CSO/Leadership

 

 

Performance Conversations: Checking In & Coaching Up
https://adminsm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspx
Mark Tarallo (https://adminsm.asisonline.org/pages/mark-tarallo.aspx), 2018-07-01
<p>The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The dreaded annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.   </p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security managers may conduct effective and engaging performance conversations.</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process. </p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt. </p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past." </p><p>Meanwhile, smaller organizations have taken their cue from these corporations. 
"People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. </p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. 
Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains. </p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.  </p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect." </p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation. </p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-than-deserved ranking. </p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains. </p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But it is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees. 
These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  </p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. 
"The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. 
If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. ​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. 
</p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. </p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. 
This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.  </p>

 You May Also Like...

 

 

Five Insights on ESRM
https://adminsm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
<p>There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise. </p><h4>ESRM Is a Philosophy</h4><p>ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.</p><p>This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be. </p><p>The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.</p><h4>ESRM Is a Process </h4><p>ESRM is not merely an academic philosophy. 
A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:</p><p>1. Identify and prioritize the assets of an organization that need to be protected.</p><p>2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.</p><p>3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.</p><p>4. Conduct incident monitoring, incident response, and post–incident review, and apply the lessons learned to advance the program. ​</p><h4>ESRM Aligns with the Business</h4><p>Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment. </p><p>There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process. </p><h4>ESRM Covers All Security </h4><p>There is no aspect of security that cannot be managed in alignment with the ESRM philosophy.  Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. 
And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.</p><p>The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision making process for all risk mitigation.</p><h4>ESRM Is Possible</h4><p>Implementing ESRM cannot be done overnight.  It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.  </p><p>When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.  </p><p><strong><em>Rachelle Loyear</em></strong><em> is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. </em><strong><em>Brian J. Allen, Esq., CPP,</em></strong><em> is a member of the ASIS ESRM Commission. 
Allen and Loyear are coauthors of </em>The Manager's Guide to Enterprise Security Risk Management <em>and the forthcoming book </em>Enterprise Security Risk Management: Concepts and Applications.</p>
What's New in Access Control?
https://adminsm.asisonline.org/Pages/What's-New-in-Access-Control.aspx
<p>Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems. </p><p><strong>Virtual credentials and mobile access technology</strong></p><p>The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice it to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones. </p><p>The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID. </p><p>The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead it can be taken in phases leading to an interim hybrid approach that includes physical and virtual credentials. </p><p><strong>Facial recognition</strong></p><p>Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience. 
</p><p>Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently. </p><p>Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down. </p><p><strong>Access control in the cloud</strong></p><p>The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity. </p><p>Rather than dealing with the maintenance of a physical server, the speed and convenience of the cloud can handle everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.</p><p><strong>What's next?</strong></p><p>Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience. </p><p><em>John L. Moss is CEO of S2 Security.</em></p>