
Intelligence Inc. How corporate security intelligence providers in The Netherlands use compliance and ethics infrastructures to foster their levels of corporate social responsibility


Academic year: 2021


Intelligence Inc.

How corporate security intelligence providers in The Netherlands use compliance and ethics infrastructures to foster their levels of corporate social responsibility

W.R.S. van de Steeg

Master thesis

MSc Crisis and Security Management

Leiden University


By

Willem Reyer Samuël van de Steeg

Born in Veenendaal

A thesis submitted to the Board of Examiners

in partial fulfilment of the requirements of the degree of

Master of Science in Crisis and Security Management

Leiden University

Faculty of Governance and Global Affairs

Institute of Security and Global Affairs


Supervisor: dr. Ludo Block

Second reader: dr. Joery Matthys

© Reinhard van de Steeg 2019 All rights reserved

Student number: s2093480

Email: reinhardvandesteeg@gmail.com

Word count: 21.134


Table of Contents

Foreword

Introduction
1.1 Presenting the research puzzle
1.2 Research goals and research question
1.3 Significance of the study
1.3.1 Academic relevance
1.3.2 Societal relevance
1.4 Readers’ guide

Theoretical Framework
2.1 Context and terminology
2.1.1 Private intelligence: a historical contextualisation
2.1.2 Private intelligence: the fluidity of a concept
2.2 Corporate security intelligence providers: making sense of the concept
2.2.1 Approaching intelligence: the organisational perspective
2.2.2 Defining CSIPs: drivers and function
2.2.3 CSIPs: Lacking CSR?
2.3 Corporate social responsibility
2.3.1 What is CSR?
2.3.2 Conceptualising CSR in the context of CSIPs: legality and ethics
2.4 Fostering CSR: compliance and ethics infrastructures
2.4.1 Communication systems
2.4.2 Monitoring systems
2.4.4 The role of the organisational climate

Methodology
3.1 Research Design
3.2 Case selection
3.3 Data-gathering
3.4 Data analysis
3.5 Methodological reflections
3.5.1 Issues of validity
3.5.2 Issues of reliability

Findings and analysis
4.1 Dutch corporate security intelligence providers
4.1.1 A brief description of the cases
4.1.2 Empirically revisiting the concept of CSIPs
4.1.3 CSIPs, legality, and ethics: duality and overlap
4.2 Compliance and ethics infrastructures in Dutch CSIPs
4.2.1 A brief quantitative overview
4.2.2 Communication systems: the prevalence of prevention
4.2.3 Monitoring systems: explaining its absence
4.2.4 Reporting systems: formal and informal approaches
4.2.5 Dutch CSIPs and their organisational climate for the law
4.2.6 Communications and ethics infrastructures: key findings from CSIPs

Conclusion and reflection
5.1 Answering the research question
5.3 Limitations and avenues for further research

Samenvatting in het Nederlands

Bibliography

Annex I: Interview plan respondent 1

Annex II: Interview plan respondent 2 and 3


Foreword

‘’In a dark place we find ourselves, and a little more knowledge lights our way.’’ —Yoda to Obi-Wan Kenobi when approaching Coruscant, Episode III: Revenge of the Sith

The topic of this thesis is one of these ‘dark places’. Namely, when I started to write about it, I soon came to realise that I had submerged myself into relatively unknown academic terrain. However, in contrast to Yoda, I hoped to find more pleasant answers. Just like the situation at Coruscant, this thesis marks the end of an era; although in a much better way. It is the end of a time of freedom, amazing adventures, and even more amazing people. From reading history in Utrecht, to political science in Toronto, to CSM in The Hague, I am sure that my time as a student will be one of the most rewarding periods of my life. I am grateful for having had this opportunity. Moreover, I sincerely want to thank all of you that have contributed to making this journey so incredible! Now I am curious for all the new things ahead.

Although a thesis is supposed to be an individual project, in practice it is not. First, I want to thank Ludo Block for inspiring me through your guest lecture, providing the necessary criticism along the way, and being the key to doors that would otherwise have remained closed. I highly appreciate it! Also, I especially want to thank my interviewees for the illuminating conversations we had. You have given me the opportunity to do this study, and a glance into a subject that is very close to me. Thank you so much!

I also want to thank my parents, Rein and Hetty, for providing the necessary (financial) support during my entire studies. Without this, I would not have been able to enjoy this period as much as I have done now. I also want to thank Lingjia, thank you for always motivating me through our endless phone calls. 我爱你! Finally, I hope you will enjoy reading this thesis.

Reinhard van de Steeg

Utrecht, 13 January 2019


Chapter 1

Introduction

1.1 Presenting the research puzzle

Since the onset of the twenty-first century, the private security industry has witnessed a resurgence. Ever since, academic researchers have been increasingly studying this phenomenon. However, most scholarly attention has been given to private guards and private military companies. Another branch, namely private intelligence, has received far less attention, even though it has become a grown-up industry. Whereas it used to be just a handful of private detective agencies, nowadays it delivers high-end intelligence services to both public and private clients (Armstrong, 2008). While this is not unprecedented in history, the scope and depth of the current situation surpass all earlier forms of private intelligence (Bean, 2016, p. 84). As such, private intelligence is more prominent in society than ever before.

Within the larger realm of private intelligence provision, this thesis zooms in on a specific form. Namely, it focusses on corporate intelligence. This concept was first explored by Fair (1966). In his analysis he argued that ‘’[…] within five years the gathering of intelligence as current practiced by governments in both military and diplomatic affairs will become a formal, recognized activity in corporate management’’ (Fair, 1966, p. B-489). As such, businesses would start to use intelligence in the same way as states do. In line with this prediction, most academic publications focus on the use of corporate intelligence practices within large multinational corporations (see for example Crump, 2015; Eels & Nehemkis, 1984; Fair, 1966). Moreover, often the concept is framed in a purely economic way (Weiss, 2017, p. 373-374). As such, this thesis will introduce the concept of corporate security intelligence providers (CSIPs). The label ‘corporate security intelligence’ highlights the fact that their goals surpass a merely economic approach, and instead take a ‘situational awareness approach’ that focusses on risks and opportunities. Moreover, it will look at independent companies that provide such services to private third-parties. In sum, the concept introduces a new object of study in the field of private intelligence; a specialised private intelligence organisation that resembles the function of government intelligence agencies.


