Resilience

 

 

https://adminsm.asisonline.org/Pages/A-Failure-to-Plan.aspxA Failure to PlanGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-09-01T04:00:00ZIlya Umanskiy, PSP, and Sean A. Ahrens, CPP<p></p><p>A rare meteorological event occurred in 2017 when three Category 4 hurricanes were simultaneously ongoing in the Pacific Ocean. At the same time, wildfires swept across the western United States in California, Montana, and North and South Dakota.<br></p><p>Harvard climate expert James McCarthy indicated that "economic losses from extreme weather-related events are rapidly escalating," in an article for The Universal Ecological Fund.</p><p>Supporting McCarthy's finding, Swiss Re said in a report to its shareholders that "total economic losses from natural catastrophes and man-made disasters amounted to USD $175 billion in 2016, almost twice the USD $94 billion seen in 2015."</p><p>Global insured losses from disasters also totaled $54 billion in 2016, up from $38 billion in 2015, according to Swiss Re, a leading reinsurance company.</p><p>Yet many organizations continue to struggle with their emergency and crisis management plans. This article includes some case studies that provide insights into common challenges during an emergency and recommendations on how organizations can respond and recover, quicker.​</p><h4>Lessons Learned</h4><p>Recently, one of the authors was conducting a threat, vulnerability, and risk assessment for a large corporation on the East Coast of the United States. While at the corporation, the author met with the company's business continuity and emergency management director.</p><p>When asked about the company's emergency management program and response, the director produced a four-inch binder with a cover titled Emergency Operation Plan (EOP). </p><p>The director said the plan was developed by a consultant, who assisted in creating the National Incident Management System (NIMS) and the Incident Command System (ICS) framework, an operational protocol hierarchy that integrates public, private, and government resources to address domestic incidents across all phases of an emergency.</p><p>The EOP defined the scope of preparedness and incident management activities necessary for the organization. It described its organizational structure, roles and responsibilities, policies, and protocols for providing emergency support.</p><p>The plan was robust and capable of handling any type of emergency. The robustness of the plan, however, provided unfounded trust in the efficacy of response and presented some cognitive biases that were apparent when interviewing others beyond the director.</p><p>For instance, everyone interviewed knew of the EOP, but no one knew their role or how to activate the plan should an emergency occur. They relied on the director to provide that direction. </p><p>When the plan was tested, one of the authors introduced a wildcard element by removing the director from the response process. This drastically increased the response time of the organization and taught a lesson that the plan did not account for: staff redundancy. </p><p>The organization needed a more granular version of its response so employees and key members of the crisis management team would know how to activate it should the director be unable to do so.</p><p><strong>Communication. </strong>On August 23, 2011, in New York City shortly after 1:00 p.m. the high-rise building one of the authors was in began to sway. There was no communication about what was happening from building or security personnel.</p><p> A woman yelled out "it's happening again!" in a reference to 9/11, and people began to run to the stairwells to evacuate the building.</p><p>With the evacuation in full swing, an announcement was made: "A vibration has been felt in the building. Please stay at your location. More information will be provided."</p><p>Most people, however, had already begun to evacuate. They were determined to get out of the building and disregarded the message. The author on site remained in the building until another announcement was made over the public-address system that a 5.8 earthquake had occurred in Virginia and everyone should evacuate the building.</p><p>The author evacuated the building, stepped outside, and began to look for a mustering point. But the streets were flooded with people, making emergency vehicle access impossible and presenting a dangerous situation with the thousands of pounds of glass from the building above.</p><p>This incident demonstrates that if there is not clear communication during an event, people will act—and will encourage others to do so—possibly putting themselves in an even more dangerous position.</p><p><strong>Leadership. </strong>One of the authors had the opportunity to tour a critical infrastructure situational awareness room recently. The large facility was tiered like a movie theater, supporting floor-to-ceiling monitors that were concave to allow sightlines from within the room.</p><p>During a review of emergency operations, the author was assured that the response program was sophisticated and included redundancies in staffing technology. </p><p>"Has the building ever lost power?" the author asked, after which the room went dark. Emergency lights activated and everyone in the room began to look to others to take charge of the response.</p><p>Once time had elapsed, people gathered their thoughts, regained their composure, and transferred the critical systems to an off-site backup. The incident showcased the lesson that there will be a lapse in response time while people reference their crisis manual to find out who's in charge—creating overall recovery delays.</p><p><strong>Changes.</strong> For every emergency plan the authors have tested, one of the key lessons is that an emergency action and crisis plan is a continual work in progress. As threats change, the plan must continue to adapt.</p><p>One example of this lesson in action occurred at a California hospital five years ago. The hospital decided to conduct an active shooter drill with the help of its patients. However, it announced that it was conducting the drill by issuing a "code silver" over the public-address system.