Legal and compliance teams: Where do they fit in the physical security picture?
Legal and compliance teams engage with nearly every aspect of the organization, from labor law to contracts, to cybersecurity. The role they play to reduce workplace violence and other security risks often go unnoticed and are seldom discussed.
It’s worth having those discussions, because legal and compliance teams often set workplace violence policies, interpret regulations and audit internal programs to ensure that policies that have been established are being followed. They also put in place strategies to minimize risk of lawsuits and associated reputational damages. And in publicly-traded companies, they identify the risks that make up part of the required disclosures for investors.
In short, legal and compliance teams connect physical security departments to the big picture risks of the organization.
So how do they connect with their colleagues in physical security?
First, let’s note where physical security leaders and L&C teams are aligned. A strong majority, 77%, of legal and compliance leaders say that they are directly responsible for ensuring compliance requirements related to the protection of companies’ executives, employees and customers from violent and catastrophic events, according to a recent survey of human resources, legal and compliance, IT, cybersecurity and physical security leaders from the Ontic Center for Protective Intelligence.
But legal and compliance executives differ from their colleagues in a couple of significant ways: They are more likely than other respondents to identify geopolitical risks as threats to the company, and more likely to identify lawsuits and regulatory issues as threats to the company. Taking into consideration their expertise and the lens they use to view threats, I am not surprised by this finding.
Another set of responses from legal compliance executives really sparks my curiosity. We asked the four groups a series of questions about policies their organizations had. We asked whether their organization had policies to reduce risk of lawsuits, policies to notify physical security teams during potentially hostile terminations, and clear policies to keep people safe while working from home.
In every case, legal and compliance professionals were more likely than their counterparts to say that they weren’t sure whether such a policy existed. Perhaps it’s because they view many policies as inadequate or outdated, that having an inadequate policy doesn’t give them confidence to say that a policy actually exists.
Whatever the reason, those findings are an opportunity for physical security teams to engage in dialogue with legal and compliance teams about how they can work together.
A couple of points they can discuss:
- Maintaining the audit trail. It’s important for physical security teams to discuss how they can document their efforts and how their roles align with policies to reduce risk. A good audit trail can be invaluable when replying to regulatory concerns and lawsuits.
- Getting on the same page. One thing we’ve noticed in surveys is that there can be a pretty big disparity between different departments over what they see as threats to the organizations. Physical security teams and legal teams should work to align their outlook to make sure nothing falls through the cracks.
- Reviewing response plans. In so many organizations, response plans for critical incidents aren’t updated frequently, and this hampers crisis response. Legal and compliance and physical teams regularly identify new risks. They should work together to make sure they are reflected in plans.
- Using technology to drive results. Threat intelligence tools pull in an amazing amount of data. When physical security teams and legal teams have access to it all in one place, it’s a force multiplier that allows the organization to take a proactive risk mitigation stance.
By working with their counterparts in legal and compliance, physical security teams can gain a better understanding of how their roles contribute to the organization, and have confidence they are participating in meaningful risk reduction activities.