CSIPs work in the legitimate interest of their clients.1 Namely, they help their clients fulfil their legal obligations; for example, the duty of care towards their employees. Moreover, due to today’s increasingly complex operating environment clients need to understand the threats of their operating environment and therefore need early warnings (Crump, 2015, p. 53-88). However, despite the fact that CSIPs provide necessary services to their clients, they are also facing the criticism of acting irresponsibly towards society. For example, a notable critique is that CSIPs lack identifiable accountability mechanisms (cf. Block, 2013, p. 113). As such, they could be perceived as operating in an extra-legal space. Additionally, there is an argument that CSIPs also breach ethical norms and act irresponsibly towards society. For example, scholar and activist Eveline Lubbers concurs with the observation that there is a lack of oversight. Moreover, she also argues that corporate intelligence can present ‘’a danger to democracy’’ (Lubbers, 2012, p. 199). From this perspective she states that ‘’given the covert nature of the work, how can any system of regulatory control ensure that laws and ethical standards are respected and observed?’’ (Lubbers, 2012, p. 202-203). In other words, a critical perspective towards CSIPs emphasises the lack of control and the negative consequences for society. Hence, from this perspective CSIPs are perceived as acting irresponsibly towards society, and thus possessing a low degree of corporate social responsibility.2

However, in contrast to this critical perspective stands research suggesting that CSIPs do have a framework in place to ensure responsible behaviour towards society. In what is the only quantitative empirical study into corporate intelligence, Cohen and Czepiec found that ‘’[corporate intelligence] practitioners will utilize most techniques which they believe their companies condone. However, in some instances the practitioners are even more eager to engage in specific activities than they believe the companies they work for to be’’ (Emphasis added, 1988, p. 202). In other words, this research indicates that, despite the critiques mentioned above, CSIP organisations do have systems in place to ensure responsible behaviour towards society. This observation fits with the practices of the broader private security industry. Namely, due to a lack of clear boundaries, this industry often relies on self-control (Born, Caparini, & Cole, 2007, p. 29-30; Shearing & Stenning, 1983, p. 504). In other words, research suggests that CSIPs create their own systems to show society that they act responsibly. However, current research fails to provide an understanding of the exact nature of the systems that CSIPs employ to foster CSR. As such, this thesis fills this gap.

1 From the perspective of their clients, they fulfil legitimate needs. However, this view is not shared by critics of such companies.

2 Corporate Social Responsibility (CSR) is the term used to describe how companies act responsibly towards society and the norms it sets. If corporations neglect legal and ethical norms, they are viewed as having a low degree of CSR. Hence, this often leads to a bad reputation of both the company and the industry it works in.

In sum, the puzzle surrounding this research contains three elements. First, CSIPs are an ill-understood phenomenon that serves the (perceived) legitimate interest of their clients. At the same time, they are facing the critique of lacking CSR, because of a lack of oversight and transparency. However, there is quantitative evidence that suggests that CSIPs do have an internal framework to foster this. Given these observations, this thesis will attempt to find out which systems Dutch CSIPs use to foster their levels of CSR. By using the concept of compliance and ethics infrastructures it will assess the level of CSR in a number of CSIPs in The Netherlands. As such, it looks at how CSIPs use communication, monitoring, and reporting systems to create infrastructures that foster their levels of CSR. Hence, it provides the first qualitative insights into the puzzle presented above. The remainder of this chapter will first introduce the research question and research goals. Secondly, it will provide the academic and societal relevance of this study. Finally, it will give an overview of the rest of this thesis’ content.

1.2 Research goals and research question

The research carried out in this thesis has two goals. Firstly, it aims to clarify a part of the landscape of private intelligence. Namely, by focussing on the concept of CSIPs as a distinguishable type of private intelligence, it allows for providing a clearer picture of the field. Moreover, because the (scarcely available) literature that touches upon corporate intelligence often lacks empirical substance, this thesis also provides actual new information on the topic (see for example, Crump, 2015; Eels & Nehemkis, 1984; Fair, 1966; Hoogenboom, 2006; Weiss, 2017). The second goal pertains to addressing the research puzzle. Looking at how CSIPs design systems to foster their levels of CSR fills the gap in the literature mentioned above. To reach these goals, this thesis asks the following research question:

Which strategy do corporate security intelligence providers in The Netherlands use to foster their levels of corporate social responsibility; and how do they use this?

Sub-questions:

1. How do CSIPs fit into the broader landscape of private intelligence?

2. What are corporate security intelligence providers, and how can they be conceptualised?

3. How can corporate social responsibility be conceptualised in the context of corporate security intelligence providers?

4. What is the relation of CSIPs to legality and ethics?

5. Which systems can companies apply to foster their corporate social responsibility; and how?

Sub question 1 aims to examine the context of CSIPs. By looking at how the private landscape is currently understood in the academic literature, it explains how CSIPs can add to this. Sub question 2 has two functions. First, it delves into the theoretical foundation of CSIPs, and provides a conceptualisation. Secondly, by empirically revisiting the concept, this allows for a clearer image of the concept—one grounded in data. Sub question 3 seeks to understand how CSR can be relevantly understood in the context of this thesis. Adding to this, sub question 4 aims to find how CSIPs perceive legal and ethical issues, and the relationship between those. Finally, sub question 5 aims to find how CSIPs use systems of compliance and ethics infrastructures.

1.3 Significance of the study

1.3.1 Academic relevance

Whereas the broader field of private security has gained more prominence amongst scholars, the sub-field of private intelligence hardly receives any attention (Bean, 2016, p. 79). This statement is supported by the research of Loch Johnson and Van Puyvelde and Curtis, all leading scholars in the field of intelligence studies. In their overview of the topics examined by the field, private intelligence is conspicuous by its absence (Johnson, 2014; Van Puyvelde & Curtis, 2016). Moreover, this goes hand in hand with the scarcely available literature on private intelligence being superficial and lacking empirical depth. This goes even more for the topic of corporate intelligence. As already stipulated above, the handful of studies that exist lack empirical strength. Moreover, the topic of study in this thesis has not been empirically studied before. As such, it hopes to become a springboard for further research.

Moreover, the specific angle that this thesis takes is seen as a key issue in the field of intelligence studies. Namely, in 2013, Johnson and Shelton found that ‘’the relationship between intelligence and ethics; and the relationship between intelligence and the state’’ were amongst the key debates in the field (Johnson and Shelton, 2013, p. 110). Because this thesis touches upon both, it contributes to leading avenues of research. In sum, the research of this thesis falls both within an unexplored terrain and contributes to key debates in the field of intelligence studies. Hence, this thesis adds to the current academic body of knowledge.

1.3.2 Societal relevance

Besides having relevance for academic scholarship, this thesis also possesses relevance for society. Namely, since the beginning of 2018, Dutch society has become entangled in deliberations about intelligence. This involved an intensive debate about new legislation that involved the expansion of the capabilities of the Dutch intelligence agencies (NOS, 2018). Due to critical voices in society, the new law soon came to be called sleepnetwet or afluisterwet (Nazarski, 2017; RTL Nieuws, 2015).3 In short, Dutch society showed its concerns about the behaviour of the intelligence services. In the light of this intensified debate about intelligence, it is important that academic studies touch upon the private side of intelligence in The Netherlands as well. As such, it can function as the backbone of a (future) informed debate.