</p><p>The emergency department staff began to respond, but patients and visitors were confused because they did not understand what a code silver meant. To include participation in the drill, the hospital needed to more clearly communicate what was happening so patients and visitors could effectively respond.​</p><h4>Effective Response</h4><p>Based on the lessons learned from the authors' experiences of testing emergency response plans, they recommend organizations conduct fidelity testing of their incident management planning and training. This will help organizations apply the right level of scrutiny to their plans and actions.</p><p>Applying fidelity testing to incident response training and execution can incorporate simple, but effective, gap analyses of critical program and process design qualities. This testing will help stakeholders understand their level of preparedness and response orchestration.</p><p><strong>Validity. </strong>Check the validity of the original incident management plan. A review is the first step because the plan sets the framework for incident management and articulates all actions before, during, and after an incident—including training. </p><p>The plan should be based on a proven model, such as NIMS, and incorporate actionable, strategic, and tactical direction for each designated participant.</p><p>The organization should also look for gaps and assumptions made in the plan. For example, a specific role in the plan may be assigned to a functional leader but lack substantive direction for execution. Or, the designated leader may not have the right level of composure to execute his or her tasks under pressure.</p><p>If the plan needs to be updated to address these issues, the organization should make those changes before carrying out the full fidelity test. This is because the test will only work if the plan is comprehensive and actionable in terms of preparation, execution, and training requirements.</p><p><strong>Vigilance. </strong>Check the current level of responders' vigilant behavior. A qualitative method for determining an organization's level of preparedness is to observe how quickly designated responders can switch their mental processes and physical actions from a state of normalcy to a state of active response.</p><p>A simple way to test this is through a surprise, scenario-based activation of each responder who is then timed from initiation to completion of the test. These tests should be conducted at least quarterly, and organizations should determine whether the desired outcomes were achieved based on the presented scenario.</p><p>In turn, this will help each responder retain information about the test results and make improvements in smaller, more manageable increments.</p><p>After re-testing, organizations should report on implemented improvements and their scale as part of established metrics, such as overall achievement of desired outcomes, reduction of time for task and process completion, and retention of information.</p><p><strong>Training. </strong>Organizations should assess their current training by assessing the design, frequency, and knowledge retention of that training. It's important to determine whether existing training is actionable and produces desired outcomes from each participant with a minimum number of assumption gaps. </p><p>Good training programs will include a blend of interactive and practical content designed to be emotionally compelling for participants; interactive and practical exercises with the element of surprise; well-researched, relevant, and comprehensive training scenarios; and strict time parameters for completion of individual and team tasks.</p><p>Additionally, training programs should have metrics tied to gaps between demonstrated execution and desired outcomes, such as time to complete tasks and processes, as well as quality of task completion relative to desired outcomes.</p><p>Along with these characteristics, training programs should also include immediate post-exercise documented feedback with follow-up actions, and continuous improvement demonstrated through metrics.</p><p><strong>Simplify. </strong>Each responder should have defined parameters of their responsibility during incidents. A well-designed fidelity test will identify these parameters—dubbed sandboxing—to assess how each responder executes the plan in relation to them. </p><p>To assist with this process, it's useful to create flowcharts of each responder's assigned process. This will help determine three findings: whether assigned tasks of each responder are simple enough to execute and connect well with processes of other responders; the abilities of each responder in executing certain tasks; and what skill gaps responders can close on their own with help from others.</p><p><strong>Recognition. </strong>Skill gaps are like assumptions. When unknown or ignored, they often serve as the root cause of incident management failures. This is why it's important to identify skill gaps as part of a fidelity testing exercise.</p><p>This exercise will make it easier to uncover skill gaps. It is difficult for individual incident responders to objectively identify skill gaps on their own because of inherent psychological biases, such as confirmation bias, overconfidence, or timidity.</p><p>According to multiple psychological studies, humans learn better from the mistakes of others or when their mistakes are noted by friends and colleagues.</p><p>Identifying and mitigating skill gaps helps the entire incident management program and demonstrates the organization's commitment to improvement and resilience. When expressed statistically, the mitigation of skill gaps can help demonstrate the overall program's value.</p><p><strong>Technology.</strong> Another benefit of well-designed and executed fidelity testing is the identification and mitigation of gaps in technologies used for incident management.</p><p>One of the most trivial—but often overlooked—issues is secure and interoperable radio communication. There have been numerous incidents, including 9/11, during which radio communication failed because of physical and electronic interference or other factors. Because radios were not interoperable, no one knew what others were doing.