson, B. A., Kenney, M., Ortiz, R. D., Ramakrishna, K., Schaper, A., Trujillo, H. R. and Weimann, G. (2006) Teaching terror: Strategic and tactical learning in the terrorist world. Maryland, USA: Rowman & Littlefield Publishers.
Cooper, D. R., Schindler, P. S. and Sun, J. (2003) Business Research Methods. London: McGraw-Hill.
Crenshaw, M. (1981) ‘The causes of terrorism’ Comparative Politics, 379-399.
Dalton, B., Martin, K., McAndrew, C., Nikolopoulou, M. and Triggs, T. (2015) Designing Visible Counter-terrorism Interventions in Public Spaces. Farnham, U.K.; Ashgate Publishing.
Debar, H. and Wespi, A. (2001) ‘Aggregation and correlation of intrusion-detection alerts’. In Recent Advances in Intrusion Detection (pp. 85-103). Berlin: Springer.
Denscombe, M. (2003) The Good Research Guide for Small-Scale Social Research Projects (2nd ed.). Buckingham: Open University Press.
Draper, R., Ritchie, J., Wilson, E. and Prenzler, T. (2017) ‘Best Practice in Physical Security and People Management’. In Understanding crime prevention: The Case study approach (pp. 151-166). Queensland, Australia: Australian Academic Press.
Drewitt, T. (2013) A Manager’s Guide to ISO22301: A practical guide to developing and implementing a business continuity management system. Ely, UK: IT Governance Ltd.
Dunn – Cavelty, M.and Suter, M. (2009) ‘Public–Private Partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection’, International Journal of Critical Infrastructure Protection 2, 4, pp. 179-187.
Dyson, R. G. (2004) ‘Strategic development and SWOT analysis at the University of Warwick’, European Journal of Operational Research, 152 (3), pp. 631-640.
Easterby-Smith, M., Thorpe, R. and Lowe, A. (2002) Management research: An introduction (2nd ed.). London: Sage.
Eisenhardt, K. M. (1989) ‘Building Theories from Case Study Research’, Academy of Management Review, 14 (4), pp. 532 – 550.
Estall, H. (2012) Business continuity management systems: Implementation and certification to ISO 22301. BCS, The Chartered Institute.
European Court of Human Rights. (2010) European Convention on Human Rights. Strasbourg.
Fennelly, L. (2016) Effective physical security. Oxford: Butterworth-Heinemann.
Fiorentini, G., & Peltzman, S. (Eds.). (1997) The Economics of Organised Crime. Cambridge: Cambridge University Press.
Flint, C. (2003) ‘Terrorism and counterterrorism: Geographic research questions and agendas’ The Professional Geographer, 55(2), pp. 161-169.
Garcia, M. L. (2007) Design and Evaluation of Physical Protection Systems. Oxford, U.K.: Butterworth-Heinemann.
Gearson, J. and Rosemont, H. (2015) ‘CONTEST as strategy: Reassessing Britain’s counterterrorism approach’ Studies in Conflict & Terrorism, 38 (12), pp.1038 -1064.
Githens-Mazer, J. and Lambert, R. (2010) ‘Why conventional wisdom on radicalization fails: The persistence of a failed discourse’, International Affairs, 86 (4), pp. 889–901.
Goddard, W. and Melville, S. (2004) Research Methodology: An Introduction. Cape Town, SA: Juta and Company Ltd.
Goldstein, K. (2002) ‘Getting in the door: Sampling and completing elite interviews’, Political Science & Politics, 35 (04), pp. 669-672.
Grimes, D. A. and Schulz, K. F. (2002) ‘Bias and causal associations in observational research’, The Lancet, 359 (9302), pp. 248-252.
Hamel, G. and Prahalad, C. K. (1990). The core competence of the corporation. Harvard Business Review, 68 (3), 79-91.
Hammersley, M. (1987) ‘Some notes on the terms ‘validity’and ‘reliability’’, British Educational Research Journal, 13(1), pp. 73-82.
Hannabuss, S. (1996) ‘Research interviews’, New Library World, 97 (1129), pp. 22-30.
Hendricks, V. M., Blanken, P. and Adriaans, N. (1992) Snowball Sampling: A Pilot Study on Cocaine Use. Rotterdam: IVO.
Herbane, B., Elliott, D. and Swartz, E.M. (2004) ‘Business continuity management: time for a strategic role’?, Long Range Planning, 37 (5), pp.435-457.
Herbane, B. (2010) ‘The evolution of business continuity management: A historical review of practices and drivers’, Business History, 52(6), pp. 978-1002.
HM Government (2010a) A strong Britain in an age of uncertainty: The national security strategy. London: Her Majesty’s Stationery Office.
HM Government (2010b) CONTEST: The United Kingdom’s strategy for countering terrorism. London: Her Majesty’s Stationery Office.
HM Government (2011) Local to global: reducing the risk from organised crime. London: Her Majesty’s Stationary Office.
HM Government (2013) Serious and organised crime strategy. London: Her Majesty’s Stationery Office.
