Where is the Place of Corporate Security/Safety in the Organizational Structure of an Organization – An Approach

The terms "Safety" and "Security" are too often used as synonyms in many languages. But safety and security do not mean the same thing. It is very important for the safety / security of business processes and the protection of business interests of any organization that the management of that organization understands the difference between these two terms. Also, the management of the organization should clearly define the tasks and place(s) of the security / safety system in the organizational structure. The security / safety system of an organization should be considered as a system deeply connected to all parts of the business system. The importance of the security / safety system in improving the overall business system of an organization is increasingly understood in Serbian organizations, as a well-established security / safety system significantly reduces the risks of potential business losses of any kind. To emphasize, if the top management of an organization has a dilemma whether or not to establish a security / safety system, we can recommend: Establish, it pays off!


INTRODUCTION
The terms "Safety" and "Security" are too often used as synonyms in many languages.
In our (Serbian) technical papers safety is the most frequent word for both terms, whereas in Croatia it is security.
But safety and security do not mean the same thing. It is very important for the safety / security of business processes and the protection of business interests of any organization that the management of that organization understands the difference between these two terms.
"Safety focuses on the potential result of an occurrence defined as a risk. Meaning something is identified as a Safety problem if there is an unacceptable risk of damage to people, property or the environment. A Security problem is independent of the result of the action. A Security problem refers to illegal or unwanted penetration, interference with proper operation or inappropriate access to confidential information regardless of motivation (intentional or unintentional) or consequence (result)" [1].
TEHNIKA - KVALITET IMS, STANDARDIZACIJA I METROLOGIJA 19 (2019) 5
In ref. [2], the subtle difference between these two terms is explained in a comprehensible way: "Security can be seen as an umbrella which keeps us out of the rain (Figure 1). Our safety is reflected in the fact that we are dry and not cold under the umbrella. Security is protection which makes sure our safety is constant. If it is possible to predict variables risky to our safety, possible risks could be avoided or reduced to acceptable level by carrying out certain preventive measures. For example, we could keep comfortable temperature in our flats by air-conditioning settings. Locks secure entry doors. However, our property surroundings cannot be controlled so easily. Weather forecast can warn against rain, but safety still requires our involvement. Hence, Awareness or perception of a situation or fact + Preparation = Safety". Or [9], mathematically speaking: Safety = Security + Perceived value (the sense of being safe). [2,12]
Here is how TÜV NORD [11] explain the difference between security and safety from the aspect of security and safety in industry: Safety means avoidance of accidents and security means crime prevention. Take the example of emergency exit: both aspects are there, safety and security. In terms of safety, you have to be able to leave the building at any time, and emergency doors should always be open. As for security - with focus on building protection - those doors should not be there at all, so no one can enter the building. Aims and benefits of security and safety are sometimes contradictory, which is exactly what makes this subject so intriguing. To protect people and environment, traditional safety measures are applied to potentially dangerous machinery. However, as regards security, you are not protecting people from machinery - but vice versa: you have to protect machines from people against malfunctioning, grinding to a halt or cancelling safety precautions.

Figure 1 - Security and safety
Safety and security play an important role in Industry 4.0. What is the difference between security and safety concepts in this industry? The answer can be found in the literature [11,13]. Authors of this paper believe that water supply systems, due to their complexity and increasing automation and digitization, have important characteristics of Industry 4.0. According to [13], in the context of industrial automation and control systems, safety systems are special control systems whose function is to detect a hazardous condition and take action (typically shut down the process) to prevent a hazard. They are typically one of many layers of defense in an overall protection scheme for the facility. On the other hand, security of control systems refers to the ability of control systems to provide adequate assurances that unauthorized persons and systems are neither allowed to modify software and its data nor permitted access to system functions, making sure these are not denied to authorized personnel and systems.
We will point out another good reference dedicated to Industry 4.0. Ref. [3] indicated that "Increasing digitization has led to convergence between IT (Information Technology) used in offices and mobile devices, and OT (Operational Technology) that controls devices used in critical infrastructure and industrial control systems. The IoT (Internet of Things) is also rapidly growing, with around 10 billion devices today. These trends raise concerns about the interaction between safety and security… From a regulatory and standards point of view, the following Venn diagram summarises the current situation: However, practitioners recognize that there is not a clear separation (indeed it would be undesirable if there was), so the following is a better diagram of the current situation: There is a question about how large the intersection should be. There appears to be general agreement that the following diagram is wrong: The debate about the interaction between safety and security will continue."
