A Time to Review and Plan

Hotels have been open for a few weeks now and hopefully, these green shoots will lead to a full recovery. The recovery will of course take time and the smart money is predicting that hotel business levels will not bounce back to 2019 levels until 2023 or 2024.

As we have previously highlighted even some of the big players in the hotel sector have been forced by lack of revenue to ‘slash and burn’ their security teams at both corporate and hotel level; often folding security risk management accountability into general risk departments who with the best will in the world do not possess the specialist skills and experience to manage security risks effectively. To my knowledge, Marriott is the only company whose security risk appetite has led to the maintenance of a global security team. Perhaps somewhat counter-intuitively, now is a great time for companies to conduct root and branch reviews of their security threat and risk management capabilities and identify opportunities for improvement. Although budgets may still extremely tight having a plan in place waiting for the budget to ‘arrive’ will enable timely and/or incremental implementation and as importantly demonstrate proactive engagement in fulfilling due diligence in the management of security risks.

Forward-looking hotel companies have started realizing that whilst security risk reorganisation looks good on paper, the effects on the ground are generating significant legal and reputational risks that have the potential to far outweigh the financial savings gained from cutting security. In this way, companies that continue to operate without competent and capable security teams are playing ‘Russian Roulette’. Companies who do not have the foresight to at least start planning for the re-establishment of security teams will likely be forced to do so following the next mass casualty incident at a western branded hotel.

It is encouraging that increasingly, small and medium-sized hotel companies who have never had a central function for security, or formal security programs, are recognising the requirement for ‘a controlling mind’ to develop, lead and maintain security. Perhaps more so than larger players, the smaller operators appreciate that in a post-pandemic era, security will be more important in a more dynamic threat environment and essential in reassuring guests and colleagues.

So what elements might be included in a hotel company security review and plan?

• Review the company security threat, risk and vulnerability assessment – to understand the current and foreseeable internal and external security challenges across operations, business processes, support infrastructure, and 3^rd
• Review current security risk management capability mapped against the findings of the threat, risk, and vulnerability assessment and conduct a gap analysis within the context of the company security risk appetite. Using a Risk Management Maturity Model is often a useful addition.
• Outreach to stakeholders across the enterprise to gain insights into security capability shortcomings and requirements.
• Review current security strategy and supporting policy and amend as appropriate.
• Update the company security plan using the data acquired through the above.
• Conduct an organisational and resource review to identify requirements required to implement the Strategy, Policy and Plan.
• Review procedures and align within the context of the security plan.
• Create and adopt an implementation plan.
• Review and amend as appropriate governance programs and governance bodies.
• Review and amend as appropriate compliance and risk maturity measurement programs.
• Review security training requirements and programs.
• Establish an ongoing review program to identify opportunities for improvement.

This can be a lengthy process and is best planned and executed as a formal project, breaking the task down into ‘digestible’ sections. A challenge that companies may face conducting such reviews and plans is that there is a requirement for someone with strategic security risk management expertise to assist risk generalists or safety specialists.