The Need for Written Policies

Headlines continue to point to the need to have formal policies governing the operation of a CI unit, as well as of consultants and contractors working for that unit. ^[26] Of course, CI professionals have to be very careful to avoid crossing either legal or ethical boundaries when collecting data for any intelligence program. In fact, it is not necessary to be illegal or unethical to conduct effective CI. As was noted, 80 percent (or more) of what a company needs to know about its competitors is easily available through legal, ethical means. Therefore, any "perceived" need for information that cannot be obtained by legal, ethical means should be very small. When weighed against the potential for damaging business relationships and reputations, the potential benefits of getting such information can never outweigh the potential harm.

In some instances, a gray area may exist between industrial espionage and legitimate intelligence collection efforts. In these instances, we are dealing with taking actions that are not strictly illegal, but that still could violate a reasonable corporate conduct policy or ethical standards. Taking our example one step further, what do you think of someone soliciting samples at a trade show while using a badge that (falsely) labels them as a potential distributor? Does it make a difference if the samples are being given to everyone, anyway? Without a clear directive as to what is in the "gray zone" of unethical behavior, it is all too easy to slide right through into the "black zone" of illegal activity. ^[27]

There are positive benefits to having an ethical policy that applies to how the CI unit operates, whether or not it deals directly with CI by name. Here are a few:

• By developing a statement of ethical standards to complement legal ones, management sends a message to employees that the company expects more from them than the bare minimum of "Don't break the law."

• There is a direct link between the presence of a corporate ethics/business conduct policy and awareness of the limits of legal and ethical behavior on the part of CI practitioners. ^[28] And while research has shown a direct relationship between a CI professional's perception of legal constraints and the success of the CI function, the relationship is not what some CI professionals would have expected. Executives give a higher rating to the performance of CI functions, as well as the results to their firm, when the CI professional's perception of legal constraints was higher! ^[29]

• One of the lessons that emerged from the SCIP Team Excellence Awards process during its 1999–2000 test period dealt with efforts to train employees on what such policies mean in the context of CI.

• This training also alerts both legal personnel and corporate CI personnel to the real issues involved in conducting CI, before they can cause problems.

• Looking at the "open source" hierarchy (discussed earlier in this chapter), it is interesting to note the relative "costs" associated with each type of data. If we take open source information (representing 80 percent of the information available on a target) as a baseline of 100 percent, then open proprietary information, which adds 5 percent, does so at a cost equal to 50 percent of what was already spent on open source information. "Closed proprietary," which could also be defined as information obtained through activities of dubious ethical stature as well as some that cross the line, could provide 5 percent, but at a cost equal to what was spent on open source information. The final category, "classified," which is acquired almost exclusively through illegal operations, represents the last 10 percent of the information available on a target but typically costs 2.5 times what was spent on open source information. ^[30] Therefore, behavior that is unethical (or worse) is not only not proper, it is not even cost-effective.

• Any ethical statement, whether or not it is based on the SCIP Code, ^[31] also provides an external measuring stick. That is, if your firm is hiring a CI consultant, it should ask that the contractor be bound by the client's own standards. In addition, having your own set of written standard permits you to ask the potential contractor to discuss its own standards with you and compare the fit, or lack of fit, with your own.

In other words, CI involves the legal and ethical collection of data. It is more than a practice that is merely "not illegal." And operating both legally and ethically is not only the moral way to conduct business, it is also good business.