</p><p>In addition to radios, various other technological tools can be analyzed to understand their individual and collective benefits and shortcomings. It is always a good idea to demonstrate gap reductions or eliminations, both qualitatively and quantitatively, because this is most directly relatable to senior leadership.</p><p>Re-test. It is a natural process to re-test incident management programs. The key is to build habits for continual improvement because the main objective is to achieve optimal orchestration of human and technological performance during training and real incidents with minimal assumptions and skill gaps.</p><p>Real orchestration occurs when these components are present: a validated, justifiable, and actionable plan; scenario-driven, relevant, and frequently administered training that's timed and entails emotionally compelling interactive and practical content; continual program improvement; and meaningful metrics related to desired outcomes.</p><p>Incident management is best achieved through orchestration of individual components and responders and technology. Today, many organizations continue to struggle with achieving orchestration because of unaddressed skill gaps and assumptions in their planning. But this can be addressed and prevented in the future through fidelity testing. </p><p>"If you fail to plan, you are planning to fail," said Benjamin Franklin, and emergency and crisis management plans are no exception. </p><p>A well maintained and trained emergency management plan can provide significant dividends in recovery. Given the natural—and man-made—challenges ahead of us, emergency planning should be a staple in every organization.   </p><h4>​Sidebar: Reasons for Failure<br></h4><p>​There are many reasons that emergency response plans fail. Below are some examples of problem statements that can contribute to failure.</p><p><strong>It won't happen to me.</strong> People often fail to recognize that a crisis can happen to them, and organizations are no different. People and organizations tend to be concerned with large ever-changing threats, while forgetting more closely related operational issues.             </p><p>L<strong>oose plans without governance, leadership, or skills. </strong>Many emergency plans are check marks for organizational certifications or accreditations. They are handed down by the board or C-suite without a complete understanding of organizational resources and the total economic impact of creating a well-orchestrated and functional plan. ​When a formal security organization does not exist, the edict and direction of the plan will fall to an existing employee or department, who may hire a consultant or conduct an online search to cut and paste a plan that is not relevant or applicable to the organization.</p><p><strong>Too much information.</strong> Emergency plans are not simple. And for large organizations, they can be lengthy and create information overload that increases the time it takes to respond to an incident.</p><p><strong>Lack of training.</strong> Live action drills can be costly and create productivity challenges. Organizations have taken to Web-based learning, which exacerbates the problem because employees rush to get through the training, often retaining little of what they have learned. However, the organization obtains a mark for conveying the information and considers itself prepared.</p><p><br></p><p><em>Ilya Umanskiy, PSP, RAMCAP, MA, is founder and principal at Sphere State, Inc. Sean A. Ahrens, MA CPP, CSC, FSyl, is security market group leader for AEI/Affiliated Engineers, Inc., and specializes in threat assessment, crisis management, and security systems design. He can be reached at sahrens@aeieng.com.</em></p>

Resilience

 

 

https://adminsm.asisonline.org/Pages/A-Failure-to-Plan.aspx2018-09-01T04:00:00ZA Failure to Plan
https://adminsm.asisonline.org/Pages/A-World-of-Risk.aspx2018-09-01T04:00:00ZA World of Risk
https://adminsm.asisonline.org/Pages/Book-Review-Adaptive-Business-Continuity.aspx2018-09-01T04:00:00ZBook Review: Adaptive Business Continuity
https://adminsm.asisonline.org/Pages/Survey-to-Explore-Use-of-Mobile-Forensics-Technology.aspx2018-08-24T04:00:00ZSurvey to Explore Use of Mobile Forensics Technology
https://adminsm.asisonline.org/Pages/Book-Review--Business-Continuity.aspx2018-08-01T04:00:00ZBook Review: Business Continuity
https://adminsm.asisonline.org/Pages/The-Future-CSO.aspx2018-07-01T04:00:00ZQ&A: The Future CSO
https://adminsm.asisonline.org/Pages/Book-Review---Rebuilding-Resilience.aspx2018-07-01T04:00:00ZBook Review: Rebuilding Resilience
https://adminsm.asisonline.org/Pages/A-Safety-Strategy-on-Campus.aspx2018-06-01T04:00:00ZA Safety Strategy on Campus
https://adminsm.asisonline.org/Pages/Space-Jam.aspx2018-05-01T04:00:00ZSpace Jam
https://adminsm.asisonline.org/Pages/Risk-Rising.aspx2018-05-01T04:00:00ZRisk Rising
https://adminsm.asisonline.org/Pages/Book-Review---Emergency-Planning-for-Nuclear-Power-Plants-.aspx2018-05-01T04:00:00ZBook Review: Emergency Planning for Nuclear Power Plants
https://adminsm.asisonline.org/Pages/Paving-the-Way.aspx2018-03-01T05:00:00ZPaving the Way
https://adminsm.asisonline.org/Pages/Book-Review---Mental-Health.aspx2018-02-01T05:00:00ZBook Review: Mental Health
https://adminsm.asisonline.org/Pages/Patients-Are-People-First.aspx2018-02-01T05:00:00ZPatients Are People First
https://adminsm.asisonline.org/Pages/Rethinking-the-Intelligence-Cycle-for-the-Private-Sector.aspx2018-01-26T05:00:00ZRethinking the Intelligence Cycle for the Private Sector
https://adminsm.asisonline.org/Pages/Disaster-Dominoes.aspx2018-01-01T05:00:00ZDisaster Dominoes
https://adminsm.asisonline.org/Pages/Book-Review-Disaster-Volunteers.aspx2017-12-01T05:00:00ZBook Review: Disaster Volunteers
https://adminsm.asisonline.org/Pages/Stress-Test.aspx2017-10-01T04:00:00ZStress Test
https://adminsm.asisonline.org/Pages/President-Bush-Shares-Leadership-Lessons-Learned.aspx2017-09-26T04:00:00ZPresident Bush Shares Leadership Lessons Learned
https://adminsm.asisonline.org/Pages/Security-Cares-Aids-the-Dallas-Community.aspx2017-09-25T04:00:00ZSecurity Cares Aids the Dallas Community

 You May Also Like...