1.4 Readers’ guide

This thesis continues in the following way. Chapter two outlines the theoretical and conceptual framework. First, it provides the context of this research. It gives an overview of CSIPs in both their historical context and the current landscape of private intelligence. The first aims to show that the current position of CSIPs is unprecedented in scope. The second part shows that this has created a blurry academic understanding of the different types of private intelligence; subsequently, it seeks to clarify this. Secondly, it examines the concept of CSIPs. As such, it starts with placing this study into the academic tradition of looking at intelligence as an organisation. Moreover, it shows how such an organisation can be defined. From this perspective it returns to the concept of CSIPs, examines it, and provides a definition. Thirdly, it addresses the concept of CSR. As such, it argues that, in the context of this thesis, this pertains to legal and ethical considerations. Coming from this, it proposes the concept of compliance and ethics infrastructure to examine how CSIPs deal with CSR. Here, it distinguishes between communication, monitoring, and reporting systems, and the organisational climate that CSIPs can use to foster their levels of CSR. These function as the operationalisation of the research concept.

3 Sleepnetwet can be literally translated as ‘dragnet law’, and afluisterwet as ‘eavesdropping law’ (translation by

The third chapter argues for the methodology of this thesis. First, it clarifies the research design; showing that this thesis is best served by a qualitative, multiple case-study design. Secondly, it provides the case selection. Thirdly, it discusses the methods of data-gathering—that is, elite interviewing and corporate websites—and data-analysis, that is, axial coding. Finally, it discusses the limitations of this study in terms of reliability and validity.

The fourth chapter provides an analysis of the gathered data. As such, it starts with empirically revisiting the concepts of CSIPs; emphasising how situational awareness plays a role in CSIPs. Moreover, it will analyse their relationship with legality and ethics. It then continues with a brief positivist overview of the coding. Finally, it provides an in-depth analysis of the compliance and ethics infrastructures in Dutch CSIPs.

The fifth chapter revisits the different subquestions that have guided the research, and subsequently answers them. As such, this culminates in answering the main research question. Secondly, it will briefly discuss what the implications hereof are for the CSR question that surrounds this thesis. Finally, it will discuss the limitations of this study and possible avenues for future research.


Chapter 2

Theoretical Framework

The previous chapter has outlined the research puzzle and introduced the research question and goals of this thesis. The purpose of this chapter is twofold. Namely, the first section provides both the historical and current context of corporate security intelligence providers. The following sections set out the theoretical framework of this research. Respectively, they look at the conceptualisation of corporate security intelligence providers; what corporate social responsibility is, and how it can be understood in the context of this thesis; and compliance and ethics infrastructures, which function as the conceptual operationalisation of this research.

2.1 Context and terminology

2.1.1 Private intelligence: a historical contextualisation 4

Private intelligence is often seen as a contentious concept, mainly because it does not match with the traditional view of intelligence. Namely, often intelligence is seen as a practice and tool used by a state to keep or enhance its power. Consequently, if one turns to definitions of the term ‘intelligence’, it often refers to the state. For example, scholar-practitioner David Omand argues that ‘’Intelligence is a means for public policy to ensure security’’ (Dover, Goodman, & Hillebrand, 2014, p. xvi). Moreover, Michael Warner suggests that intelligence is ‘’that which states do in secret to support their efforts to mitigate, influence, or merely understand other nations (or various enemies) that could harm them’’ (Cited in Dover et al., 2014, p. xvi). As such, this view results in perceiving intelligence as a purely state-centric phenomenon. As soon as the practice is transferred to other levels, it is often regarded as unethical, or at least as ‘problematic’. This situation can be found when intelligence is transferred either above or below the state level. The first case appears when transnational organisations—for instance the United Nations—attempt to employ intelligence. In such a case, intelligence is indeed seen as a source of national power, and hence a ‘dirty’ practice (Steeg, van de, 2016, p. 7).

4 For analytical purposes, this section will solely use the term private intelligence. The next sections will delve


However, as mentioned in the previous chapter, Keefe argues that a new intelligence industry is emerging (2010). This argument is grounded in the observation that private intelligence endeavours have peaked in the first ten years of the twenty-first century (Keefe, 2010, p. 4). It is most certainly true that in contrast to the Cold War period, in which intelligence had become a state-centric practice, the current scope of private intelligence has enlarged (Armstrong, 2008). However, taking a historical approach to the topic, one can find discontinuity regarding the perceived state-centrism that generally surrounds intelligence. The analysis below will show that intelligence has been a private and commercial venture since Early Modern history.

Early Modern Europe already witnessed the use of private intelligence in several forms. First, one can find private entities employing intelligence for their own commercial gains. For example, in his Cyclopædia of Commercial and Business Anecdotes, written in 1865, Richard Millar Devens mentions that at the end of the seventeenth century ‘’[the] name of Sir Henry Furnese figure[d] largely […] he maintained a complete and perfect train of business intelligence. The news of the many battles fought was thus received first by him, and the fall of Namur added to his profits, owing to his early receipt of the news’’ (Devens, 1865, p. 210). Additionally, larger companies also used intelligence to secure their business. The Dutch East Indian Trading Company (VOC) had forces that mirrored national armies. As such, they possessed strong intelligence capabilities (Crump, 2015, p. 9). Moreover, in order to sustain their trading in China—around 1622-1624—the VOC attempted to hire local private spies (Noordam, 2015). All these examples indicate that spying was already a commercial good for hire in the Early Modern Period.

Intelligence continued to be a private endeavour in later times at different places. During the American Revolution, General George Washington spent more than ten percent of his budget on hiring private spies. This situation persisted during the Mexican-American War (1846-1848). American Commanders contracted the so-called ‘Mexican Spy Company’. These locally hired spies provided intelligence and linguistic support to the American troops (Voelz, 2013, p. 5-6). Moreover, one of the most well-known private intelligence companies—The Pinkerton Detective Agency—was founded in 1855. The Agency first made a name for itself during the American Civil War (1861-1865). Union General McClellan often used intelligence services provided by Pinkerton (Crump, 2015, p. 10; Voelz, 2013, p. 6). At the same time, another private intelligence company was operated by Lafayette Baker. He conducted counter-intelligence operations and interceptions of mail (Voelz, 2013, p. 6). In short, during the Modern Era, private intelligence became increasingly a service provided by specialised companies.

The practice of private intelligence was carried on into the industrial age. For example, in The Netherlands in 1905, the Mining Police served the interest of the mining industry. Their investigative department was in charge of vetting new personnel. In total, they collected information on about 25.000 miners. Moreover, the department established contact with more corporations such as Philips, KLM-Fokker and the Batavian Petroleum Company (Hoogenboom, 2006, p. 378). At the same time, Pinkerton started mainly to work for mining companies as well. They were tasked with gathering intelligence on impending strikes (Crump, 2015, p. 10). However, the beginning of the new century also marked a new development in the world of intelligence; the institutionalisation of intelligence. In 1909, both the UK and the US—the so-called godfathers of western intelligence—founded their own intelligence organisations. Moreover, the American ‘Bureau of Investigation’ and the British ‘Secret Service Bureau’ played key roles in both world wars (Jeffrey-Jones, 2015, p. 11-12 and 20-94). Eventually, the end of the Second World War and the onset of the Cold War reinforced the process of institutionalisation of intelligence. Now, smaller countries also started to found their own intelligence services; for example, The Netherlands created the Binnenlandse Veiligheidsdienst (for an overview see Braat, 2012). It is therefore not surprising that during the Cold War public intelligence greatly overshadowed private intelligence endeavours.