HM Government (2015) The strategic defense and security review. London: Her Majesty’s Stationery Office.
Hobbs, D. (1999) Bad business: Professionals and crime in modern Britain. Oxford: Oxford University Press.
Hobbs, D., Hadfield, P., Lister, S. and Winlow, S. (2003) Bouncers: Violence ad governance in the night- time economy. Oxford: Oxford University Press.
Hudson, L., and Ozanne, J. (1988) ‘Alternative Ways of Seeking Knowledge in Consumer Research’, Journal of Consumer Research, 14 (4), pp. 508–521.
International Organisation for Standardisation. (2009) 31000: 2009 Risk management–Principles and guidelines. International Organization for Standardization, Geneva, Switzerland.
International Organisation for Standardisation. (2012) 22301: 2012 Societal security. Business continuity management systems – Requirements. International Organization for Standardization, Geneva, Switzerland.
Jankowicz, A. D. (2004) Business Research Projects (4th ed.). London: Cengage Learning Business Press
Jenkins, B. M. (1974) International terrorism: A new kind of warfare. California, USA: The Rand corporation.
Johnson, B. and Turner, L. A. (2003) ‘Data collection strategies in mixed methods research’, Handbook of Mixed Methods in Social and Behavioral Research, pp. 297-319.
Kay, J. (1995). Foundations of Corporate Success: How Business Strategies Add Value. Oxford: Oxford University Press.
Kelly, P. and Ashwin, A. (2013) The Business Environment. Andover, UK: Centage Learning.
Kettle, L. and Mumford, A. (2017) ‘Terrorist learning: A new analytical framework’, Studies in Conflict & Terrorism, 40 (7), pp. 523-538.
King N. (2012) ‘Doing template analysis’, Qualitative Organizational Research: Core Methods and Current Challenges, 26, pp. 426.
Kinsey, C. (2005) ‘Challenging international law: A dilemma of private security companies: Analysis, Conflict, Security & Development, 5 (3), pp. 269-293.
Kuddin, S. and Hossain, L. (2011) ‘Disaster coordination preparedness of soft‐target organisations’, Disasters, 35(3), pp. 623-638.
Lalonde, C. and Boiral, O. (2012) ‘Managing risks through ISO 31000: A critical analysis’. Risk Management, 14 (4), pp.272-300.
Leahy, T. (2014) ‘The influence of informers and agents on provisional Irish Republican Army military strategy and British counter-insurgency strategy, 1976–94’, Twentieth Century British History, 26(1), pp. 122-146.
Levi, M. and Burrows, J. (2008) ‘Measuring the impact of fraud in the UK: A conceptual and empirical journey’, The British Journal of Criminology, 48(3), pp. 293-318.
Lim, J. S., Ahmad, A., Chang, S. and Maynard, S. B. (2010) ‘Embedding Information Security Culture Emerging Concerns and Challenges’. In: Pacific Asia Conference on Information Systems, p. 43.
Lord Carlile of Berriew. (2011) Sixth report of the independent reviewer pursuant to section 14 (3) of the prevention of terrorism act 2005. London: Her Majesty’s Stationary Office.
Lord Lloyd of Berwick. (1996) Inquiry into Legislation Against Terrorism. London: Her Majesty’s Stationery Office.
Lum, C., Kennedy, L. W. and Sherley, A. (2008) ‘Is counter-terrorism policy evidence-based? What works, what harms, and what is unknown’ Psicothema, 20 (1).
Mallinder, J. and Drabwell, P. (2014) ‘Cyber security: A critical examination of information sharing versus data sensitivity issues for organisations at risk of cyber attack’, Journal of Business Continuity & Emergency Planning, 7(2), pp. 103-111.
Matyas, S. M. and Stapleton, J. (2000) ‘A biometric standard for information management and security’, Computers & Security, 19(5), pp. 428-441.
Miles, M. B., Huberman, A. M. and Saldana, J. (2013) Qualitative Data Analysis: A Methods Sourcebook. London: Sage Publications.
Miller, C. (2005) Private security guards in Iraq operate with little supervision.
Los Angeles Times, 4th December, p. A2.
Nalla, M. K. and Heraux, C. G. (2003) ‘Assessing goals and functions of private police’, Journal of Criminal Justice, 31(3), pp. 237-247.
Nalla, M. K. and Lim, S. (2003) ‘Students’ perceptions of private police in Singapore’, Asian Policing, 1(1), pp. 27-47.
Needle, D. (2010). Business in Context. 5th Edition. UK: Cengage Learning.
Neuman, L. W. (2000). Social Research Methods: Qualitative and Quantitative Approaches. 4th edition. USA: Allyn and Bacon.
Nunes-Vaz, R., Lord, S. and Ciuk, J. (2011) ‘A more rigorous framework for security-in-depth’, Journal of Applied Security Research, 6(3), pp. 372-393.
O’donoghue, T. (2006) Planning your Qualitative Research Project: An Introduction to Interpretivist Research in Education. London: Routledge.