In ref. [14] it is indicated that: "By 2050, the world will be home to 10 billion people, and two in five of these people will be aged 60 or over, including 434 million over 80 years old. This combination of population growth and demographic changes will seriously accelerate the challenges we face for the delivery of health and healthcare, with global healthcare spend projected to reach 13% of GDP in OECD countries by 2050." Ref. [14] also points out that: "The rapid pace of advances in science and technology in the Fourth Industrial Revolution has important implications for health and medicine. Advances in fields such as genetics, genetic engineering, precision medicine, data science, and more are giving rise to new diagnostic and therapeutic modalities which offer the possibility of curing disease, reducing suffering, lengthening lives, and more." Ref. [14] specifically highlights the vulnerability of hospitals and health systems to cyberattacks, which could be dangerous for both patients and staff. Moreover, such attacks on broader infrastructure, for example on the electric grid, could stop hospitals/healthcare organizations from functioning. Any physical facility, such as MRI, PET-CT etc., connected to the electrical grid is potentially at risk of being taken over and exploited by hackers. Particular attention should be paid to cyber attacks on small healthcare organizations [22]. The security/safety system in any healthcare organization should be designed and implemented carefully. It should be based on an organization's security/safety culture and spread throughout all parts of the organization. Because of the extreme importance of the healthcare industry, the authors intend to dedicate a special paper to the implementation of security / safety systems in this industry.
Our introductory notes here are fully in keeping with the Merriam-Webster definition of safety and security [13,32,33], where the primary definition of safety "the condition of being free from harm or risk" is basically the same as the primary definition of security: "the quality or state of being free from danger". However, there is one more definition of security [13], which is "measures taken to guard against espionage or sabotage, crime, attack or escape", and that is generally the definition used when referring to industrial security.
Definitions of safety and security referenced in [8] are also interesting: Safety is protection against random incidents. Random incidents are unwanted incidents that happen as a result of one or more coincidences. Security is protection against intended incidents. Wanted incidents happen as a result of a deliberate and planned act.

TASKS AND FUNCTIONS OF CORPORATE SECURITY/SAFETY
Corporate security/safety dates back several centuries. However, the roots of contemporary corporate security/safety in Western Europe and the USA go back to the 30s of the 20th century, when certain laws in this area began to be adopted. In countries of the West Balkans, dealing in more detail with this important area started towards the end of the last century. Legal solutions that partially cover corporate security/safety in Serbia are given in Ref. [34]. This paper will not cover in much detail the tasks and functions of contemporary corporate security/safety. Because of the immense importance of this field for the overall business activities of organizations of any type, a more detailed study of the tasks and functions of corporate security/safety will be the subject of a further series of papers prepared by contributors of the Development Centre of the Union of Engineers and Technicians of Serbia (DC UETS). Also, DC UETS will put together a team of experts in this area to prepare one-day and several-day training seminars for employees of various types of organizations, with special emphasis on training of water supply companies. References 1-66 make a good starting foundation for the study of corporate security/safety.
A "defensive" approach to corporate security/safety dominated before, focused on protection and prevention of losses. Many people today still identify corporate security/safety with physical protection within the organization. However, security/safety of performing business processes and protection of business interests of organizations present the most vital segment of contemporary corporate security/safety. The processes of corporate security/safety are ranked among key processes of the organization's business system, and contemporary corporate security/safety has become a strategic function in the organization.
Let us set out some basic tasks and functions of corporate security/safety: It should be noted that within corporate security/safety, due to exponentially growing cyber-attacks on information and control systems functioning within the organization, special attention is given to IT security/safety. Available data show that the human factor causes 70% of business information loss. Some of the standard procedures for protection of a computer network include: restricted Internet access for personnel, scanning e-mails for viruses and setting up a company intranet.
Due to the great importance of information security/safety, it is important that any organization of any type, regardless of its size, should harmonize its business system with regard to information security/safety with the requirements of international standard ISO/IEC 27001:2013 [66]. This recommendation applies fully to water supply companies as well. We should point out that special attention has been paid lately to cyber terrorism, i.e. terrorist and vandal hacking attacks on SCADA (Supervisory Control And Data Acquisition) systems for remote supervision and control in water supply systems. In the first half of 2016, for example, hackers attacked an unnamed major water supply system in an unknown location in the USA; the level of chemicals used in water treatment was changed.
