It has often been said that it would make a genuine difference to security provision in UK plc if professional risk and security managers had a seat on the Board. Should they be included? If so, what’s the justification? Would such a move have a profound effect? David Gill goes in search of the answers.
The notion of appointing a security or risk management-focused professional to the Executive Board of a major company has been raised increasingly in many ‘security quarters’ over recent years and mainly, it has to be said, by those of us engaged in the world of corporate security itself.
The idea of appointing a qualified security professional to the main Board of some of our leading public and indeed private sector companies will become a renewed debate, particularly in light of recent events such as the atrocities in Paris and the increasingly huge concerns associated with cyber crime.
That said, is the FTSE arena convinced and/or willing to provide a new seat on the Executive Board for the security director? As yet, the answer is seemingly: ‘No’. There doesn’t appear to be any immediate appetite for such an addition to the Boardroom environment, which is actually no surprise to me at all.
Historically, the main Executive Boards of listed companies have comprised a chairman, CEO and chief operating officer supplemented with directors from core business functions such as finance, sales, corporate governance and compliance, the latter being the responsibility of the company secretary who generally reports directly to the chairman.
It’s pretty difficult to find any major listed UK company that doesn’t provide a seat for these ‘business-critical’ roles.
The composition of FTSE company Boards can – and, indeed, does – vary depending on the sector in which the business resides. For example, major oil and gas sector plcs will almost certainly have executive directors who are engineers, geo-physicists or geologists sitting alongside the sales and finance directors. The pharmaceutical giants will also have qualified, sector-specific Board members (namely chemists and doctors). Typically, the responsibility for security tends to be directed towards a Human Resources director or another less prominent core business directorship.
Proposing the business case
Security – notably of assets (with people being the most valuable) – has rocketed in terms of its importance in recent years, and now features high up on the agenda of many Executive Boards. However, to attempt to introduce the notion of creating ‘a new Boardroom seat’ occupied by the director of security is, I would respectfully suggest, very unlikely to receive Board approval at present.
Of course, few will question that security and risk management are extremely important factors for any FTSE business, but I remain sceptical that a strong enough business case can be made for a permanent seat for the director of security on an Executive Board of a FTSE 250 company, save for perhaps a listed security organisation such as G4S.
Having undertaken consultancy projects including major investigations for some leading international corporations, among them FTSE companies, the problem as I see it is that security is yet to be perceived as a ‘business-critical’ discipline and function, except perhaps among some High Street retailers. Important, most certainly, but not critical.
Financial management and cash flow are without question critical to the survival of a business. Indeed, cash flow is widely regarded as the lifeblood of a company. After all, without sales and effective financial controls in place no listed company would survive.
Through the eyes of many security practitioners, it could be argued that without effective security controls there’s a strong likelihood a business would also not survive, but in a hot air balloon debate who would be cast out first? Ultimately, the answer to that question revolves around risk appetite, business imperatives and priorities.
Degree of vulnerability
In the dealings I’ve had with business leaders, their primary focus is on the bottom line. Cash flow and sales are daily imperatives. It has to be acknowledged that, in essence, many businesses are successful in terms of returns and satisfying shareholder demands despite having only rudimentary levels of security and brand protection measures in place. Such companies are, of course, more vulnerable than a comparable business which invests in more stringent security levels, but security is a cost and not always easy to demonstrate in terms of business enablement and return on investment.
Many regular readers of Risk UK will have seen numerous studies and research reports in which security is often described as a ‘grudge purchase’, with many companies adopting a very reactive mindset towards incidents which affect the norm. How, then, might this mindset be altered, and particularly so among the heady echelons occupied by FTSE Board members?
In essence, it’s about educating the Board, in particular the chairman and CEO, and making a clear business case, but importantly from the perspective of an experienced and qualified security professional able to communicate in business language at the C-Suite level.
To conform to rules imposed on FTSE companies, non-executive directors must be remunerated and work to a specific brief and time frame. Unlike their full-time executive contemporaries, the non-executive director will typically work for only a limited number of days each month with a specific brief.
There’s a convincing case to appoint, for example, a Chartered Security Professional to a FTSE 250 Board in the role of non-executive director. Such an appointment would provide the Executive Board with qualified guidance in terms of security and risk strategies in order to deal with the rapidly shifting landscape particularly around technology, cyber crime and, of course, terrorism in all of its pernicious and ever-changing forms.
Corporate Governance Code
The UK’s Corporate Governance Code states that: “The Board and its committees should consist of directors with the appropriate balance of skills, experience, independence and knowledge of the company to enable it to discharge its duties and responsibilities effectively.” That Code also states: “The provisions supporting this say that the Board should have a ‘strong presence’ of both executive and non-executive directors so that no individual or small group can dominate its decision-taking. At least half the Board, not counting the chairman, should be independent non-executive directors.”
According to the Code, companies within the FTSE 350 should have equal numbers of executive and non-executive directors. Companies outside the FTSE 350 are urged to have at least two independent non-executive directors in situ if they’re to comply with the Code’s outlined requirements for committees.
The appointment of a non-executive director with a security brief is the next step towards gaining greater traction and integrating security with main Board-level strategic thinking. A pragmatic next step, if you will, which would introduce a new dynamic at the top table.
Perhaps through the organisations which make up the Security Commonwealth and others such as high-level executive recruiters, the sector ought to promote the fact that we have some hugely talented managers and highly qualified Chartered Security Professionals suited for the FTSE Boardroom.
That last point raises questions around what our sector has been – and is – doing to engage with big business, investment fund managers, institutional investors and even Government: those whom the Executive Board must listen to at length. If we want to make a difference, we need to educate right across UK plc and promote our worth such that FTSE companies will consider the merits of appointing their next non-executive director as someone who has a wealth of security and risk management expertise and, importantly, a brief to match.
The next step must be via the City. We need to engage with fund managers, institutions with powerful lobbying influence and the executive head hunters. As a sector, we must focus less on promoting the benefits of top level security provision to those within our own ranks and reach out beyond our comfort zone, not only to the City, but also other professional sectors which play a part in essential functions such as finance and corporate governance.
Ultimately, the aim must be to see more experienced and qualified security professionals as non-executive directors on the Boards of some of Britain’s leading FTSE companies. That outcome would be positive for business and security provision in UK plc.
David Gill MSc CSyP FSyI is Managing Director of Linx International Group and Registrar of the Register of Chartered Security Professionals