Omand, D. (2005) ‘Countering international terrorism: the use of strategy’, Survival, 47(4), pp. 107-116.
Pahnila, S., Siponen, M., & Mahmood, A. (2007) ‘Employees’ behaviour towards is security policy compliance. In: Proceedings of the 40th Hawaii International Conference on System Sciences – 2007, Hawaii.
Patton, M. Q. (1990) Qualitative Evaluation and Research Methods. London: Sage Publications.
Peciña, K., Estremera, R., Bilbao, A. and Bilbao, E. (2011) ‘Physical and Logical Security management organization model based on ISO 31000 and ISO 27001’, In Security Technology (ICCST), 2011 IEEE International Carnahan Conference on (pp. 1-5). IEEE.
Peteraf, M. A. (1993) ‘The cornerstones of competitive advantage: A resource‐based view’, Strategic Management Journal, 14(3), pp. 179-191.
Peters, B. G. and Pierre, J. (eds). (2004) The politicization of the civil service in comparative perspective. A quest for control. Abingdon: Routledge.
Phillips, C. (1999) ‘A review of CCTV evaluations: Crime reduction effects and attitudes towards its use’ Crime Prevention Studies, 10(1), pp. 123-155.
Pollitt, M. (2005) ‘Learning from U.K. private finance initiative experience’, The challenge of public-private partnerships: Learning from international experience, pp.207.
Porter, M. E. (2008) Competitive Advantage: Creating and Sustaining Superior Performance. New York: Simon and Schuster.
Priem, R. L. and Butler, J. E. (2001) ‘Is the resource-based “view” a useful perspective for strategic management research’?, Academy of Management Review, 26 (1), pp.22-40.
Private Security Act 2001. (c.12). London: Her Majesty’s Stationery Office.
Purdy, G. (2010) ‘ISO 31000: 2009—setting a new standard for risk management’. Risk Analysis, 30 (6), pp. 881-886.
Ray, G., Barney, J. B. and Muhanna, W. A. (2004) ‘Capabilities, business processes, and competitive advantage: choosing the dependent variable in empirical tests of the resource‐based view’ Strategic Management Journal, 25(1), pp. 23-37.
Regulation of Investigatory Powers Act 2000. (c.23). London: Her Majesty’s Stationery Office.
Reid, E. F. and Chen, H., (2007) ‘Mapping the contemporary terrorism research domain’ International Journal of Human-Computer Studies, 65(1), pp. 42-56.
Robison, K. K., Crenshaw, E. M. and Jenkins, J. C. (2006) ‘Ideologies of violence: The social origins of Islamist and leftist transnational terrorism’, Social Forces, 84(4), pp. 2009-2026.
Robson, C. (2002) Real world research: A resource for social scientists and practitioner researchers (2nd ed.). Oxford: Blackwell.
Rumelt, R. P. (1984) ‘Towards a Strategic Theory of the Firm. Competitive Strategic Management’. Competitive Strategic Management, pp. 556-570.
Sadgrove, K. (2016) The Complete Guide to Business Risk Management. Abingdon, U.K.: Routledge.
Sarre, R. (2008) ‘The legal powers of private security personnel: some policy considerations and legislative options’, Queensland University of Technology Law & Justice Journal, 8, p.301.
Sandhusen, R. L. (2000) Marketing. 3rd edition. Hauppauge, NY: Barron’s.
Sands, M. (2010) ‘Turn on the charm’, Operational Risk & Regulation, 11, pp. 35 -37.
Saunders, M., Lewis, P. and Thornhill, A. (2009) Research Methods for Business Students. London: Pitman.
Schmid, A. P. (ed) (2011) The Routledge Handbook of Terrorism Research. Abingdon, U.K.: Taylor & Francis.
Securitas Security Services USA (2016) ‘Top Security Threats and Management Issues Facing Corporate America survey. Published by Securitas Security Services USA, Inc.
Seo, T. W., Lee, S. R., Bae, B. C., Yoon, E. and Kim, C. S. (2012) ‘An analysis of vulnerabilities and performance on the CCTV security monitoring and control’, Journal of Korea Multimedia Society, 15(1), pp. 93-100.
Shoniregun, C. A. (2003) ‘Are existing internet security measures guaranteed to protect user identity in the financial services industry?’, International Journal of Services Technology and Management, 4 (2), pp. 194-216.
Slater, K., 1992. Information security in financial services. London: Springer.
Spender, J. C. (1993) ‘Competitive Advantage from Tacit Knowledge? Unpacking the Concept and Its Strategic Implications’, In Academy of Management Proceedings (Vol. 1993, No. 1, pp. 37-41). Academy of Management.
Stake, R. E. (1995) The Art of Case Study Research. London: Sage Publications.
Thomson, S. K. (1997) ‘Adaptive sampling in behavioral surveys’. NIDA Research Monographs, 167, pp. 296-319.
Tipton, H. F. and Krause, M. (2003) Information Security Management handbook. Florida, USA: CRC Press.