 

 

https://adminsm.asisonline.org/Pages/A-Shift-in-Global-Risk.aspxESRM: A Shift in Global Risk<p>​The quest to better understand the sources of global risk, and the effect those sources of risk may have on security, is of continuing importance to many practitioners of enterprise security risk management (ESRM). </p><p>And now, global risk has entered into a new era, with people around the world facing more political instability, more economic challenges, and the prospect that more national policy decision making will be driven by emotion rather than reason, a new study finds. </p><p>The study, The Global Risks Report 2017, is the 12th edition of one of the flagship reports issued annually by the World Economic Forum. The report postulates that the new era of risk began last year, a watershed time for instability when increasing economic populism and political polarization came to a head in unexpected election results and the disquieting rise of former fringe nationalist parties. </p><p>“The year 2016 saw profound shifts in the way we view global risks. Societal polarization, income inequality, and the inward orientation of countries are spilling over into real-world politics,” reads the study, which was conducted with the help of academic advisors from the University of Oxford, the National University of Singapore, and the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania. </p><p>The report argues that five “gravity centers” will shape global risks moving forward, and it sketches out the challenges that will result from each of them.  First, continued slow economic growth, in tandem with high debt and demographic changes, will create an environment conducive to financial crises and growing inequality. Second, corruption and unequal distribution of the benefits of growth will convince a growing number of people that the current economic model is not working for them.</p><p>Third, the transition towards a more multipolar world order will put a greater strain on global cooperation. Fourth, the fourth industrial revolution—Internet-connected technologies—will continue to transform societies, their economies, and their ways of doing business. Fifth, more people will seek to reassert identities that have been blurred by globalization, so decision making and election choices will be increasingly influenced by emotions rather than reason.</p><p>There is no one silver bullet solution to these challenges. But the report argues that the problems “create the opportunity to address global risks and the trends that drive them.” In that spirit, the study sets out several actions that leaders should take to push forward in creating a more secure and stable world. </p><p>The report argues that political leaders need a deeper commitment to fostering inclusive development and equitable growth, on both a national and global scale, instead of allowing increasing economic inequality to further destabilize societies. And while the report praises innovation, it also argues for better management of technological change, so the growth of new uses for technology causes less disruption and leaves fewer behind. </p><p>Finally, at a time when multinational institutions like the European Union and NATO are under unprecedented attack, the report calls on leaders to redouble efforts to protect and strengthen systems of global collaboration. Destabilizing international events—which range from migration flows created by the Syrian war to major weather events that impact several countries to a potential global water crisis—all warrant more cooperation between countries.  </p><p>“It is ever clearer,” the report argues, “how important global cooperation is on the interconnections that shape the risk landscape.”</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/How-to-Build-a-Culture-of-Security.aspxHow to Build a Culture of Security<p>​<span style="line-height:1.5em;">“</span><span style="line-height:1.5em;">Security is everyone’s business” may be a popular truism in the industry, but how many security managers can honestly say this philosophy is practiced by their companies? Some organizations have regular incidents in which employees simply disregard security rules and regulations. Sometimes, even the leaders of a company will disobey security and safety rules out of a sense of entitlement—these rules are for employees, not executives.</span></p><p>These lapses can be costly. It is only when everyone associated with the company adheres to and executes security rules and practices on a daily basis that a firm can credibly claim that it maintains a true culture of security.    </p><p>To determine whether a company encourages an effective security culture, company leaders should start by determining whether it adheres to the appropriate best practices. The security department should develop and communicate security rules, practices, and procedures to employees, contractors, visitors, and vendors. Executives must lead by example and follow all security practices and procedures. Employees must take care of their security responsibilities at work, such as locking their work spaces and computers or asking to see a badge of a person in a secure work area instead of simply holding open an outer perimeter door for a stranger to be polite.   </p><p>If an organization follows most of these procedures, it maintains a robust culture of security. If not, the best practice advice and solutions stated below can be used by security leaders to strengthen security awareness in their companies and develop a culture of security. ​</p><h4>The Assessment</h4><p>A culture of security can only be built on a solid foundation. And that foundation is an effective security program. </p><p>However, if the security program is perceived as inconsistent or unprofessional, an initiative to build a culture of security around it will be doomed from the start. Thus, it is imperative to conduct an initial assessment of the security program to evaluate past security practices and present security operations. </p><p>The assessment must include, but should not be limited to, the following methodology:</p><ul><li><span style="line-height:1.5em;">Conduct interviews with security staff to determine past practices and to engage them in the assessment process.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate existing documents regarding past security missions.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate security staff job descriptions.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate security current procedures, processes, and guidelines. </span><br></li><li><span style="line-height:1.5em;">Review and evaluate the security budget to ensure that it is in line with the mission, and that funded programs are not obsolete.</span><br></li><li><span style="line-height:1.5em;">Spend time working directly with all security staff to obtain first-hand knowledge regarding daily duties. Get to know your people.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate any compliance tasks that have been assigned to security.</span><br></li><li><span style="line-height:1.5em;">Review, evaluate, and coordinate security requirements with heads of departments with security cross-functionality. Conduct collaborative meetings with other department heads and staff on their opinions of security.</span><br></li><li><span style="line-height:1.5em;">Obtain input from executive management on its vision of security.</span><br></li><li><span style="line-height:1.5em;">Define and document your company-specific security missions.</span><br></li><li><span style="line-height:1.5em;">Review the security requirements within these missions and analyze them for potential mission creep.