However, as the new millennium approached, a paradigmatic change took place. Namely, the end of the Cold War meant an alteration of the function of intelligence; ‘’[…] threats from nuclear-armed political adversaries were lessened, while potential benefits for the commercial sector and economic superiority were being promoted. Consequently, governments reduced the size of their intelligence departments. If intelligence became necessary, this became more and more outsourced to private actors’’ (Keefe, 2010, p. 5). Secondly, companies started to operate worldwide, which made them more vulnerable to threats; especially when they operated in regions where they experienced threats of piracy and terrorism. Moreover, they increasingly sought help from intelligence to protect their reputation, profits, protection from corporate espionage, and the potential to enter new markets. As such, companies started to have ‘’an ongoing business demand for targeted intelligence product that is integrated into strategic and operational decision making’’ (Palmer, 2013, p. 5). Due to this development, a new, high-end intelligence industry emerged; resulting in the private intelligence sector becoming more complex than ever before (Armstrong, 2008). Therefore, in order to create order in the chaos, this section continues with discussing how the current literature on the private intelligence industry can be understood.

2.1.2 Private intelligence: the fluidity of a concept

Research on private intelligence has not been plentiful (Bean, 2016, p. 79; Gill, 2014, p. 13; Hoogenboom, 2006, p. 373). Consequently, the field is blurry in its conceptualisations, which leads to a rather vague terminology. For example, Hoogenboom (2006, p. 373) uses ‘grey intelligence’ as an umbrella term for all forms of intelligence that go beyond formal public intelligence, and does not distinguish different types. However, reviewing the available literature on the topic leads to the conclusion that two strands of literature exist; distinguished by their mode of governance. The first body of literature, which is also the largest one, focusses on private defence contractors that provide intelligence services to governments. Essentially, this can be regarded as the outsourcing of intelligence services and products from governments to the private sector through contracting (Puyvelde, van, 2017, p. 298). Hence, this type of private intelligence can be seen as being governed through the principle of ‘anchored pluralism’. This governance model pertains to sharing tasks between the public and private sector. However, the public sector remains in charge (White, 2012, p. 91-95). As such, these defence contractors solely provide intelligence services to governments; as states are often the only legal market that exists in this realm (Gill, 2014, p. 6). In sum, this stream of literature focusses on private intelligence as a form of public-private enterprise governed by the model of anchored pluralism. Hence, one could call this the ‘public-private defence intelligence sector’.

The second strand of literature looks at private intelligence as pertaining to the more ‘’open market’’; one that is not limited to the national defence industry. This market of private intelligence can be seen as the commodification of security. As such, it is no longer a public good, but one that must be bought (Krahmann, 2008). Consequently, they mainly provide services to private actors—however, they can still cater to public actors (but not limited to the defence industry in this case). Hence, this can be regarded as the ‘fully privatised’ form of intelligence. However, the literature that involves this intelligence market neglects to clarify its complexity. Namely, it often confuses the different types of intelligence that exist in this area. Broadly speaking, three terms are often conflated: competitive, business, and corporate intelligence. For example, Weiss argues that for corporate intelligence, a number of other terms can be used; competitive intelligence being the most common one (2017, p. 373). Moreover, in their classic work Corporate Intelligence and Espionage. A Blueprint for Executive Decision Making, Eels and Nehemkis confuse corporate and competitive intelligence as well. They state that corporate intelligence is about acquiring ‘’the trade secrets of a competitor’’ (emphasis in original text, 1984, p. xi). As such, they use the term corporate intelligence, while they actually mean the economic-oriented competitive intelligence. Finally, Gill writes that ‘’intelligence in the corporate sector [can be regarded as] ‘competitive’ or ‘business intelligence’ ’’ (Gill, 2013, p. 94). In conclusion, these examples show that the literature does use existing terms interchangeably, and as such creates conceptual ambiguity.

In order to create more conceptual refinement, this section will continue with creating clarity regarding the terminology. The first type, competitive intelligence is economically oriented. It legally ‘’tracks the activity of direct and indirect competitors’’ (Rouach & Santi, 2001, p. 552). Moreover, if such actions are pursued in an illegal fashion, it has the possibility to transgress into industrial espionage (Crane, 2005, p. 234). As such, it has a purely economically-oriented function. The second type mentioned in the literature is business intelligence. Business intelligence is aimed at saving time and more efficient data management (see for example, Watson & Wixom, 2007). Hence, it can be regarded as being more of an information management tool than an intelligence-related term. As such, research aimed at private intelligence should refrain from using this term. Thirdly, corporate intelligence is the most problematic of the three. As written above, it is often used as an umbrella term for all sorts of intelligence used in a corporate setting. As such, when everything is corporate intelligence, nothing is corporate intelligence (cf. Agrell, 2002). Hence, it is an unclear term. For purposes of clarification, this thesis will thus refrain from using this term, but use the term corporate security intelligence instead. The next section will delve deeper into this term, and provide more context and a definition.


The last remark of this section has to do with observing the difference between the terms ‘investigation’ and ‘intelligence’.5 This has to do with the fact that ‘’[investigations] and intelligence collection may resemble each other, but they are really completely different’’ (Berkowitz, 2003, section 5). The term investigation differs from intelligence in two ways. Namely, the first often pertains to corporate investigations. Such an investigation is often conducted with regard to a breach of norm violations, mostly in the context of an employee-employer relationship (Meerts, 2018, p. 22). As such, this type of investigation can be regarded as a form of informal law enforcement (Meerts, 2018, p. 17 and 22). The second point is closely related to this. As Berkowitz states: ‘’The clock runs differently for detectives and intelligence analysts, too. Intelligence analysts—one hopes—go to work before a crisis; detectives usually go to work after a crime’’ (2003, section 7). As such, private investigations could be better defined as a ‘corporate FBI’. Thus, while investigations happen after a misconduct, intelligence is more preventive in character. Despite these conceptual differences, in practice both fields use similar methods and techniques to obtain their information. In reality, this can create confusion regarding both terms. As such, firms that operate in these fields often either conflate both terms, offer both services, or a combination of these.

In conclusion, this section has shown that private intelligence has known different degrees of importance throughout the course of history, and is currently witnessing its highest peak so far. Consequently, the private intelligence sector has become more complex than ever before; resulting in unclear terminology in both the sector itself and the academic literature. As such, it has shown that the field uses unclear terminology.