Torabi, S. A., Soufi, H. R. and Sahebjamnia, N. (2014) ‘A new framework for business impact analysis in business continuity management’ (with a case study). Safety Science, 68, pp.309-323.
Tripp, C. (2006) Islam and the Moral Economy: The challenge of capitalism. Cambridge: Cambridge University Press.
Turner, B.A. (1981) ‘Some practical aspects of qualitative data analysis: one way of organising the cognitive process associated with the generation of grounded theory’, Quality and Quantity, 15 (3), pp. 225-247.
Uddin, M. S. and Hossain, L. (2009) ‘Towards coordination preparedness of soft-target organisation’, In International Conference on Electronic Government (pp. 54-64). Berlin: Springer.
Valentin, E. K. (2001) ‘SWOT analysis from a resource-based view’, Journal of Marketing Theory and Practice, 9 (2), pp. 54-69.
Van Steden, R. and Sarre, R. (2007) ‘The growth of private security. Trends in the European Union’, Security Journal, 20, pp. 222-235.
Van Steden, R. and Nalla, M. K. (2010) ‘ Citizen satisfaction with private security guards in the Netherlands. Perceptions of an ambiguous occupation’, European Journal of Criminology, 7 (3), pp. 214 – 234.
Van Steden, R. and De Waard, J. (2013) ‘Acting like chameleons’: On the McDonaldization of private security’, Security Journal, 26(3), pp. 294-309.
Vinten, G. (1994) ‘Participant observation: A model for organisational investigation?’, Journal of Managerial Psychology, 2 (2), pp.30-38.
Vogt, W. P. (1999) Dictionary of Statistics and Methodology: A Non-Technical Guide for the Social Sciences. London: Sage publications.
Waard, J. (1999) ‘The private security industry in international perspective, European Journal on Criminal Policy and Research, 7, pp. 143-174.
Webster, M. (2006) Data protection in the financial services industry. Aldershot, U.K.; Gower Publishing, Ltd..
Weimann, G. and Winn, C. (1994) The Theatre of Terror: Mass Media and International Terrorism (pp. 17-50). New York: Longman.
Welsh, B. C., Mudge, M. E. and Farrington, D. P. (2010) ‘Reconceptualizing public area surveillance and crime prevention: Security guards, place managers and defensible space’, Security Journal, 23(4), pp. 299-319.
Wernerfelt, B. (1984) ‘The resource-based view of the firm’. Strategic Management Journal, 5 (2), pp. 171–180.
Wernerfelt, B. (1995) ‘The resource-based view of the firm: Ten Years After’. Strategic Management Journal, 16 (3), pp. 171–174.
Yüksel, I. (2012) ‘Developing a multi-criteria decision making model for PESTEL analysis’, International Journal of Business and Management, 7 (24), p.52.
Zhou, M., Zhang, R., Xie, W., Qian, W. and Zhou, A. (2010) ‘Security and privacy in cloud computing: A survey’, In Semantics Knowledge and Grid (SKG), 2010 Sixth International Conference on (pp. 105-112). IEEE.
Electronic Sources
Accenture (2015) ‘Serving the high net wealth investor’.
Available at:
https://www.accenture.com/t20150703T033306__w__/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_17/Accenture-High-Net-Worth-Investors-Gen-D-Europe.pdf
Accessed: 21st September 2017.
ADS Group (2017) ‘UK security sector outlook 2017’.
Available at:
https://www.adsgroup.org.uk/wp-content/uploads/sites/21/2017/09/SecurityOutlook2017-WebRes.pdf
Accessed: 15th October 2017.
Ahmad, A. (2016) ‘Growth of the manned security market for 2016’.
Available at:
http://www.intersecmag.co.uk/wp-content/uploads/2016/02/Manned-security.Feb2016.pdf.
Accessed: 17th December 2016.
British Security Service (2017) ‘Threat levels’. Available at:
https://www.mi5.gov.uk/threat-levels
Accessed: 7th November 2017.
Centre for the Protection of National Infrastructure. (2016a) ‘Guide to producing Operational Requirements for security requirements’. Available at:
https://www.cpni.gov.uk/system/files/documents/d5/76/Guide-to-producing-operational-requirements-for-security-measures.pdf
Accessed: 19th September 2017.
Centre for the Protection of National Infrastructure, (2016b) ‘Professionalising security’. Available at:
https://www.cpni.gov.uk/professionalising-security
Accessed: 19th September 2017.
Centre for the Protection of National infrastructure (2016a) ‘Reducing Insider Risk’. Available at:
https://www.cpni.gov.uk/reducing-insider-risk
Accessd: 8th November 2017.
Centre for the Protection of National Infrastructure, (2017) ‘Business Continuity’. Available at:
https://www.cpni.gov.uk/business-continuity-planning
Accessed: 17th November 2017.
Centre for the Protection of National Infrastructure (2017a) ‘National Security Threats’. Available at: https://www.cpni.gov.uk/national-security-threats.
Accessed 7th November 2017.