<br></span><span style="line-height:1.5em;"> </span></li></ul><h4>The Blueprint</h4><p>Once past and present security operations have been assessed, organization leaders can plan for the future by improving and refining, based upon the factual analysis that has already been completed.</p><p>The first part of the blueprint process is to develop missions and objectives. This includes enlisting management for direction and involvement and establishing security goals and engaging security team members in ways to accomplish them. This part of the process also includes documenting security mission statements and assigning a leader to each one. These leaders must be capable and willing.</p><p>The second part of the blueprint pro­cess is to standardize operations and document these procedures in a manual of operations. This manual will serve as a central repository of security standard operating procedures and processes that cover core duties and responsibilities throughout the company. </p><p>Once the assessment is completed and the blueprint is in place, security managers must ensure that key attributes of the program are successfully maintained. These attributes include consistent pro­fessionalism, first-rate training and com­munications, a commitment to the program from upper management, and procedures designed to address violations.​</p><h4>Professionalism</h4><p>Professionalism is a crucial component of a strong security culture. The professional security staff and security officers should be a model for the organization’s general population. High standards of conduct should be set; staff and officers should be evaluated; and problems should be weeded out. Most important, security department leaders should live those high standards to set an example for others to follow. </p><p>Specific best practices can ensure that staff members and officers consistently project a strong level of professionalism to other company personnel. One of these is presence. Uniforms, if worn, should be consistent. Officers should engage all persons entering the facility with eye contact. Officers should not be texting or talking on their cell phones, or congregating in an area to smoke and joke.             </p><p>Security leaders must also be careful to prevent “mission creep,” or assigning nonsecurity duties to security personnel. This may distract security staffers from their core duties, to the detriment of the organization’s security culture.  </p><p>For example, one company used the security department to conduct security training as well as training in legal issues, compliance, and ethics. Security’s training duties also included tracking of annual requirements for all of the compliance-based training, for both employees and nonemployees. The two training avenues, employee and nonemployee, were not standardized between departments. Because of the lack of standardization, there were two completely different methods of administering, developing, and tracking training.   </p><p>In this case, the solution was to clearly define the security and human resources missions at the company. Once defined, human resources assumed control of the entire company training program and standardized the administration of training. Security was responsible only for content of any security-related training.​</p><h4>Training</h4><p>A strong security culture requires an effective training program for both existing and future security personnel. In addition, the process should ensure that security personnel are cross-trained in security position responsibilities and missions, to eliminate the potential for gaps in coverage should a critical team member be unavailable. </p><p>For example, if a company’s security missions are asset protection, compliance, and physical access control, the manual of operations would contain a section of step-by-step procedures and guidelines for each. This would allow the asset protection specialist to cover for the physical access control specialist for certain tasks, such as issuing badges, instead of waiting for the access control specialist to return. </p><p>In addition, companies should pay close attention to the processes and standards for granting and tracking access that are documented in the manual of operations. This can be an issue if companies have manual, cumbersome, or archaic methods for granting access. At many companies, this is an area that needs to be addressed. The granting of physical access should be automated to an electronic format.​</p><h4>Communication</h4><p>Communication is one of the critical keys to success in any security program, and it will be part of every component of the program. From the initial assessment of the program to the final phases of the implementation of blueprint plans, all affected parties should be kept informed and aware of the security program and how it will impact their operations at work.  </p><p>One company initiated a report that was sent twice a month via e-mail with the facts of any security incidents, so executives could track important issues. This communication also allowed security to remain within the scope of the executives while maintaining a successful program. As security expanded and implemented new initiatives, these were included in the bimonthly report. </p><p>For their part, the executives of the firm should be involved and engaged early on in the communications effort. Security should offer concise presentations, such as a PowerPoint presentation, that explain how the company benefits from the security program, be it through incident prevention or the preparedness to react and minimize negative impact to the company’s operations. Security goals, objectives, operations, procedures, and mission statements should be effectively communicated across the corporate footprint. Executives should understand the security role in their company and communicate their support for security programs to all company employees.  </p><p>Within the chain of command, the security leader must develop a system of communication to keep executives aware of the challenges faced by the security department and of the programs currently being used to protect the company’s physical assets. For example, at one company I worked at, security mandated monthly luncheon meetings with staff.</p><p>Company executives were also invited to these meetings, which they attended periodically. I documented each of these meetings in formal memoranda, including progress made on issues from the prior month, issues resolved, and problems currently being addressed. These memos were sent up the chain of command for executive review.  </p><p>Annual security awareness training is another effective communications tool. By delivering accurate, updated, and simple instructions regarding security rules, policies, and procedures, the company can effectively ensure that its workforce has been periodically exposed to security standards and the roles and responsibilities in daily operations. Security awareness posters that are updated quarterly can also help in communication efforts.   </p><p> Finally, do not underestimate the power of word of mouth. For any company, there is no stronger security tool than having a workforce that is security- minded and well informed of current security policies, procedures, and daily practices. ​</p><h4>Violations</h4><p>Even with a well-established culture of security, violations of an organization’s security policies will occur.   </p><p>There are slips and breaches even in the most secure environments—some caused by intentional acts; some unintentionally, through malaise or misfortune. And while the people who work for an organization are its greatest asset, they also can be its greatest vulnerability if they decide to inflict harm. They know how the organization operates, and they can circumvent the most sophisticated security systems.  </p><p>For private industry, the enforcement of security program policies requires a company to be fair, firm, and consistent. Take, for example, a company that has a clear security rule that all visitors must be escorted by the company representative who is responsible for the visitor while on premises. If a visitor is found roaming around by himself in a secure area, the employee who brought the visitor to the property should be disciplined.  </p><p>And the discipline should be consistent, whether the employee is the CEO or the janitor. The enforcement should be documented and tracked, to monitor patterns of behavior. If the violation is severe enough that it results in a loss of property or affects employee safety, the matter should be referred to the violator’s manager for evaluation and possible further action. </p><p>Consistent and fair enforcement of the rules across the entire organization will further solidify a culture of security. It will demonstrate that security matters to the organization, and that it plans to ensure that the rules are followed. To expand on an earlier example, if the CEO forgets his or her access badge and either goes home and gets it or signs for a temporary one, the standard is set at the highest level of the company.  </p><p>In the end, success in developing a culture of security at your company will mean the organization has established a robust, comprehensively assessed, and documented security program across the enterprise. Executive leaders are meaningfully engaged, and everyone is educated in the program’s components and follows them. </p><p>--<br></p><p><em><strong>Thomas Trier</strong> served for 25 years as a special agent of the FBI, where he attained the rank of assistant special agent in charge in the intelligence branch of the FBI’s Washington Field Office. Trier has also served as the leader of corporate security for a Midwestern electrical transmission-only utility company. He now provides advisory services through Security Intelligence Consulting L.L.C.</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/The-Dirty-Secret-of-Drug-Diversion.aspxThe Dirty Secret of Drug Diversion<p>​Controlled substances were going missing at Hennepin County Medical Center (HCMC), and the hospital’s security investigator, William Leon, was determined to get to the bottom of it. So, at 11 p.m. on a Friday, Leon settled in for a night of observation at the Level I trauma center in Minneapolis, Minnesota. He kept a trained eye on one registered nurse who was suspected of stealing hydromorphone, an opioid pain medication, for her personal use.</p><p>HCMC has cameras set up in the medication room to monitor controlled substances, and Leon watched as the nurse began gathering prescribed medication for a patient in the emergency department. The process, called wasting, requires the healthcare worker to take a fresh vial or syringe full of medication and then dispose of the excess, leaving only the correct dosage—all with a witness present. Leon observed the nurse dispense a syringe of hydromorphone from the medicine cabinet, and, while a fellow nurse was signing off on the withdrawal, she placed the syringe in her pocket and pulled out an identical syringe, which Leon later learned contained saline. The nurse held up the saline syringe and wasted the required amount, tricking her fellow nurse, and left the room.</p><p>At this point, Leon knew exactly what was going on, and watched with increasing alarm as the nurse headed to a patient’s room in the orthopedic area of the hospital. “In that area, I knew immediately, this patient could have a broken bone—they were in intense pain and requiring this medication,” Leon says. “I see a lot of doctors standing around and I’m thinking ‘uh oh, this patient is going to get saline.’”</p><p>Leon raced to the room and saw that the doctors had given the patient the saline the nurse had brought up. “The patient was still screaming in pain and the doctor was frantically asking the nurse, ‘Are you sure you got the right dosage? Are you sure it was hydromorphone?’ and she was insisting she had,” Leon says. He called the doctor and the nurse into the hall and explained that the patient had just gotten saline and still needed the proper pain medication because the nurse had diverted the hydromorphone in the medication room. The doctor went to properly treat the patient and Leon called the nurse manager and the local sheriff’s detective in to begin an official investigation into the nurse’s actions.</p><p>Drug diversion in the United States is a nebulous problem that is widespread but rarely discussed, experts say. Whether in manufacturing plants, retail pharmacies, hospitals, or long-term care facilities, healthcare workers are stealing drugs—typically for their own personal use—and putting themselves, patients, and coworkers at risk. </p><p>“I hate to tell you, but if you have controlled substances and dispense narcotics, you’ve got diversion going on,” says Cherie Mitchell, president of drug diversion software company HelioMetrics. “It’s just a question of whether you know it or not.”</p><p>The scope and frequency of drug diversion is almost impossible to grasp, due in large part to how diversion cases are addressed. A facility that identifies a diversion problem might bring in any combination of players, from private investigators and local law enforcement to state accreditation boards or the U.S. Drug Enforcement Agency (DEA). There is no overarching agency or organization that records every instance of drug diversion in the United States.</p><p>Controlled substance management is dictated by a number of laws, including the U.S. Controlled Substances Act of 1971, which classifies substances based on how they are used and the potential for abuse. It also dictates how the substances are dispensed, and a facility may be fined if it does not comply. </p><p>The closest estimates of drug diversion rates come from people or organizations who dig up the numbers themselves. The Associated Press used government-obtained data in its investigations on drug diversion at U.S. Department of Veterans Affairs (VA) medical centers. Reported incidents of diversion at about 1,200 VA facilities jumped from 272 in 2009 to 2,926 in 2015, the data revealed, and the VA inspector general has opened more than 100 criminal investigations since last October. John Burke, president of the International Health Facility Diversion Association, extrapolated data he obtained from facilities in Ohio to estimate the presence of 37,000 diverters in healthcare facilities across the country each year. </p><p>Mitchell points out that any statistic derived from officially collected data still wouldn’t accurately reflect the extent of drug diversion in the United States. “There’s a lot of people investigators really suspected were diverters but had to be chalked up to sloppy practice due to a lack of concrete evidence, so any statistic is talking about known diverters who are fired for diversion,” she tells <i>Security Management</i>. “Even if you did have a statistic, it would be off because how do you incorporate those so-called sloppy practicers, or diverters who thought they were about to get caught so they quit on you and left? No matter what number you come to, it’s probably bigger in reality.”​</p><h4>Addiction and Diversion</h4><p>Although more people are paying attention to drug diversion due to recent high-profile cases and the current opioid epidemic in the United States, experts say they have been dealing with the same problems their entire careers. </p><p>“I can personally tell you that I dealt with the same issues 15 or 20 years ago that the healthcare arena is facing today, specifically in the drug abuse and diversion by their own hospital healthcare employees,” says Charlie Cichon, executive director of the National Association of Drug Diversion Investigators (NADDI) and a member of the ASIS International Pharmaceutical Security Council. “There are different drugs today, of course, than there were 20 years ago.”