2.2 Corporate security intelligence providers: making sense of the concept

The previous section has set out the context of this thesis. This section provides a conceptualisation of the main object of study, the CSIPs. First, it shows that they can be studied by looking at the organisational approach to intelligence. Secondly, it elaborates on the drivers and functions of CSIPs; culminating in a definition of the concept. Finally, it will explore the ‘problem of control’ regarding CSIPs.

5 In reality, one should carefully approach the terminology regarding intelligence and investigations. For example, sometimes when companies offer ‘investigation services’ they are actually providing corporate security intelligence. Secondly, often companies do not stick to delivering one type of service; they can provide both investigation services and corporate security intelligence. Finally, while this thesis works with a clear-cut term, in reality companies can use all of them interchangeably and alongside each other.

2.2.1 Approaching intelligence: the organisational perspective6

Despite the definitional problem that surrounds intelligence in general, the field identifies three ways to look at intelligence. This way of looking at intelligence was first introduced by the founder of intelligence studies, Sherman Kent. He wrote that ‘’the three separate and distinct things that intelligence devotees usually mean when they use the word’; these are: knowledge, the type of organisation that produces that knowledge and the activities pursued by that organisation’’ (Kent cited in Scott & Jackson, 2004, p. 141). As such, the first approach to intelligence sees it as an information product. As such, this perspective on intelligence often conceptualises it as a product containing secret information. In contrast, intelligence in the private realm often relies more on open-source information (Johnson, 2007, p. 1-2). Secondly, intelligence can also be perceived as a process. In this way, intelligence becomes ‘’a series of interactive steps, formally referred to as an ‘intelligence cycle’’’ (Johnson, 2007, p. 3). This view looks at how intelligence is transformed from planning and direction to dissemination (see Johnson, 2010, p. 9). As such, it is the operational process that is central in this approach. Finally, intelligence can also be seen as ‘’an organization collecting information’’ (Laqueur in Warner, 2002, p. 18). From this perspective, the organisation that does the intelligence collection is the central object of analysis. Since the ultimate starting point of this thesis is Fair’s observation of the ‘’corporate CIA’’—in other words, a specific type of intelligence organisation—this research views intelligence through the organisational perspective.

Different approaches to intelligence are also explored by Hastedt (1991). He identifies four levels of analysis to study intelligence comparatively; the organisational approach is one of these. Notably, he mentions that such an endeavour should contain both the formal and informal side of an intelligence organisation (Hastedt, 1991, p. 63). Additionally, his comparative approach proposes to look at each level through two factors—thus, intelligence organisations can also be conceptualised and defined by looking at these two factors. The first element that defines intelligence organisations is their function. In other words, this can be understood as the intended goals of the organisation or its purpose. Moreover, he mentions the operation of an intelligence organisation as the second factor (Hastedt, 1991, p. 67). However, taking the last element into account would result in diverging from the purely organisational approach, and delve more into intelligence as a process. Hence, this thesis will only consider the function of an intelligence organisation in order to conceptualise CSIPs.

6 This thesis uses insights from the field of intelligence studies to conceptualise and define CSIPs. While this body of literature solely focusses on intelligence in the public sector, it can still be applied in the context of this research. This is because the starting point of this thesis is Fair’s terminology of the ‘corporate CIA’, and thus assumes a certain degree of conceptual overlap between the two.

2.2.2 Defining CSIPs: drivers and function

Before delving into the function of CSIPs, it is important to touch upon two other issues. First, the available literature on corporate security intelligence often focuses on in-house departments. However, the concept of CSIPs relates to specialised firms that provide corporate security intelligence to private third parties. Namely, having an in-house corporate security intelligence department is often not cost-effective. As such, there is room for independent companies to provide these services to other business entities. Secondly, it is important to consider what drives the need for CSIPs. The following quote by Briggs and Edwards provides a well-rounded summary:

Doing business is getting more and more complex. Globalisation has changed the structure and pace of corporate life; the saturation of traditional markets is taking companies to more risky places; the shift towards a knowledge economy is eroding the importance of ‘place’ in the business world; new business practices such as offshoring challenge companies to manage at a distance; and new forms of accountability, such as corporate governance and corporate social responsibility, put added pressure on companies to match their words with deeds, wherever they are operating (Emphasis added, 2006. p. 12; cf. Crump, 2015, p. 15-16)

This quote points to three sets of drivers. First of all, there are internal legal drivers that create the need for CSIPs. For example, clients need to ensure their duty of care towards their employees. Namely, when employees operate abroad, this requires ‘’intelligence and risk-management activities beyond the usual requisites that exist in the employee’s country of residence’’ (Crump, 2015, p. 55). Secondly, there are external legal drivers. For example, the US Foreign Corrupt Practices Act and the UK Anti-Bribery Act state that businesses have to ensure that their partners are not involved in corrupt practices and whether they follow existing regulatory schemes. As such, CSIPs can assist their clients with fulfilling their due diligence requirements under laws like these (Crump, 2015, p. 65-73). Thirdly, there are operational drivers that create the need for CSIPs (Palmer, 2013, p. 5). Namely, they help their clients to understand the risks their operating environment poses, and provide early warnings on potential issues (Crump, 2015, p. 77-85). In sum, CSIPs help their business clients to deal with the increased complexity—in the form of legal and operational issues—of today’s globalised world.

Currently, the book Corporate Security Intelligence and Strategic Decision Making by Justin Crump is the only available comprehensive account on the phenomenon of this thesis.7 The term he uses can be perceived as resembling ‘national security intelligence’. In other words, it is the corporate variant of public intelligence organisations—a ‘corporate CIA’. This term is defined by Loch Johnson in The Oxford Handbook of National Security Intelligence. He writes: ‘’This definition points to intelligence as a matter of “situational awareness,” that is, understanding events and conditions throughout the world faced by policymakers, diplomats, and military commanders’’ (Johnson, 2010, p. 6). As such, this perspective can be used to clarify the focus of corporate security intelligence. Namely, it is concentrated on the complex operating environment of corporations. More specifically, it is intelligence that enhances the situational awareness of corporations. Secondly, adding the term ‘security’ also shows that this intelligence is part of the broader system of corporate security (Crump, 2015, p. 8). As such, it can also refer to the self-protection of a company by using accurate and timely intelligence about a company’s operating environment (Ludbey, Brooks, & Coole, 2018, p. 109).

In his analysis Crump points out two core elements that can be used to further define CSIPs. First, the focus on ‘situational awareness’ can be understood in terms of risks and opportunities (Braes & Brooks, 2010, p. 16; Crump, 2015, p. 18-21). As such, their function is to identify, mitigate, analyse, and engage with the risks and opportunities their clients face in today’s complex global environment (Braes & Brooks, 2010, p. 16; Crump, 2015, p. 18-21; Ludbey, 2015, p. 25). As such, CSIPs help their clients to make informed decisions, and succeed in business (Crump, 2015, p. 20). Secondly, because of the current complex world, organisational resilience is becoming more and more important (Braes & Brooks, 2010, p. 16; Crump, 2015, p. 15-18). Resilience can be understood as ‘’the potential to exhibit resourcefulness by using available internal and external resources in response to different contextual and developmental challenges’’ (Braes & Brooks, 2010, p. 16). In other words, CSIPs provide intelligence regarding risks and opportunities to help strengthen their clients’ organisation in order to successfully operate in the aforementioned complex environment. They create ‘’insight, adaptability, and robustness that enables an organisation to bounce back and create new ways to thrive when faced with uncertainty’’ (Braes & Brooks, 2010, p. 17). Consequently, corporate security intelligence makes the organisation more resilient, and hence prevents losses when operating in uncertain areas (cf. Hoogenboom, 2006, p. 380).