Centre for the Protection of National Infrastructure, (2017) ‘Protecting my asset’. Available at:
https://www.cpni.gov.uk/protecting-my-asset
Accessed: 22nd November 2017.
Centre for the Protection of National Infrastructure, (2017) ‘Reducing Insider Risk’. Available at:
https://www.cpni.gov.uk/reducing-insider-risk
Accessed: 17th November 2017.
Centre for the Protection of National infrastructure (2017) ‘Terrorism’. Available at:
https://www.cpni.gov.uk/terrorism
Accessed: 8th November 2017.
Chishty, Erasmus and Oberstein. (2011) ‘Winning in wealth management’. Available at:
http://www.bain.com/publications/articles/winning-in-wealth-management.aspx
Accessed: 20th October 2017.
College of Policing (2017) ‘Covert policing. Undercover policing’. Available at:
https://www.app.college.police.uk/app-content/covert-policing/undercover-policing/.
Accessed 15th October 2017.
Figure. 1. ISO 22301: Societal security. Business continuity management.
Available at:
https://www.iso.org/obp/graphics/std//iso_std_iso_22301_ed-1_v2_en/fig_1-optimized.png
Accessed: 20th September 2017.
Figure. 2. ISO 31000 Risk Management.
Available at:
https://www.google.co.uk/search?tbm=isch&source=hp&biw=1280&bih=666&q=ISO+31000&oq=ISO+31000&gs_l=img.3..0l10.627.3847.0.4299.11.11.0.0.0.0.158.758.3j4.7.0….0…1.1.64.img..4.7.754.0…0.BREaNQ7hTlI#imgdii=5u7_7faRQSSvtM:&imgrc=mErBu9jZIFqgcM:.
Accessed: 20th September 2017.
Fraud Act (2006). Available at:
https://www.legislation.gov.uk/ukpga/2006/35/contents/enacted
Accessed: 26th October 2017.
Frontier Risks Group (2017) ‘consultants course’
Available at:
https://www.frontierrisks.com/copy-of-srmc-course
Accessed: 15th October 2017.
G4S (2017) ‘Specialist training’
Available at:
https://www.specialisttraining.g4s.com/training-courses/
Accessed: 15th October 2017.
Halliday, J. and Dodd, V. (2015) ‘UK anti-radicalisation PREVENT strategy a ‘toxic brand,” The Guardian, 9 March 2015. Available at:
http://www.theguardian.com/uk-news/2015/mar/09/anti-radicalisation-prevent-strategy-a-toxic-brand
Accessed 15th October 2017.
HM Government. (2016) ‘Recognising the threat’.
Available at: https://www.gov.uk/government/publications/recognising-the-terrorist-threat/recognising-the-terrorist-threat.
Accessed: 17th December 2016.
HM Revenue and Customs, (2014) ‘How we deal with wealthy individuals’. Available at:
https://www.gov.uk/government/publications/issue-briefing-dealing-with-the-tax-affairs-of-wealthy-individuals/how-we-deal-with-wealthy-individuals
Accessed: 4th October 2017.
Home Office. (2011). ‘The National Crime Agency: A plan for the creation of a national crime fighting capability’. Accessed from:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97826/nca-creation-plan.pdf.
Accessed: 10th September 2017.
Intelligence and Security Committee (2013) Intelligence and Security Committee Annual Report 2012 – 2013. Available at:
https://www.gov.uk/government/publications/intelligence-and-security-committee-annual-report-2012-2013
Accessed: 20th October 2017.
Kroll (2017) ‘Global Fraud & Risk Report Building Resilience in a Volatile World 2016/17’, Available at:
http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world
Accessed: 20th October 2017.
MI5 British Security Service. (2017) ‘Threat levels’. Available at:
https://www.mi5.gov.uk/threat-levels
Accessed 10th October 2017.
Moran, M. (2015) ‘Security market growth continues’. Available at: https://sm.asisonline.org/Pages/Security-Market-Growth-Continues.aspx. Accessed: 17th December 2016.
National Crime Agency, (2017) ‘National strategic assessment of serious and organised crime’ Available at:
http://www.nationalcrimeagency.gov.uk/publications/807-national-strategic-assessment-of-serious-and-organised-crime-2017/file.
Accessed: 17th September 2017.
Neely, M. (2016) ‘Financial industry struggles to better their physical security’. Available at:
https://www.securestate.com/blog/2016/06/16/financial-struggles-to-better-their-physical-security
Accessed: 19th October 2017.
Parfomak, P. W. (2004) ‘Guarding America: Security guards and US critical infrastructure protection’.
Available at: https://fas.org/sgp/crs/RL32670.pdf
Accessed: 21st November 2017.
PricewaterhouseCoopers LLP. (2014) ‘Threats to the Financial Services Sector’. Available at:
https://www.pwc.com/gx/en/financial-services/publications/assets/pwc-gecs-2014-threats-to-the-financial-services-sector.pdf
Accessed: 3rd October 2017.