</p><p>Susan Hayes has been a private detective for healthcare facilities for more than a decade and says the opioid epidemic has magnified the drug diversion problem in recent years. “The opioid addiction in America has lit my practice on fire,” she says.</p><p>It’s no secret that opioid addiction has reached epidemic levels in the United States. In 2010, hydrocodone prescriptions were filled 131.2 million times at retail pharmacies alone, making it the most commonly prescribed medication, according to the Mayo Clinic. However, those are just the numbers that were legally prescribed—about 75 percent of people who take opioids recreationally get them from a friend or family member. According to the U.S. Centers for Disease Control and Prevention (CDC), approximately 52 people in the United States die every day from overdosing on prescription painkillers.</p><p>Healthcare workers are not immune to the draw of opioids. In fact, up to 15 percent of healthcare workers are addicted to drugs or alcohol, compared to 8 percent of the general population, according to the Mayo Clinic. </p><p>“Healthcare providers are in very stressful jobs,” Hayes says. “They all have problems. Nurses have emotional attachments to patients that they see die. Even orderlies have very stressful physical jobs, they’re lifting patients. Pharmacists can make mistakes that mean life or death. You have people that are already in very stressful situations, and now you give them access to drugs…. I think the combination is almost deadly.”</p><p>While a bottle of 30mg oxycodone tablets can sell on the street for up to 12 times its price in the pharmacy, most drug diverters are addicts using the drugs themselves. Because of this, diversion shouldn’t be considered just a security concern but a patient safety concern, Cichon says. He references several high-profile diversion cases in which the diverters used the same syringe full of medicine on both themselves and their patients, spreading bacterial infections and hepatitis. In one especially egregious case, a traveling medical technician with hepatitis C would inject himself with his patients’ fentanyl and refill the same syringe with saline, ultimately spreading the virus to at least 30 people in two states.</p><p>Unfortunately, experts acknowledge that most diverters don’t get caught until they have been diverting for so long they start to get sloppy. “The people who are your real problem are the people who are hiding in the weeds, not doing enough to get caught, and those are the ones you want to find,” Mitchell says. “The people they are finding now are the people that have the needle in their arm or somebody has reported them. You want to try to find them before that.”​</p><h4>Out of the Loop</h4><p>Hayes details the path of drugs through a hospital: a pharmacy technician orders the medication from a wholesaler, who will deliver them to the hospital pharmacy. The drugs are sorted and stocked in the pharmacy, where they will remain until they are brought up to the patient floors and stored in various types of locking medicine cabinets. When a patient needs medication, a nurse goes to the medicine cabinet and dispenses the drug for the patient. </p><p>Another ASIS International Pharmaceutical Council member—Matthew Murphy, president of Pharma Compliance Group and former DEA special agent—describes this as the closed loop of distribution. “Once a drug is outside of the closed loop, when it gets dispensed from a pharmacy or administered by a doctor, it’s no longer in the purview of DEA rules and regulations,” he explains. Drugs are most likely to be diverted during those times when they are in transit or exchanging hands, outside of the closed loop.</p><p><strong>Wholesalers.</strong> When fulfilling a pharmacy’s request for medication, wholesalers have just as much of a responsibility to notice if something is amiss as the pharmacy does. Whether it’s a retail pharmacy or a hospital pharmacy, wholesalers are responsible for cutting them off if they start to request unusually high amounts of opioids. </p><p>In 2013, retail pharmacy chain Walgreens was charged $80 million—the largest fine in the history of the U.S. Controlled Substances Act—after committing record-keeping and dispensing violations that allowed millions of doses of controlled substances to enter the black market. Cardinal Health, Walgreens’ supplier, was charged $34 million for failing to report suspicious sales of painkillers. One pharmacy in Florida went from ordering 95,800 pills in 2009 to 2.2 million pills in 2011, according to the DEA. </p><p>Hayes says the fine against the wholesaler was a wake-up call, and now suppliers use algorithms to identify unusual spikes in orders of opiates. Wholesalers can even stop the flow of medication to pharmacies if they believe diversion is occurring—which can be disastrous to a trauma center, Hayes notes.</p><p><strong>Pharmacies.</strong> To restock the shelves, pharmacy technicians compile lists of what medications they are low on to send to the wholesalers at the end of each day. Hayes notes that many pharmacies do not conduct a retroactive analysis on what is being purchased—which is why wholesalers must pay attention to any unusual changes in orders. She stresses the importance of constantly mixing up the personnel who order and stock medications. </p><p>“If you’re both ordering and putting away drugs, that’s a bad thing because you can order six bottles when you only need five and keep one for yourself,” Hayes notes. </p><p>Similarly, it is important to rotate who delivers the drugs to the patient floors. “John the technician has been taking the drugs up to the floors for the last 20 years,” Hayes says. “Well gee, did you ever notice that John drives a Mercedes and has two boats and a house on Long Island? He makes $40,000 a year, did you ever do any investigation into why?”</p><p><strong>On the floor. </strong>Experts agree that the most egregious diversion occurs during the wasting and dispensing process in scenarios similar to the incident Leon witnessed at HCMC. Mitchell explains that all hospitals have different wasting procedures—some require nurses to waste the medication immediately, before they even leave the medication rooms, while others may have a 20-minute window. Other hospitals may prohibit nurses from carrying medication in their pockets to prevent theft or switching. ​</p><h4>Investigations</h4><p>Any company involved with controlled substances, whether manufacturing, distributing, or dispensing, must be registered with the DEA and must adhere to certain rules and regulations—which aren’t always easy to follow.</p><p>Murphy, who worked for the DEA for 25 years, now helps companies follow mandates he calls “vague and difficult to interpret.” For example, DEA requires anyone carrying controlled substances to report “the theft or significant loss of any controlled substance within one business day of discovery.”</p><p>“This hospital had 13 vials of morphine that ‘went missing’ and someone called me in to find out why,” Hayes says. “They asked me, ‘Are 13 vials substantial or not? Do I really need to fill out the form?’ I counsel them on what’s substantial because the language is very loose.”</p><p>Depending on the frequency or significance of these or similar forms, the DEA may open an investigation, Murphy explains. “DEA will look at these recordkeeping forms and determine if in fact everything has been filled out correctly, that they have been keeping good records,” he says. “If DEA determines that they are lax or have not been adhering to requirements, there could be anything from a fine to a letter of admonition requiring corrective actions.” In more serious cases, DEA could revoke the registration because the activity or behavior was so egregious that it was determined that the facility is not responsible enough, Murphy explains. If a facility loses its DEA registration, it cannot dispense controlled substances.