When evaluating threat information, especially information received from subscription security intelligence services which are produced for a broad audience, it is essential to view them in the context of your company’s operations. Many, if not most providers, use a color and/or numerical rating to designate the risk level of a particular city or country. Different firms use different methods to determine their risk ratings. Regardless of the method used it is important to realize that while these risk ratings have their uses, especially as a starting point when evaluating risk, they can be very misleading depending on the nature of your organization’s operations. There are simply too many variables to use this as a cut and dried definitive resource. Not only do different neighborhoods and areas of a city or country frequently present greatly different levels of risk, so do different types of activities. An executive flying into the capital city of a developing country for a meeting, being picked-up at the airport by a company representative and staying at a five star hotel for two days for a meeting typically faces a very different risk level than an engineer traveling to the interior of the country for two weeks to review a new hydroelectric dam project.
The same is true of the travel advisories posted by the US Department of State, UK Foreign & Commonwealth Office, Australian Department of Foreign Affairs and Trade, etc. It is useful to be aware of these as part of the framework of your risk assessment but these are directed at far too general an audience to be useful in and of themselves in the decision-making process. It is also worth mentioning that these do warrant attention because the company’s employees have access to them and may have questions and concerns that need to be addressed by the company’s security department. As an example, the US State Department has a Travel Warning posted for the Philippines. The warning correctly states that terrorist groups such as Abu Sayyaf and Jemmah Islamiya are active in planning and carrying out attacks and warns against all but essential travel throughout the country. Under most circumstances a business traveler could visit much of the Philippines– particularly popular destinations like Manila or CebuCity- and providing that they use care in selecting hotels and transportation options and practice basic personal security measures do it relatively safely. What is not mentioned in the Travel Warning is the high level of crime in many areas and the innumerable scams that exist to separate the traveler from his or her money, although these are mentioned in the State Department’s Consular Information Sheet for the Philippines. Given the wide audience that these government bulletins address there is sometimes an “err on the side of caution” approach that may not realistically match your organization’s operations.
Regardless of the source, all security intelligence should be viewed through the prism of how it relates to your organization, its operations and its employees. To be effective, security measures should be tied to the threat situation in the locations where you have operations and travelers. It is very likely there will be some generic aspects that may apply across the board such as basic access control measures or policies relating to displaying ID on company premises, etc. Whether or not to utilize close protection teams or simply trusted transportation, as an example, should be based on the threat information received from security intelligence resources and perhaps in some cases augmented or validated by an on-the-ground assessment. Building effective and applicable security measures for facilities and for employee protection, developing policies governing employee travel and planning contingencies for likely events all require an in depth knowledge of the threat situation. This knowledge cannot be gained by solely from mass media like CNN or the New York Times because these media outlets tailor their coverage to a US and/or European mainstream audience and do not cover all corners of the world or provide coverage and insight in all regions where an organization may have interests or travelers. How much coverage did we see on television or in the major newspapers devoted to civil unrest in Bangladesh throughout much of 2006 and early 2007? It is also problematic to get all information from one retained provider – even if that provider is capable and competent. A more effective approach is to engage several providers with strengths in different areas, participate in private-public partnership organizations, solicit information and opinion from sources on the ground and after gathering all this information view it in the context of your organization’s operations and business activities to develop the most accurate picture of how events effect you and your people and what steps need to be taken to provide a reasonable level of protection to your organization’s employees and assets.