Rosemont, H. (2014) ‘Private sector engagement in the UK’s counter-terrorism strategy: A new agenda’, Behavioral Sciences of Terrorism and Political Aggression, 6 (2), pp. 147–161.
Schwartz, M. J. (2014) ‘Financial Sector Terrorism Threat Grows’.
Available at: https://www.bankinfosecurity.com/warning-cyber-terror-risk-to-banks-growing-a-7586.
Accessed: 3rd October 2017.
Shaw, D. (2017) ‘UK terror threat level severe ‘for at least five years’’.
Available at: http://www.bbc.co.uk/news/uk-41157175
Accessed: 7th November 2017
The Security Industry Authority (2016) ‘Home Office – Security industry authority framework document’. Available at:
https://www.sia.homeoffice.gov.uk/Documents/ho-sia-framework.pdf.
Accessed: 15th October 2017.
The Security Institute (2016) ‘Insight’. Available at:
https://www.security-institute.org/news/enews_2016_docs/newsletter_april_2016
Accessed: 13th October 2017.
The Terrorism Act (2000). Available at:
(https://www.legislation.gov.uk/ukpga/2000/11/section/1.
Accessed: 19th November 2017.
The Theft Act (1968). Available at:
https://www.legislation.gov.uk/ukpga/1968/60/contents
Accessed: 26th October 2017.
Tyler, G. 2017 ‘Financial services: Contribution to the UK economy’ House of Commons, SN06193. Available from:
http://researchbriefings.parliament.uk/ResearchBriefing/Summary/SN06193. Accessed: 16th September 2017.
Wueest, C. (2017) ‘ISTR Financial threats review 2017’ Available at:
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-financial-threats-review-2017-en.pdf.
Accessed: 17th September 2017.
APPENDICES
Appendix 1
The present definition of terrorism used in UK legal systems is to be found in
section 1, Terrorism Act 2000, as amended:
1 Terrorism: interpretation
(1) In this Act “terrorism” means the use or threat of action where—
(a) the action falls within subsection (2),
(b) the use or threat is designed to influence the government or an
international governmental organisation or to intimidate the public
or a section of the public, and
(c) the use or threat is made for the purpose of advancing a political,
religious or ideological cause.
(2) Action falls within this subsection if it—
(a) involves serious violence against a person,
(b) involves serious damage to property,
(c) endangers a person’s life, other than that of the person committing
the action,
(d) creates a serious risk to the health or safety of the public or a section
of the public, or
(e) is designed seriously to interfere with or seriously to disrupt an
electronic system.
(3) The use or threat of action falling within subsection (2) which involves the
use of firearms or explosives is terrorism whether or not subsection (1)(b)
is satisfied.
(4) In this section—
(a) “action” includes action outside the United Kingdom,
(b) a reference to any person or to property is a reference to any person,
or to property, wherever situated,
(c) a reference to the public includes a reference to the public of a country
other than the United Kingdom, and
(d) “the government” means the government of the United Kingdom, of a
Part of the United Kingdom or of a country other than the United
Kingdom.
(5) In this Act a reference to action taken for the purposes of terrorism includes
a reference to action taken for the benefit of a proscribed organisation.
[N.B. The words in subsection (1)(b)
“or an international governmental
organisation”
were inserted by the Terrorism Act 2006, s 34(a), and came into force
on the 13th April 2006.]
Appendix 2
Table One: Data Requirements Table
Research objective1. To identify stakeholders views of security threats to the high net wealth, asset and wealth management segment of the U.K.
Research questionsInformation requiredData sourceCollection method
What are the existing security threats to the UK financial industry?Qualitative data on perceived threats.Primary data.
Senior Executives from the financial Industry and the National Security Infrastructure.Semi – structured Interviews.
Which threats are the most prevalent?Qualitative data.Primary data.
Senior Executives from the financial Industry and the National Security Infrastructure.
Secondary data.
Security threat reports.Semi – structured interviews.
Literature publically available.
Who is responsible for preparing for and mitigating against these threatsQualitative data.Primary data.
Senior Executives from the financial Industry and the National Security infrastructure.
Secondary data.
UK Government White papers.Semi – structured interviews.
Literature from businesses.
Research objective2. To evaluate the existing security risk management, physical security and business continuity management design processes within the high net wealth, asset and wealth management segment of the U.K. financial services.
Research questionsInformation requiredData sourceCollection method
What are the existing strategies and procedures adopted?Strategies, policy and procedures documentation.Primary data.
Strategic papers.Business documentation.
Observations.
Semi – structured interviews
How do strategies compare to industry best practice and government guidelines?Best practice models.
Primary data.
Business documentation.
Interviews with industry experts.
Secondary data.
Business documentation.
Semi-structured interviews with security professionals.
Research objective3. To evaluate the incorporation of the Resource Based View (Wernerfelt, 1984) into security risk management and business continuity management plannning, for the high net wealth, asset and wealth management segment of the U.K. financial services.
