Too much, already…
A small but very prestigious law firm in Los Angeles received several threats against its employees. The partners agreed to retain a protective-services specialist to protect their staff, their workplace, and their homes, without fully understanding the implications. The specialist began by setting up certain protocols for the office and its staff and professionals to follow. The procedures were, in fact, not entirely unreasonable (we aren’t really discussing the appropriateness of the suggestions here), and, had they been discussed with, understood by, and agreed to by the staff, probably would have, in a modified-to-produce-agreement form, worked well. As it turned out, things went well for the first few hours, at which point everything fell apart because the program successfully and simultaneously alienated the attorneys, the staff, and the clients.
For a client to come to the firm they needed both an appointment and a picture ID to enter the lobby of the building, and needed to be escorted to the elevator, and have all of the buttons pushed for them so they could not wander around the law offices. This may seem reasonable, since, as it happens, access control is the primary tool for building security. However, having picture ID has no more security value in getting to see an attorney than it does in getting onto an airplane (which is to say none).
Some celebrity clients did not want to show their driver’s license for fear their real date of birth might end up in a tabloid somewhere. Some demanded to see their attorney whether or not they had an appointment. Attorneys, not wishing to lose their paying clients, came down to the lobby to pick up their irate clients, apologized for the problems, and stated that “of course this doesn’t apply to you – you have been with us for years.” Since the attorneys knew their clients, this was a far more sensible way to deal with clients than was the implemented program.
The attorneys themselves had a fit that afternoon when they saw that all of the assigned parking spaces with names on the spaces were painted over, and they were told to find a random spot and to back in. The attorneys objected to the removal of a prestigious-and-always-available parking spot, and the parking management firm, which of course had not been consulted, objected to the backing-in of the cars, since that was against their policy. As it happens, named parking spots represent a real risk if there is an actual threat, as they positively identify the target (much like being met at the airport by someone holding a sign with your name), but unless you understand the threat, the vulnerability, and therefore the risk, what you as the user see is a valued perk and bit of prestige being withdrawn.
By the end of day one, the primary life that was at risk was that of the well-intentioned consultant.
So what do you do if you are in peril? Or think you may be in peril? Or think it sounds sexier to your clients if you are in peril…?
1.) Retain a professional that understands the nature of both their and your business, and the fact that all risk management, no matter how small, affects your freedom to work and act at will.
2.) Review all of the proposed policies and make sure they address a specific set of threats and vulnerabilities (i.e., they make sense based on the risk), and send these policies to your employees for their comment. If they understand the risk, your employees will probably be able to judge what will work, as well as what is overkill and what is actually appropriate.
3.) Send appropriate notices to clients and vendors who may visit the facility to alert them in advance of the changes of which they need to be made aware. Remember: You are giving people the information they need to know, not producing a full disclosure document.
4.) Review all policies and procedures daily for the first week, weekly for the first month, and monthly for the first six months. Subsequent reviews should be undertaken on a three-month basis, or any time major changes take place at the facility (such as construction, layoffs, new projects, end of projects, etc.). If your countermeasures are appropriate for your risks, you will have minimum disruption and inconvenience.