Interview with Carolin Stellmacher | 3-core GmbH for DMB Deutsches Mittelstandsbund The internationalization of medium-sized businesses poses new challenges for companies. At the latest when employees are sent to new target markets outside the EU, good preparation is elementary. In addition to the business potential analysis, the topic of security takes on a central significance. Many risks can be avoided with the right strategy, explains Carolin Stellmacher from 3-core GmbH in an interview with DMB. The DMB member company advises companies and corporations with the aim of establishing security management structures. DMB: Ms. Stellmacher, what does 3-core stand for and what does 3-core offer? Carolin Stellmacher (3-core): We are a management consultancy in the niche market of corporate security. The “core” in our name stands for exactly that: Corporate Resilience. We have specialized in 3 subject areas: Security, Emergency, and Crisis Management. What we offer is, for example, security governance. This is about the organization of security, emergency and crisis management in the company. Other examples from our portfolio are the assessment and protection of critical infrastructures, the support of market entries in high-risk areas and exercises or simulations of operational emergencies and crises. It is also important to add that our consulting is not about occupational health and safety or cyber security, but about third party attacks and threats in a corporate context. What are critical infrastructures? Critical infrastructures are organizations with important significance for the community. Failures would mean supply shortages. If there were an outage from these organizations, it would mean, for example, that you would have no electricity, water or gas at home. The BBK (Office of Emergency Management and Civil Relief) assesses criticality. Could you, despite all the secrecy, describe a current project example? I’d be happy to give you a project insight into emergency management. The aim here is to establish the emergency organization at a site with around 1500 employees. In the project, processes for reporting channels and emergency scenarios are being created. This involves questions such as: Who has to alert whom? Which communication strategy is used in which scenario? Which scenarios are realistic? What could happen? Extreme weather events, burglary, vandalism, flooding, bomb discovery, protests, etc. All of these issues are brought into the corporate context and result in site-specific response plans and contingency plans. Are there risks that a company cannot prepare for at all? You should always look at what is happening in the world right now. What is happening in my country? What’s happening in my region? What’s happening around me? Risks can be of various kinds: technological, environmental, social, geopolitical. All the insights and “findings” should be brought into the business context. How could these factors negatively impact my business? That’s when we talk about risk management. But you’re asking about risks that can’t be prepared for. The risk of becoming the victim of a terrorist attack, the probability of which is very low and the extent of the damage is relatively high, is difficult or disproportionately costly to prepare for. What are usually the biggest cost drivers for companies in the area of security, emergency and crisis management? Security is not seen per se as part of the value chain in the company. That’s completely understandable, because it doesn’t produce a product or offer a service. Ultimately, it’s a cost-benefit calculation, between the investment and the potential damage. In most cases, however, the investments in security, emergency and crisis management are lower than the expected personal and material damage or the outflow of know-how. Basically, a sense of proportion is required. Even small but targeted investments can bring added value. Basically, it is a question of weighing up and accepting the risks, which each company must do for itself. Do you have a concise example that shows how non-existent or poorly positioned safety, emergency or crisis management has resulted in significant follow-up costs? For example, a senior employee was stationed abroad with his family – a high-risk area at the time. The family was the victim of a robbery one night. As a result, the employee and his family wanted to leave the country as soon as possible. As a result, the project could not be realized for the time being. In addition to the financial costs, the delay in the project caused enormous damage to the company’s reputation. The company breached its duty of care to the employee by not taking care of the necessary security of the home. I think this is a fitting example of subsequent costs incurred due to poor safety management. What should companies do to prevent such a situation from occurring? Especially when sending employees to more dangerous regions of the world, the general political as well as the specific security situation should not be underestimated. I therefore recommend that employees be intensively prepared for the situation in advance – including culturally – and that their accommodation be protected accordingly. From your perspective, are there anything like minimum requirements for security, emergency and crisis management for companies abroad? Basically, the company has a duty of care toward its employees. This duty of care naturally also applies to stays abroad and to business trips. Ensuring the safety of the employee should not be the last priority. Sensitization with regard to cultural customs as well as the specific business etiquette of the host country are part of this. In addition, dealing with corruption is another important topic in this context. One of the basics of a business trip is travel safety training. Among other things, such training addresses the following question: How do I get from A to B on site? Especially when traveling to high-risk areas, it is important to pay attention to regional peculiarities. Companies benefit from our networks and their local experience. On the basis of constantly updated situation reports, we can make recommendations in line with companies’ needs. So much for business travel. The minimum requirements of foreign projects include first and foremost a macro analysis of the political conditions as well as the local security situation. This includes issues such as corruption, crime, but also the potential risk of natural disasters. How do you go about making recommendations? Do you travel to the countries yourself and look at the structures on the ground? How can you imagine this in concrete terms? One of our customers wanted to open up new markets in Mexico. What is important here is not just the country as such, but an analysis of the situation in the individual regions. This is especially true for large territorial states. In this specific case, the regions that the company favored were visited by us in advance. In cooperation with the Mexican authorities in the regions, German security agencies on site and our network, we compiled the information relevant to the company. The analysis also takes into account the experience of companies already in the country. We then draw up recommendations based on several indices. It is always important to take a very specific look at the regions and to exchange ideas with the local players. In your opinion, how well or poorly positioned are German SMEs in terms of security, emergency and crisis management? Medium-sized companies can assess this for themselves by asking a few specific questions: Do you know your internal business risks? Do you know the risks at home and abroad with regard to political, socio-economic and security-related aspects? Do you have guidelines and information documents for security, emergency and crisis management? Do you know what to do if production sub-processes fail? Is the topic of safety anchored in the corporate culture? Do you meet the legal requirements from the German Civil Code (BGB), German Commercial Code (HGB) and the IT Security Act? These questions should provide an initial starting point. Do you have any best practice examples or concrete tips for SMEs? The concept of customer A does not necessarily work for customer B. Needs vary depending on the industry and the corporate culture. We offer individual solutions tailored to the needs of each company. Entrepreneurs are best placed to assess for themselves how high their own company’s risk acceptance is. However, it would be negligent not to know one’s risks. Awareness of the risks is the starting point of the analysis. How likely is it that a certain event will occur, also in the context of the company’s history. What has already happened in the past? Based on this, it must be weighed up whether certain incidents could happen again and, if so, whether protective measures should be implemented. In my opinion, it is very important that security is generally thought of as part of the corporate culture, so that companies do not act negligently.