</p><p>However, DEA does not get involved in every suspected case of diversion. “There are only so many DEA diversion investigators, so they have to prioritize what they get involved with,” Murphy says. “It has to be pretty egregious for them to get involved to seek a revocation or fine.”</p><p>That’s where people like Hayes come in. “They want me to come in instead of DEA or law enforcement,” she explains. “I’m a private citizen, I understand law enforcement procedures, and I can help them get at the root of the problem before they call in law enforcement.” </p><p>After an investigation into a diverter is opened, it is unclear what happens to the offender. Hayes says that she typically gathers evidence and gets a confession from diverters, at which point her client calls in law enforcement to arrest them. Leon, who was in charge of diversion in­vest­igations at HCMC for 20 years before becoming a consultant for HelioMetrics, was able to investigate but not interview suspected diverters. He tells <em>Security Management</em> that he would call in a sheriff’s detective to interview the suspect.</p><p>Although most diverters are fired when their actions are discovered, they are not always arrested—it’s often at the discretion of their employer. Depending on the diverter’s role, state accreditation boards—such as those that license nurses and pharmacists—would be notified and could potentially conduct their own investigations. </p><p>Cichon cautions that some hospitals hoping to avoid bad press and DEA scrutiny may look for loopholes. “We found out through the course of investigations that if someone resigns and was not sanctioned it may not be a reportable action,” he says. “If we allow this person to resign rather than take action against him, then we don’t have to report it.”</p><p>Murphy notes that DEA typically has no role in individual cases of diversion. “If the diverter has a license from one of those state agencies, usually it’s required that they be reported, and then it’s up to the board how they proceed with the personal license of the individual,” he says. The DEA doesn’t regulate the personnel—that’s up to the state and the facility. </p><p>Cichon notes that the lack of standards when addressing diversion makes it more likely that offenders could slip through the cracks and move on to continue diverting drugs at another facility. “Unfortunately, there are different laws and statutes in every state that set up some sort of reporting requirements,” he says. “There are medical boards, nursing boards, pharmacy boards, and not every worker even falls under some sort of licensing board for that state.” ​</p><h4>Staying Ahead</h4><p>Due to the stigma of discovering diverters on staff, many hospitals just aren’t preparing themselves to address the problem proactively, Cichon explains.</p><p>“This is something that is probably happening but we’re not finding it,” he says. “The statistics I’ve seen at hospitals that are being proactive and looking at this are finding at least one person a month who is diverting drugs in their facility. If a 300-bed hospital is finding one person a month, and Hospital B has the same amount of staff and beds and is finding nothing…”</p><p>NADDI has been providing training for hospitals to develop antidiversion policies. Cichon notes that many hospitals throughout the country have no plan in place to actively look for diverters. “As big as the issue is, many of them are still just not being that proactive in looking at the possibility that this is happening in their facility.”</p><p>Cichon encourages a team approach to diversion that acknowledges diversion as a real threat. “Not just security personnel should be involved with the diversion aspect,” he says. “Human resources, pharmacy personnel, security, everyone is being brought into this investigation, because the bigger picture is patient safety. The diverting healthcare worker typically isn’t one who’s going to be selling or diverting his or her drugs on the street, but they are abusing the drugs while they are working.”</p><p>Leon worked hard on diversion prevention at HCMC after discovering a surprising pattern: almost all of the diverters he investigated wanted to be caught. “What got me on this path of prevention was observing the nurses as they would admit to what they did,” he explains. “More often than not the nurses would say, ‘I wanted somebody to stop me. I needed help, didn’t know how to ask for it, and I was hoping somebody would stop me.’ That’s pretty powerful when you’re sitting there listening to this on a consistent basis.”</p><p>Leon implemented mandatory annual training for everyone in the hospital—from food service workers to surgeons—to recognize the warning signs of drug diversion. “If a nurse or anesthesiologist or physician is speaking with you and telling you they are having these issues, then you should say something,” Leon explains. “It’s not doing the wrong thing—you’re helping them, and that’s the message we sent out. Look, these individuals are not bad individuals. Something happened in their lives that led them down this path.”</p><p>Leon also had cameras installed throughout the hospital that allowed him to observe diversion but also kept his investigations accurate. “We had a nurse who was highly suspected of diverting,” he says. “With the cameras I was able to show that she wasn’t diverting, just being sloppy. The employees appreciated the cameras because it showed they weren’t diverting medication, they just made a mistake.”</p><p>Over time, HCMC personnel became more comfortable coming forward with concerns about their coworkers. Before the facility started the annual training, Leon caught at least one diverter a month. Before he retired, he says, that number had dropped to one or two a year.</p><p>“The success of our program at HCMC was the fact that we paid more attention to educating rather than investigating,” Leon says. “You have to keep those investigative skills up, but you have to spend equal amount of time on prevention and awareness.”</p><p>Mitchell points to algorithmic software that can identify a potential diverter long before their peers could. Taking data such as medicine cabinet access, shift hours, time to waste, and departmental access allows software to identify anomalies, such as a nurse whose time to waste is often high, or a doctor who accesses patients’ files after they have been discharged. </p><p>“Most people are using the logs from the medicine cabinets trying to do statistical analysis,” Mitchell explains. “You find out 60 days or six months later, or you don’t see that pattern emerge by just using one or two data sets. That doesn’t help. The goal is to identify these people as quickly as possible so they are no longer a risk to themselves or the patients or anyone they work with.”</p><p>Murphy encourages facilities to be in full DEA compliance to mitigate diversion. “If somebody wants to steal or becomes addicted, they are going to find a way to do it, and sooner or later they are going to get caught, but then there’s a problem because the hospital has to work backwards to determine how much was stolen and reconcile all that,” he says. He also notes the importance of following up internally on each diversion case and figuring out what went wrong, and adjusting procedures to address any lapses. </p><p>“Every entity that has a DEA program should have diversion protocols in place because if they don’t they are playing Russian roulette with theft and loss and their DEA registration,” Murphy says.  ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465