7 Justin Crump writes from a practitioner’s perspective. As such, his account is not an academic work. However, it can still be useful as a guide for academically exploring the concept central to this study. Moreover, the same holds for the work of Braes and Brooks. The problem regarding the subject of this thesis is that it lacks any scholarly attention. As such, practitioner-studies can function as a stepping stone for more academic studies of the topic.

As such, given the above analysis, this thesis uses the following definition of corporate security intelligence:

Corporate security intelligence is a service that identifies, mitigates, and engages with risks and opportunities in a client’s complex operating environment through intelligence provision.

Additionally, this thesis focusses on private firms that deliver such services to private third parties; this leaves out in-house divisions of large multinationals. Moreover, the cases of this research are independent firms. As such, this excludes the ‘corporate intelligence’ divisions of large (forensic) accountancy firms from the analysis as well.8 A third feature of these firms—coming from the logic of Fair’s ‘corporate CIA’—is that they operate internationally; that is, assignments are mostly carried out outside the country where the company is based. In sum, this thesis looks at the practice of corporate security intelligence from the perspective of a certain type of provider. For purposes of clarity, these types of providers are designated as ‘corporate security intelligence providers’, abbreviated as CSIPs.9

8 In The Netherlands, companies such as PwC or Grant Thornton have such a division. However, these function largely within the accountancy framework. As such, they function within an already specific type of regulatory framework—that of forensic accountancy. Therefore, they are less relevant for the research puzzle of this thesis.

2.2.3 CSIPs: Lacking CSR?

By focussing on risks and opportunities, CSIPs mirror the activities of public intelligence agencies. However, the main difference with these lies in the degree of ‘control’. Namely, in contrast to public intelligence organisations, CSIPs have significantly less oversight. Or as Fair put it, ‘’the ‘rules of the game’ are inadequately drawn up currently and this favors the group with the most flexible conscience’’ (1966, p. B-502). As such, and similarly to other areas of the private security industry, CSIPs operate in a grey legal area (cf. Hoogenboom, 2006). Consequently, critical voices perceive them as behaving irresponsibly towards society; in other words, lacking CSR. However, as mentioned above, research by Cohen and Czepiec (1988) suggests the opposite. According to them, companies involved in providing corporate (security) intelligence do have a framework that sets out what they condone and what not (Cohen & Czepiec, 1988, p. 202). This fits with the principle of self-regulation that is often used within the private security sector as a whole (Shearing & Stenning, 1983, p. 504). In sum, empirical research indicates that CSIPs do try to foster a degree of corporate social responsibility towards society, and have built-in systems to achieve this.

In conclusion, this section has provided the conceptual foundation of CSIPs. First, it has shown that this study fits with the tradition of studying intelligence as being an organisation. As such, the function, or goal, of an intelligence organisation is the main factor that defines it. In the case of CSIPs, this pertains to helping the client’s organisation deal with risks and opportunities in the current complex and globalised world. Finally, it has pointed out that despite the (perceived) problem of control, there is evidence that suggests that CSIPs do have systems in place to foster their CSR.

9 Here, the use of the term ‘providers’—in contrast to using terms such as ‘company’ or ‘firm’—reflects that the cases assessed in this research provide, amongst others, corporate security intelligence services. As such, this division does not have to be the sole type of services they provide.

2.3 Corporate social responsibility

This section elaborates on corporate social responsibility, and has two purposes. First, it starts with explaining the term, and furthermore it shows which systems companies can apply to foster their degree of CSR.

2.3.1 What is CSR?

Corporate social responsibility (CSR) rose in the 1950s. However, in this period this involved more talk than action (Carroll, 2008, p. 26). Eventually, it gained maturity; nowadays CSR has ‘’moved from ideology to reality’’. As such, many organisations now perceive it as vital to society that they adhere to social and ethical standards (Lindgreen & Swaen, 2010, p. 1). This has resulted in CSR becoming a widespread, global phenomenon (Carroll, 2008, p. 41). In essence, CSR can thus be defined as the relationship between business and society, where the focus lies on the ‘’societal expectations of corporate behavior’’ (Lindgreen & Swaen, 2010, p. 2). More specifically, it is about companies adhering to social norms, and as such obtaining social legitimacy in order to uphold their reputation. In sum, CSR is vital for companies to uphold their reputation and legitimacy. As such, CSR relates to the puzzle of this thesis.

2.3.2 Conceptualising CSR in the context of CSIPs: legality and ethics

The concept of CSR is plagued by the situation that a plethora of definitions exist (see Dahlsrud, 2008). However, Schwartz and Carroll (2003) have proposed an approach to CSR that involves three domains rather than a specific definition. It distinguishes between the economic, legal, and ethical responsibilities of corporations. The first element pertains to the ‘’direct or indirect positive economic impact on the corporation in question’’ (Schwartz & Carroll, 2003, p. 508). As such, maximising profits and share value are central. This type is thus more related to the responsibility a company has to its shareholders, and not necessarily the broader society. Moreover, as this thesis looks at how CSIPs deal with regulatory norms, this domain goes beyond the scope of the research puzzle. As such, the economic responsibility will not be considered here. The second type of responsibility, the legal aspect, relates to a business firm’s ‘’responsiveness to legal expectations mandated and expected by society’’ (Schwartz & Carroll, 2003, p. 509). Finally, the last element concentrates on how firms react to the ethical responsibility that is expected by the general population and other relevant stakeholders (Schwartz & Carroll, 2003, p. 511). In short, in the context of this thesis, two elements are relevant for exploring the levels of CSR of CSIPs: legality and ethics.

Additionally, arguing for conceptualising CSR as pertaining to legality and ethics is supported by observations of other scholars. For example, Garriga and Melé argue that CSR does not mean the ‘’same thing to everybody. To some it conveys the idea of legal responsibility or liability; to others it means socially responsible behaviour’’ (Emphasis added, 2004, p. 52). Moreover, Lindgreen, Swaen, and Johnston concur with this argument. They state that CSR relates to both ‘’ethical values [and] compliance with legal requirement’’ (2009). Moreover, socio-legal research has shown that nowadays many firms ‘’no longer perceive their social obligations as necessarily synonymous with their legal obligations’’ (Gunningham, Kagan, & Thornton, 2004, p. 308). In contrast, they try to go beyond the legal license, and try to uphold a social license that is aimed at a more ethical approach (Gunningham et al., 2004). In conclusion, these arguments support the choice of conceptualising CSR in the context of CSIPs as pertaining to both legality and ethics.