Research questionsInformation requiredData sourceCollection method
To evaluate the incorporation of the Resource Based View (Wernerfelt, 1984) into security risk management and business continuity management plannning, for the high net wealth, asset and wealth management segment of the U.K. financial services.
Subjective views of participants, related to the application of the RBVSecurity professionals working within the U.K. asset and wealth management businessesSemi- structured interviews.
Appendix 3
Observations
1. 26th October 2017
FTSE 100 bank. HNW private client office. City of London.
Security Advisor employed.
Followed ISO31000.
Identified assets owned by business that need protecting. Received training from City of London Police.
2. 3rd November 2017
Private asset and wealth management business. High Wycombe
Situated in private residence.
SRM followed by man responsible for security of staff. Failed to identify vulnerabilities of firm against threats.
No identification of the assets / resources possessed by business
3. 6th November 2017
Asset and wealth management regional office Chichester.
No security policy and no one responsible for security on site. Lack of Security Risk Management and physical security. Basic lock on front door, alarm system.
No real awareness of business continuity planning.
No identification of the assets / resources possessed by business.
Appendix 4.
Company Description:
SW. Director. Financial Asset and Wealth Management business. £ 20 Billion funds under management. Network of regional offices with one main hub in the West of England
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
I have been responsible for security assessments to the business, alongside my role, for three years.
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Insider risk – theft of information
Terrorism – attack impacting upon one of our offices and employees
Cyber crime
Tell me about security within the asset and wealth management sector?
To what extent is it adequate?
It has improved over recent years, in response to the terrorist threat. Our central offices have a greater security presence in the form of CCTV and manned guards, but many of our regional offices are still largely unprotected, without even a first aid trained individual on site. It is therefore inadequate.
The industry as a whole reflects this. There is a need for businesses to identify that there is a threat to them and their staff.
What are the challenges to the design and implementation of security solutions within the asset and wealth management
?
Cultural. There is a lack of belief that anything will happen to them. The segment does not perceive that a threat exists to it and therefore I reticent towards spending money on security.
Communication and education. Having completed security risk assessments and made recommendations, advice is still ignored because many stakeholders within the business and wider industry do not understand it.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO 31000. It is an appropriate system and is simple to use. However, the initial stages could be more detailed, to determine specific information about a business or location. At present it focuses on too many macro factors, which may not resonate with the business. This therefore impedes the ability to implement security processes.
Own business continuity planning system.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
I initially carried out a review of the resources possessed by the business. This is a very valuable tool that will assist in the planning phases of SRM and in addition improve the ability to communicate threats to stakeholders. The inclusion of tangible and intangible assets is something that my peer group understands.
The model could be improved through the inclusion of a ranking system, to determine which resources are more important. A means of quantitatively illustrating findings is always useful.
What could be done to improve the applicability of the RBV model?
The model could be improved through the inclusion of a ranking system, to determine which resources are more important. A means of quantitatively illustrating findings is always useful.
Do you have any additional suggestions?
No
Company Description:
CM. Security Advisor. Private Asset and Wealth Management.
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
6 years
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Cyber crime
Terrorist attack
Burglary
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
It is not adequate.
There is a lack of attention paid to physical security. Cyber security systems are not updated frequently enough to maintain security against the ever-evolving threat.
Regional offices do not think that there is a threat to them and so do not plan for such an event. They believe that the police and security services (public) will provide all of the security that they need.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
Getting the buy in from senior stakeholders to physical security programmes and the employment of someone to conduct security risk management reviews. If that was achieved, you would then need to effectively communicate with the workforce in order to ensure that procedures were followed.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO 31000 and 22301
They are both appropriate. ISO 31000 is used prior to employees’ trips away and before any large client events. It is an effective system for identifying threats and the post mitigation scores offer a good tool for gaining funding for security procedures.
ISO22301 was used to create a business continuity plan. It has not been updated.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
This was a very useful process, which effectively supports both ISO 31000 and 22301. It assisted in justifying that the employees of the business were in fact its greatest asset, as opposed to information stored on computers.
What could be done to improve the applicability of the RBV model?
NA
Do you have any additional suggestions?
No
Company Description:
DM. Civil Service. Security Advisor.
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
24 yrs. support to the financial services. Met Police and National Crime Agency.
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Cyber crime
Terrorism
Insider threat
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
I believe it is, particularly within the city of London it is adequate. Systems should be regularly reviewed and updated in order to remain appropriate to the threat. The standards differ outside of London; large cities have similar standards but regional offices often do not have any security systems installed. This requires a review, as the threat is not confined to the cities.
CCTV systems within the City of London provide detailed coverage and the relationship between the City of London police and private security providers is good, resulting in quick response times.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
Design – There is a risk of being too constrained by the processes outlined in security design systems, adopting different analysis methods may improve the ability to identify vulnerabilities and threats more effectively. This would improve the performance of a security system and reduce costs.
Implementation – It is mainly related to money. There is an ongoing debate as to who is responsible for paying for security; the state or the private business. The financial services may not want to spend money on something that they do not feel they need to. This therefore requires more focus, in order to determine effective ways of justifying the expenditures.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO 31000 Risk Management. CPNI Operational Requirements.