According to the ISO web page, International standard ISO/IEC 27001:2013 [64], adopted in Serbia as SRPS ISO/IEC 27001:2014, specifies requirements for setting up, application, functioning, monitoring, reassessment, maintenance and improvement of a documented information security management system within the context of total business risks in an organization. International standard ISO/IEC 27002:2013 [65] (SRPS ISO/IEC 27002:2015) provides guidelines for organizational information security standards and information security management practices including choice, implementation and management of controls, taking into account considerations of the organization's surroundings dangerous to information safety.
The basic International management standard ISO 9001:2015 (SRPS ISO 9001:2015) gives free rein to "risk-based thinking" in the organization's business system. This is its main feature.
To conclude this section, we note that, regarding corporate security/safety, most Serbian organizations share these features:
• inadequate awareness of the need to set up suitable security/safety mechanisms in the organization;
• corporate security/safety is not seen as the organization's strategic issue;
• much more attention is paid to external threats to the organization's security/safety, though employees jeopardize security/safety procedures in more than 70% of cases, as worldwide experience suggests.

THE PLACE OF CORPORATE SECURITY/SAFETY IN ORGANIZATIONAL STRUCTURE
Many management experts adopt a systems approach to business processes management, whereby the entire environment is taken into account rather than the mere effect of individual jobs or operations. The organization (company) is viewed as a system, with parts, i.e. subsystems, united for accomplishing common goals. When making decisions, a successful manager has to study the relationship between subsystems, and identify basic and auxiliary processes in the company that affect creating added value. This integrated approach helps avoid situations where solving a problem in one area becomes a problem in another one. The system theory presumes that no action can be taken in isolation, but each decision spreads across the entire system.
The organization of any type should apply a systems approach to business processes management, which implies: identifying, understanding and managing interconnected processes as a system that contributes to efficiency and effectiveness of the organization in achieving its goals. The main task of the organization's management is to identify and then manage main and auxiliary processes within the organization's global task, applying modern IT infrastructure in achieving it.
For an organization to be able to manage a business process-based system, it is necessary to first define a network (map) of its basic processes. The criterion for defining basic processes is their connection with and impact on meeting the organization's strategic goals. For a proper selection of basic business processes it is necessary to define the total flow of business, from the initial request of the user/buyer/investor to the delivery of product/service. Therefore, work in the organization of any type is carried out through a network of processes, whereby the structure of the process network depends on the complexity of company programs/projects. The network is comprised of processes linked to performing all functions of the organization (planning; research; design; technologies; production functions: production preparation, production, providing services; quality control; training; human resources; marketing; ecology; procurement; sales; finance; (JIT) maintenance; communications with business partners; security/safety/functional safety, etc.).
In organizations where the structure is based on work processes management (horizontal structure), responsibilities shift from individuals to teams. Key (major) processes:
• spread across functional borders of the organization;
• the outcomes of these processes are strategically important for the organization's success;
• have a decisive influence on meeting requirements/expectations of the user/buyer/investor.
Business processes in any type of organization generally fall into three groups:
• key processes of the business system,
• support processes,
• processes of management.
Clearly not all business processes are equally important, even though the main goal of business process management is to systematically improve all processes from the organization's network of business processes. Special attention should be paid to the continuous improvement of macro processes, especially those macro processes that are necessary for achieving the strategic goals of the organization. Such processes are the driving force of an organization and are crucial for its survival. That group of strategic macro processes forms a set of the so-called key (main) processes.
Depending on the complexity and nature of programs/projects being performed within the organization, it is usually possible to distinguish between ten and twenty key processes. A process can be classified into a set of key processes if: (i) it affects the organization's strategic objectives, (ii) its output is linked to investor/buyer/user (patient), (iii) it is necessary in relation to user/buyer satisfaction. Processes that supervise other processes are not included among key processes, nor are processes which are not vital for the survival of the organization.