In order to go from the abstract conceptualisation of CSR to a framework that assesses how companies shape the systems fostering their CSR, this thesis will mainly build on the work of Tenbrunsel, Smith-Crowe, and Umphress (2003) and Weber and Wasieleski (2013). The latter have labelled such systems as ethics and compliance programmes. As such, they look at specifically designed policies that have to foster an organisation’s CSR; here, pertaining to legal and ethical norms. In contrast, Tenbrunsel et al. design a broader framework; this encompasses not just policies, but takes a more holistic approach, focussing on both formal and informal elements, and the organisational climate. However, their analysis mainly focusses on ethics. Therefore, this thesis attempts to combine the work of both authors to coin the term compliance and ethics infrastructures. As such, it will use the combined legal-ethical approach of Weber and Wasieleski, together with the more comprehensive model of Tenbrunsel et al. The remainder of this chapter outlines the framework of analysis for researching how CSIPs try to foster their CSR.


2.4 Fostering CSR: compliance and ethics infrastructures

Companies have become more aware of the importance of ethics and compliance, since this enhances the corporate reputation. Consequently, they often attempt to foster their CSR by adhering to these. Moreover, research has shown that if organisations have infrastructures in place that provide assurance, this results in an increasing adherence to legal and ethical norms (Weber & Wasieleski, 2013, p. 610). As such, companies can put several systems in place to create compliance and ethics infrastructures. Based on Tenbrunsel et al., these infrastructures consist of three plus one components. They consist of communication, surveillance, and reporting systems. According to the authors these systems are working independently to influence behaviour; as such, it can happen that a code of conduct is implemented, but not monitored. Moreover, these are not the only types possible, but they have been chosen for their prevalence and visibility (Tenbrunsel et al., 2003, p. 289). Additionally, these three systems can exist in a formal and an informal way (cf. Lindgreen & Swaen, 2010, p. 3; Tenbrunsel et al., 2003, p. 286). This formal-informal division is defined in the following way. According to Tenbrunsel et al., formal systems of ethics and compliance are those that are documented and standardized (2003, p. 288). On the contrary, informal systems are not directly observable and more subtle in nature. As such, they relate to the interactions between organisational members (Tenbrunsel et al., 2003, p. 291). Finally, overlapping these systems is the organisational climate that supports them; this relates to thinking about issues of legality and ethics.

2.4.1 Communication systems

The communication systems in compliance and ethics infrastructures are used to convey expectations and standards for legal and ethical behaviour. They explicitly communicate the rules and procedures that employees have to adhere to. Additionally, they also communicate the company’s standards to the outside world. In a formal way, this relates to four elements. First, and most common, Tenbrunsel et al. mention formal documents that set out the legal and ethical standards of a company. As such, it can be seen as a way to set out behavioural guidelines. The first type of document is a code of conduct. Such a measure is vital to the discussion of legal and ethical issues within a given company (Tenbrunsel et al., 2003, p. 289). Additionally, it is the most widely used action by business to communicate their legal and ethical standards to employees (Weber & Wasieleski, 2013, p. 614). A second type of written communication comes in the form of mission statements. While codes of conduct are aimed at communication towards employees, mission statements are used to communicate the company’s legal and ethical awareness to the outside world. Additionally, written performance standards are mentioned as the third form of formal communication. Such procedures are here understood as formalised evaluations of how a company has dealt with legal and ethical issues. Finally, training measures are aimed at increasing employees’ awareness of the legal and ethical standards they have to adhere to (Tenbrunsel et al., 2003, p. 289-290).

In contrast, informal communications are ‘’those unofficial messages that convey the [legal and] ethical norms within the organization’’ (Tenbrunsel et al., 2003, p. 291). First of all, this includes informal conversations between organisational members about legal and ethical issues. Secondly, Tenbrunsel et al. focus on the role of organisational leaders. More specifically, organisational leaders are key in conveying legal and ethical norms through their own actions. According to Brown and Treviño, this is mostly done through either interpersonal relationships and personal actions (2006, p. 595). In short, company leaders are part of the informal communication systems if they lead by example by showing employees the ‘right’ way to comply with law and adhere to ethics. For example, Weber and Wasieleski point out that they also play a role in stimulating the overall systems that have to ensure adherence to the law and ethics (Weber & Wasieleski, 2013, p. 615).

2.4.2 Monitoring systems

Secondly, the infrastructure has surveillance systems. These are aimed at monitoring and detecting illegal and unethical behaviour (Tenbrunsel et al., 2003, p. 288). However, in contrast with the existing literature, this thesis will use the term ‘monitoring’ instead of ‘surveillance’. This is because surveillance implies continuing observation; in contrast, monitoring relates more to regular checks of a certain process. As with communication systems, monitoring systems have both a formal and informal variant. The latter does not go through official company procedures, but is ‘’carried out through, among other channels, personal relationships (e.g., peers)’’ (Tenbrunsel et al., 2003, p. 292). As such, it is not officially embedded in the organisational structure, but exists between co-workers. In contrast, formal monitoring systems are official procedures. That is, systems that are required by corporate policy, and are thus standardised.


2.4.3 Reporting systems

The final system of compliance and ethics infrastructures relates to reporting issues of misconduct. While Tenbrunsel et al. use the term sanctioning systems, this thesis assumes that before any type of sanction is executed, misdemeanours have to be reported first—Tenbrunsel et al. overlook this important step. Therefore, this research opts for using the term reporting systems; subsequently, this might evolve to sanctioning procedures in a later stage. As such, in order to restore and uphold their CSR, the company can use both formal and informal ways of reporting. The difference between these is that the first relates to official sanctioning procedures by the company, and the second one to unofficial sanctioning by other organisational members (2003, p. 290 and 292). However, this thesis proposes a different categorisation; one that is tailored to the specific cases of this research. Namely, it considers every type of reporting that is being used within a CSIP itself as being informal. On the other hand, formal reporting occurs when the formal authorities are becoming involved; for example, the police, a public prosecutor, or another state authority. This approach fits the scope of this research better, since it touches upon the public-private accountability discussion; hence, the internal-external dimension of reporting allows for addressing this issue. In sum, the type of sanctioning is determined by whether it comes from within or outside the organisation.

2.4.4 The role of the organisational climate

Overlapping these three systems is the organisational climate. Tenbrunsel et al. define this as the ‘’shared perceptions regarding a particular aspect of an organisation’’ (Emphasis added, 2003, p. 294). In this case, this pertains to legality and ethics. Moreover, the difference between the organisational climate and the (in)formal systems pertains to the fact that those can still be observed—while the climate solely consists of employees’ thinking about legal and ethical issues (Tenbrunsel et al., 2003, p. 296). As such, this thesis looks at which frame of mind CSIP employees have regarding legality and ethics.