They are both appropriate and enable the design of effective security systems.
Neither considers costs, which is a determining factor in the design and implementation of security systems. This is a weakness.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
I have listed assets previously at the start of security reviews. However as a public service, we are primarily focused upon protecting the security and safety of people. It is beyond the scope of our roles to protect business assets or to suggest ways for a business to return to “business as usual”. This process would therefore not be an effective use of time.
What could be done to improve the applicability of the RBV model?
NA
Do you have any additional suggestions?
Security systems could be more effectively reviewed if assessments took place regularly and were assessed against common criteria. The SWOT analysis could be incorporated into reviews.
Company Description:
MS. Civil Service. Financial Investigator.
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
14 years
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Insider risk
Terrorism
Fraud
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
The segment has not responded to the changing U.K. threat levels effectively. I believe that this is largely due to ineffective threat identification. Although large financial institutes and banks may have CCTV, barriers and security guards in place, smaller regional offices do not have these luxuries and therefore are vulnerable to attack.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
Gaining the support of the decision makers within a business and ultimately with the person responsible for managing the funds required to install the security systems. This requires education and the ability to create a sense of urgency for the changes to take place, sooner rather than later.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO 31000 Risk Management.
It is an appropriate model to use but it is the strength of the person describing the findings to a client, which determines whether a business will pay for the recommendations.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
It is a useful tool, which adds more detail to the context phase of the ISO 31000 Risk Management process. It is however potentially time consuming and relies upon users having some understanding of a business and its processes. Security professionals may not always have this experience.
What could be done to improve the applicability of the RBV model?
To cater for security professionals that do not have a business background, some additional guidance could be included in order to support its use at the start of security assessments.
Do you have any additional suggestions?
No
Company Description:
LC. Civil Service. Intelligence Officer.
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
9 years
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Insider risk
Organised crime
Terrorism
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
It is not adequate.
There is very little security assessment or physical security in place within the asset and wealth management segment of the U.K. financial services. There is not protection offered to HNW clients, which offers a potential opportunity to terrorists or criminals considering harming such individuals.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
Money and the cultural change that would be required for the security improvements. The industry may not have the appetite to consider implementing such a change, for fear of it impacting upon their brand image or detracting away from their normal business.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO31000 (Risk Management) to assess the threats and then the Operational Requirements framework to support the security design process. Business continuity is the responsibility of the business and its private security providers.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
It is a useful tool. It rationalises the identification of an organisations resources. This can support the effective design of security solutions and will support efforts to make cost effective decisions.
What could be done to improve the applicability of the RBV model?
In order to improve its use for security professionals, it may be valuable to consider why particular assets are important to threat groups. This could add value to the justification case made to organisations that are responsible for funding the security responses.
Do you have any additional suggestions?
No
Company Description:
SC. Security Risk Manager. Private bank. £50 Billion under management
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
5 years
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Terrorism
Cyber crime
Theft
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
It is not adequate, Many businesses do not think that it is important and therefore do not justify the expenditure. Many firms do not implement any physical security.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
Convincing the board that security is needed, particularly if it involves an ongoing cost.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
Self designed risk management and business continuity management plans. They have performed well previously and are simple to use.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
It was a useful tool for highlighting the need to identify a businesses assets and the importance of each.
What could be done to improve the applicability of the RBV model?
NA
Do you have any additional suggestions?
No
Company Description:
BG. Corporate Security Director. Investment bank. £ 30 Billion under management.
How long have you provided security to the asset and wealth management segment of the U.K. financial services?
3 years
What do you perceive the three key security threats to the asset and wealth management segment of the U.K. financial services?
Insider Risk
Terrorism
Fraud
Tell me about physical security within the asset and wealth management segment of the U.K. financial services?
To what extent is it adequate?
It is adequate in my own organisation. It differs across the industry, largely influenced to the oragnisations view of security. Threats are identified, assessed and security solutions recommended. However, as with all security, the suggestions are not always adopted fully due to cost.
What are the challenges to the design and implementation of security solutions within the asset and wealth management segment of the U.K. financial services?
This is certainly related to cost and the lack of acceptance that threats to security exist. This is due to the historic nature of the sector and its discrete nature.
What security design and business continuity management methods do you adopt within the asset and wealth management segment of the U.K. financial services?
Please describe and evaluate these methods.
ISO 31000 Risk Management and ISO 22301 for business continuity. The recommendations are strictly adhered to and have proven effective to date.
Describe and evaluate your use of the Resource Based View (Wernerfelt, 1984) within your security design and implementation processes.
It is a valuable addition to both ISO systems. We perform an asset analysis as part of our planning stage but have not followed a model such as RBV. The identification of tangible and intangible assets is valuable. There were no weaknesses with the model but it does add time to the existing procedures.
What could be done to improve the applicability of the RBV model?
Once it has been done, there is no need to repeat it. This therefore removes the time cost that was previously described.
Do you have any additional suggestions?
No.
