Some hotel companies seem to be taking a first casualty approach to security risk management
Given the uncertainty surrounding the hotel sector, I have been engaged in many conversations about the state and future of security. Many ponder if security will ever be the same again and consequently whether there is still a career in the industry. I am optimistic because security threats remain and are likely to become more complex and harmful, guests and employees need protection and hotel companies still have a duty of care. I also see the current situation as an opportunity for change for the better. But how and when will this happen?
Regenerating security capability is unlikely to be a top priority for hotels and hotel companies as they fight for their survival. By and large, they are aware of the increased security risks they are taking but it is a calculated risk; a risk that will increase over time in terms of likelihood and probably impact. Given this, and perhaps unknowingly, hotel and hotel companies have adopted a ‘first casualty’ approach to security risk management.
This approach relies on another hotel company becoming the ‘first casualty’ of a major security incident. A ‘first casualty’ strategy is arguably not a responsible way of managing any risk so few companies will formally declare that this is their strategy; however, this is the de facto approach they are taking.
Inevitably, a hotel somewhere in the World will become victim to a high-profile security incident, perhaps a terrorist attack, a mass data loss, or an attack on a high-profile guest. Such an incident will attract widespread publicity and legal scrutiny. Any drawdown on security will inevitably come under the spotlight and will be challenged; saving money as a motivating factor will not play well and could be costly when the dust settles and the real cost of the strategy can be counted.
Once the ‘first casualty’ has taken place, the realities of security threats and risk will come into sharp focus; some may put themselves in the position of the first casualty and think ‘what if this was us?’ It will be at this stage that hotel companies will review their security strategy and security will start to be regenerated. The ‘first casualty’ will also make it easier for business leaders to make the case to stakeholders for greater security expenditure. Likewise, corporate client focus on hotel security will be sharpened and their security due diligence which will challenge hotels.
First casualty security risk management works so long as you are not the first casualty
The problems of being the ‘first casualty’ are clear, the ‘first casualty’ will bear the brunt for what has been happening across the sector. The ‘first casualty’ gives a second chance to the other companies.
If hotel companies chose to adopt a ‘first casualty’ approach to security risk management, there are still things to consider:
- Conduct a detailed security threat and risk assessment to model the implications of being the ‘first casualty’.
- Document risk assessments, plan, and training reviews to demonstrate continuing duty of care.
- Well-practiced and resourced crisis plans will need to be in place in case the company is the ‘first casualty’.
- An excellent communications plan will be required to explain why the company became the ‘first casualty’ and drew down on security.
- Contingency plans and budgets will be required to respond in the event of another company becoming the ‘first casualty’.
- Legal teams should be consulted in adopting a ‘first casualty’ strategy.
It is somewhat ironic that the future of security in the hotel sector may depend largely on threat actors conducting a horrendous attack on hotels; such an attack is inevitable: when, where and how is of course unclear. As mentioned in previous blogs, atrophy of hotel security might make it a challenge to regenerate security in a timely fashion; wise hotel companies will be making plans even if the need for implementation seems someway off. It is worth remembering that in times of uncertainty there is often greatest value in securing against loss.
Questions for Consideration:
- Do you have plans in place should your company become a ‘first casualty’?
- Do you have a communications plan in place to explain the security drawdown that may have led to you becoming a ‘casualty’?
- Will your security and resilience programs in their current state, stand post-incident scrutiny?