Most organizations would not go into business without insurance coverage, yet surprisingly few have systematic and integrated programs to address the issue of business continuity, or have qualified in-house expertise to support risk management and operational delivery. The globalization of commercial risk has led to a greater appreciation of the need for corporate planning to identify and manage a wide spectrum of threats to business success through the use of risk consultancy and security management.

Although no organization can prevent all crises from occurring, everyone can lower the odds of their occurrence while also mitigating the negative effects a particular crisis might have on brand confidence, business and operational productivity, market reputation, employee morale, and corporate liability. The importance of risk consultants and business managers in the field of business continuity—as a means by which to identify, address, and manage crisis events—has grown during recent decades, primarily because both government agencies and commercial businesses have suffered significant losses through inadequate risk analysis and the ineffective management of crisis events. Business continuity (and those security professionals who assist companies in the design and implementation of associated policies and plans) forms the foundation of how any organization prepares for situations that might cause business interruption, thereby jeopardizing the core mission and long-term health and sustainability of a group or enterprise.

Risk consultants and security managers manage the relatively unaddressed and widespread needs of convergence within an organization; they bring together often disparate groups and resources to achieve a unified and holistic risk solution. Given the current global climate, every business, regardless of its nature and geographic footprint, should hire qualified and experienced security professionals to establish comprehensive risk management policies and plans. Such plans allow companies to identify, avoid, manage, and recover from a crisis, sustaining business continuity under the most challenging circumstances.

Companies should also understand that risk consultants and security managers provide more than just security-related services. They can be leveraged as business enablers, allowing businesses to make better-informed decisions before committing finite company resources to a venture, allowing corporate leadership to map risks against potential commercial gains. Security professionals can positively affect all layers of an organization’s management, from supporting business managers in developing more competitive business solutions, to enabling project managers to design more efficient and productive project plans prior to investment or risk exposure.

As security professionals play increasingly important and elevated roles within companies and their corporate boardrooms, advising chief executive officers (CEOs) and executive leadership on their company’s risk exposure while concurrently coordinating multidisciplinary solutions, the importance of making risk management an integral element of a broader corporate strategy increases. Companies now better understand that they can choose to avoid, transfer, share, mitigate, or accept risk and that risk and security managers are evolving to bridge the gap between corporate leadership, strategic business units, program managers, and other company divisions.

While many of the benefits derived from risk consultants and security managers overlap, companies should understand that security consultancy and management services are entirely different in nature and scope. Each comes with unique and particular requirements and professional skill sets, both within a contracted security company, as well as among the managers or consultants the company may field. Companies should also understand the nuances of expertise connected to both categories; the selection of qualified management personnel should reflect the specific functions the company expects from them. By understanding the differences associated with each area, as well as how they might be merged to provide a combined service, companies will achieve more productive risk mitigation and security management, and therefore better business and operational results.

Often companies with limited in-house risk consultancy and security management resources seek external support on a case-by-case basis. The provision of successful security services as a whole often depends on a security provider’s ability to determine what the company wants as well as what it actually needs; many times companies require professional assistance with determining their security requirements. Both parties should have a clear understanding of consulting and management service expectations, capturing these needs under a contract that sets the parameters of services, both expected and funded. Although this may seem to be obvious, often companies are unsure of the scope of what is required and will seek more support than is either envisaged or funded during the life of a contract—effectively resulting in scope creep. This can present both positive and negative challenges for the security provider, as the company (or clients) becomes reliant on the provider and offers opportunities to further develop the relationship and explore new market opportunities. Conversely it also presents a challenge to contracted vendors, as the company’s management may make requests or create requirements for support outside of the contractual and funded agreement. Careful balancing of both factors is necessary to ensure success by both parties and also prevent the company from placing unrealistic expectations on their provider for work that does not result in revenue generation or, worse, results in financial or capability losses.

Fundamentally, consultancy and management are distinctly different services, although both may be required in unison under one contract. Risk or security consultancy is basically the provision of specialist security advice and guidance, whether it is providing security surveys, audits, policies, business recommendations, or procedures, often with an eye for concurrent business development opportunities. Risk or security management is effectively the managerial and administrative control and coordination of personnel and assets, providing advice and guidance in terms of how best to manage project operations, with a smaller degree of attention to business opportunity, as shown in Exhibit 1.1. These two services can be provided concurrently as a unified service, where the specialist supplies advice to establish the need and approach, then services or directs the resulting tasks.

The distinction between the two services, consultant¹ and manager, is, however, often unclear to a company, which may envision a combination of the two functions supporting their task when actually contracting for only one service. Both the company and the service provider must clarify and articulate the difference. Likewise, where a combination of both elements is required, and as the project grows in needs, both company management and the security provider should seek modifications to a contract to support the provision of unforeseen services. This is important to both parties, in terms both of staying within the parameters of the contract and in avoiding problems associated with providing services that could come with legal or reputational issues, or result in the provider breaching the contract’s service deliverable terms by focusing on the wrong task areas.

It is also easy for local vendor management to slip into a habit of providing more and more assistance, to the point where they are supplying a considerable amount of additional unpaid effort. This is more so the case for security managers, where they are asked to contribute to policies, plans, and strategies rather than focusing on running the security resources. For vendors and companies alike, this can be considered good business practice up until a point, but in some cases it can negatively affect both the company and the provider if a sensible balance is not struck. While clear distinctions and agreements should be made with regard to the funded services being contracted for, it is worthwhile to remember that it is often useful to provide additional services in the short term (until a contract modification can be made) in order to retain a healthy intercompany relationship. The service provider should seek to achieve the balance of helpfulness and pragmatism, without being taken advantage of or alienating the company’s management, and the company should seek to compensate the service provider to acknowledge the additional and often unfunded efforts undertaken.

The distinct differences between consultancy services and program security management are discussed in greater detail in the chapters that follow. This chapter is designed to set the scene regarding how security services, both consulting and management, operate between company and service provider or vendor organizations.