Support processes and processes of management, albeit not directly affecting investor/buyer/user satisfaction, do fall among key processes if they have strategic significance for achieving the business policy of the organization (e.g. strategic planning, IT system, unique system of marking all business elements, legal services, financial services, security/safety of operations, risk management; also total quality management, business policy, reviews of certain jobs/operations, personnel management, etc.). For a proper selection of key business processes one has to define the complete business flow, from the initial request of the investor/buyer/user to delivery of product/service.
In the contemporary functional-matrix model of organization structure [35], experts of different profiles can be combined for a one-off job/project, and then move on to others. That way their knowledge, expertise and qualifications are efficiently used. Such an organizational structure is suitable for organizations that work in a dynamic environment and realize complex services / products. Here, teamwork (matrix part of the structure) is applied to those jobs and projects where a functional organization is unsuitable.
Organizational units of the organization that provide services to business and projects carried out within the organization, such as marketing, sales, procurement, finance, development, quality ..., are functionally organized. Production of products/services is functionally organized. As a function, the production of products/services can, in certain types of organizations, provide services to certain one-off jobs/projects that are performed in the organization. Problems likely to arise with the functional-matrix model of the organization's structure are those concerned with responsibility, authorization and coordination of work while performing simultaneous jobs/projects. This is solved through certain defined procedures of the organization's business system. Possible solutions to conflict situations are proposed at the top level of the organization's management.
From the previous consideration in this section of the paper it is clear that processes performed within the security/safety function belong to the support processes of the organization's business system. Corporate security/safety in the organization plays an important part in achieving the set strategic goals of the organization.
Depending on the organization's size and activities, security/safety activities are done by one or more teams of experts from different company units, with clearly set responsibilities and authorizations. The coordination of the work of the teams is carried out, as a rule, by a manager from the top management structure, with the full cooperation of the top management.
Obviously, corporate security/safety in Serbia is gaining momentum as it improves the entire company business system, significantly reducing losses.
A detailed description of the work of the members of corporate security/safety teams will be the subject of forthcoming papers. The necessary knowledge, skill sets, capabilities and personal traits expected from team members will also be dealt with.

CONCLUSION
There is no denying that corporate security/safety is a sine qua non in today's business environment in various types of organizations. It is also clear that introducing security/safety into business systems is a demanding and long-term chore. In some companies it can take several years. Obviously, favorable results of introducing this function are not visible at once, which often discourages top managerial teams and puts them into a dilemma whether the whole shebang pays off at all. Let us remove the dilemma: IT definitely DOES PAY OFF.
We should point out that the influence of teams performing security/safety activities is proportionate to their capability to convince individuals and other teams within the company to cooperate. Hence, they have to establish a long-lasting, open and fruitful dialogue with them. In other words, security/safety teams must not even try to count on the lack of knowledge of others in their favor.
It is indisputable that corporate security / safety is necessary in today's business environment, in which organizations of different types are working. It is also clear that the introduction of a security / safety function into an organization's business system is a demanding and long-term job, which may take several years for some organizations. It is evident that the positive results of introducing this function cannot be seen immediately, which can often discourage the top management of the organization and introduce the dilemma of whether the entire undertaking is worth it at all. To resolve the dilemma: it definitely pays off.
It should be noted that the impact of teams that implement activities within the security / safety function is proportionate to their ability to convince individuals and other teams throughout the organization to cooperate, which means that they have to establish a lasting, open and fruitful dialogue with them. In other words, safety / security teams should not even try to play the lack of knowledge of others for their own benefit. Also, when setting up the security/safety function within the company business system, one should not look for Rolls-Royce solutions, as absolute security is not possible, and such solutions are not financially justifiable.
What matters when setting up this function is establishing good relationships within the company and good relationships between the company and its interested parties.
The outcome of activities pertaining to this function must be visible across the whole of the company and help come up with the right strategic decisions within the business system. Also, in establishing the security / safety function within the organization's business system, Rolls-Royce solutions should not be sought, because absolute security is not possible, and economically such solutions are not justified. It is important that in establishing this function, in addition to good relations within the organization, there are also good relations between the organization and its stakeholders.
The results of the activities that take place within this function must be visible throughout the organization and contribute to making correct strategic decisions within the business system. At the end, the importance of the existence of the organization's security culture should be emphasized. Security culture does not originate on its own. It needs to be invested in over the long run. When an organization's security culture becomes sustainable, it transforms security from a one-time event into a lifecycle that provides security on an ongoing basis.