27-11draft
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Security Management<br />
On the Institute’s theme of ‘culture’,<br />
Matthew Drew indeed dwelt on<br />
‘behaviours’.<br />
He mentioned the fine by<br />
the Serious Fraud Office,<br />
or rather the ‘Deferred<br />
Prosecution Agreement’ (DPA)<br />
completed in January. To quote<br />
the SFO director David Green in<br />
a September speech, ‘bribery had<br />
occurred in seven jurisdictions<br />
[Indonesia, Thailand, India, Russia,<br />
Nigeria, China and Malaysia] in three<br />
of its business streams touching three<br />
decades’. The penalty and costs,<br />
also to the authorities in Brazil and<br />
the United States, at about £670m<br />
‘was equivalent to a year’s profits<br />
for Rolls-Royce’, Green noted. As an<br />
aside, that case shows the sheer size<br />
of a corporate and how hard it is to<br />
achieve compliance; the investigation<br />
was the SFO’s largest ever, costing<br />
£13m and covering some 30m<br />
documents.<br />
Behaviour<br />
But to return to Matthew Drew. He<br />
recalled a memorable line from an<br />
Institute conference speaker years<br />
before; that security is a behaviour,<br />
not a function. In that bribery case,<br />
you had people who thought they<br />
didn’t have to behave in an ethical<br />
way (in procurement); that brought<br />
Rolls-Royce those problems.<br />
“Security is the same,” Matthew said.<br />
“You can have a fantastic security<br />
function, and clear policies, but<br />
unless every individual feels some<br />
ownership, you won’t be a secure<br />
company.” Everyone who joins the<br />
firm is vetted, to a consistent<br />
standard. Their criminal and financial<br />
history, and right to work in the<br />
country, and social media profile and<br />
any views if expressed, checked. As<br />
R-R has 50,000 people, the company<br />
as Matthew said has experienced ‘just<br />
about every’ personal issue that can<br />
cause a reputational harm. A R-R<br />
team runs ‘high quality investigations’<br />
so that if such behaviours have to go<br />
to law enforcement or an internal<br />
disciplinary process, evidential<br />
standards have been kept.<br />
Code of conduct<br />
He spoke of a ‘global code of<br />
conduct’, a commitment given when<br />
applying to join Rolls-Royce, ‘so that<br />
you know exactly what you are<br />
signing yourself up to. It’s very clear,<br />
it’s a very simple document, it leaves<br />
absolutely no room for ambiguity on<br />
the behaviours expected in the<br />
company’. Another document is the<br />
‘global security policy’; again, sent<br />
out to people before they even join,<br />
so that everyone, security and nonsecurity<br />
jobs alike, understands the<br />
‘core behaviours’ expected. It goes<br />
over basics, such as; you will wear a<br />
pass if you are in a R-R building, and<br />
if you don’t bring it, you go home for<br />
it. If you’re a manager, it’s your<br />
responsibility to brief your staff at<br />
team meetings on such security issues<br />
as ‘clear desk’. Matthew also aired<br />
something that Paul Grainge did at<br />
his Security TWENTY talk in 2015 in<br />
Newcastle; how to deal with unions.<br />
R-R factories, like docks, has a<br />
unionised workforce. Even small<br />
changes to security behaviour can be<br />
significant for unions, Matthew said.<br />
meeting the unions:<br />
If any new CCTV is fitted, unions<br />
will ask whether it’s not for safety<br />
and security, but to monitor time and<br />
attendance. Security meets with<br />
unions monthly, the aim to get unions<br />
to understand why such things as<br />
wearing passes to work are necessary.<br />
Here the threat of terrorism and risk<br />
to workers - and Security’s advice on<br />
the official lines of ‘run-hide-tell’ -<br />
has meant that unions have been the<br />
ones to report to their members, on<br />
security behaviour. On the insider<br />
threat, R-R doesn’t want to ‘recruit<br />
the problem’. R-R doesn’t want its<br />
intellectual property so locked down<br />
that it cannot be used; the company<br />
has to know where the IP actually is;<br />
but Matthew returned to security<br />
‘culture’; workers understanding<br />
what unusual behaviour is, such as<br />
working odd hours, avoiding<br />
supervision, and drawing it to<br />
Security’s attention.<br />
Enabler<br />
As Drew added, he tries to drive<br />
security as a business enabler, not<br />
a cost. Drew’s direct line manager<br />
is the general counsel, who makes<br />
sure that every time the executive<br />
leadership team meets, at least one<br />
security issue is on the agenda. While<br />
his work is about flattening out risk,<br />
and managing real (and perceived)<br />
threats from terrorism, the recent acts<br />
of terror across Europe, in Berlin<br />
and Brussels for example, affect R-R<br />
people simply because they are in the<br />
vicinity. Likewise, the Westminster<br />
Bridge terror attack was 300 yards<br />
from R-R headquarters. Drew praised<br />
support from police; and stressed the<br />
first five minutes of an attack, figuring<br />
out where people are, and what to do<br />
for them. p<br />
About Rolls-Royce<br />
n R-R has customers in<br />
150 countries; armed<br />
forces and navies, airlines,<br />
nuclear power companies.<br />
n Revenue was £13.8<br />
billion in 2016, around half<br />
from ‘aftermarket services’.<br />
n Its recent engine sales<br />
include to the UK’s new<br />
polar research vessel the<br />
RRS Sir David<br />
Attenborough; San<br />
Francisco Bay catamaran<br />
ferries; and Bangladesh<br />
power stations.<br />
Below: An Emirates<br />
A380 passenger jet. The<br />
airline is among users<br />
of Rolls-Royce engines<br />
and service support<br />
Photo courtesy of Airbus<br />
www.professionalsecurity.co.uk NOVEMBER 2017 PROFESSIONAL SECURITY 43<br />
p42,3 Institute <strong>27</strong>-11.indd 2 12/10/2017 11:01