In conclusion, this section has proposed a conceptualisation of CSR; one that emphasises legality and ethics. In order to look at how organisations can foster this, it has proposed the concept of ethics and compliance infrastructures. This model consists of three plus one layers: communication, monitoring, sanctioning, and the organisational climate that supports these. As such, this framework will be used to analyse the levels of CSR in Dutch CSIPs.


Table 1. Compliance and ethics infrastructures indicators

| Compliance and ethics infrastructures | Indicators (as used by Tenbrunsel et al.) | Indicators (as used in this research) |
|---|---|---|
| Communication systems | Code of ethics | Codes of conduct |
| | Mission statement | Website statements about legality and ethics |
| | Written performance standards about ethical policies | Evaluation of legal and/or ethical policies |
| | Training programmes about ethics | Training programmes to create more legal and/or ethical awareness |
| | Conversations about ethics | Conversations about legality and ethics |
| | Role of organisational leadership | Role of managers in creating legal and/or ethical awareness |
| Monitoring systems | Formal monitoring | Formal monitoring procedure |
| | Informal monitoring | Peer-monitoring (i.e., co-workers checking each other) |
| Reporting systems | Formal sanctioning | Reporting that involves the formal authorities, e.g. the police or public prosecutor. |
| | Informal sanctioning | Reporting that is kept within the company (no involvement of formal authorities). |
| Organisational climate | Shared perceptions about ethics. | Frame of mind regarding legality and ethics. |


Chapter 3

Methodology

The previous two chapters have introduced the research puzzle, the research question, and the theoretical framework of this thesis. This chapter aims to provide the rationale of this research. It first outlines the research design of this thesis and argues for the specific case selection. Secondly, it shows which methods are used for data-gathering and how this data is analysed. Finally, it discusses the limitations of this study.

3.1 Research Design

A research design can be considered to be the main blueprint that sets out how to conduct research. Essentially, it is ‘’a framework for the generation of evidence that is chosen to answer the research question(s) in which the investigator is interested’’ (Bryman, 2016, p. 39). The design of this thesis rests on two pillars. First, since the topic of CSIPs is exploratory in character—caused by a lack of available (empirical) studies—this thesis takes a multiple case study approach. Such an approach has the advantage of being able to analyse the complexity of the topic of this research (Bryman, 2016, p. 60; cf. Meerts, 2018, p. 37). In the context of this thesis, these are the different CSIPs being researched. Secondly, this case study research takes a qualitative approach (cf. Bryman, 2016, p. 61). As such, it examines ‘’many variables of a few cases’’ (Neuman, 2014, p. 179). Consequently, it allows for the gathering of rich and detailed data on the topic. This results in the possibility of further elaborating on the concept of CSIPs, and to provide a rich analysis of the research puzzle. The next section will introduce the case selection and explain the rationale behind the sampling strategy.

3.2 Case selection

Selecting cases in qualitative case-study designs follows two paths. The first one pertains to whether or not the sampling is randomised. As such, one can distinguish between probability sampling and non-probability sampling. In the first type, every unit in the population has an equal chance of ending up in the sample. Secondly, in non-probability sampling this principle is not being followed. In other words, the cases are picked from a more subjective point of view (Etikan, Musa, & Alkassim, 2015, p. 1). Bearing this in mind, the type of sampling used in this research is convenience sampling. This is ‘’a type of nonprobability or nonrandom [sic] sampling where members of the target population that meet certain practical criteria, such as easy accessibility, geographical proximity, availability at a given time, or the willingness to participate are included for the purpose of the study’’ (Etikan et al., 2015, p. 2). In short, the key rationale behind the sampling in this thesis is convenience sampling; mostly for the reason of accessibility.

This thesis uses this sampling strategy for a number of reasons. First, the case selection of this thesis is compartmented by the fact that it only looks at companies in The Netherlands. Namely, the context of this research, it being a Master’s thesis, means that it is limited in both time and resources. Therefore, the sample is drawn from one country only. Moreover, the sample consists only of firms that openly present themselves as being specialised corporate security intelligence providers in The Netherlands.[10] As such, it does not look at companies that operate ‘under the radar’, and hence operate outside the public’s view. This approach is taken for two reasons. The first is a practical one. Namely, companies that work in the shadows are difficult to gain access to; one needs an elaborate network to carry out such research. Secondly, a more epistemological argument plays a role. When researching the topic of CSR, it is logical that the sample units need to be visible to society. Namely, companies that work in the shadows will probably not adhere to CSR-related principles; that is why they try to operate invisibly in the first place. Thus, in order to maximise the focus on CSR, publicly visible companies are chosen. Thirdly, any subject that involves matters of intelligence is often surrounded by controversy, and hence sensitivity. Therefore, gaining access is a common problem in intelligence research. Consequently, researchers in this field often have to work with those organisations they can get access to. In sum, due to several particularities of this research, it uses a convenience sampling strategy based on accessibility.

The full population of CSIPs in The Netherlands that present themselves as such is six in total. However, two of these are embedded in forensic accountancy firms. Since such organisations are regulated within the accountancy framework, and are less specialised firms as a whole, they are of lesser importance to the puzzle presented in this thesis. The other four companies are specialised CSIPs. For this thesis, all have been approached for interview requests. This has led to 3 companies responding positively. As a result, the research of this thesis is based on three cases out of a population of four. While at first glance these cases seem rather different (they greatly differ in scope and organisational structure), they still all fit the definition provided above.

[10] In order to find companies that present themselves as corporate security intelligence firms, this thesis has looked at whether these companies can be found online. The rationale that lies behind this approach is that if they are visible online, they are visible to the public at large. All companies found in this way are regarded as the full population of corporate security intelligence providers in The Netherlands.

Table 2. Overview of interviews.

Number of interviews: 3 (1 for each case)

| Respondents | Function | Type of company | Duration interview | Location interview |
|---|---|---|---|---|
| Case 1 - Respondent 1 | Owner | Small company; owner is only employee; office in The Netherlands | 33’’ 25’ | Office company 1 |
| Case 2 - Respondent 2 | Managing partner | Middle-sized company; ten employees; office in The Netherlands | Approx. 60’’ | Office company 2 |
| Case 3 - Respondent 3 | Senior partner | Global firm; offices worldwide | 41’’ 25’ | Office company 3 |

3.3 Data-gathering

The central method of data-gathering in this thesis is interviewing. In line with the qualitative nature of the research design, it uses the technique of semi-structured interviewing. This type of qualitative interviewing leads to several advantages in the context of this research. First of all, it balances structure and flexibility (Gilham, 2005b, p. 54). It is structured because it involves the use of a topic list based on the theoretical framework. This list will thus include more specific elements of the issues of communication, monitoring, and reporting systems, and the organisational climate. As such, all respondents will be asked about the same issues, which allows for comparability. Secondly, since interviewing employees of different companies will involve a different phrasing of the topic at hand (due to company differences and the position of the interviewee in the company), this technique allows the flexibility to address this issue. Thirdly, the use of interviewing allows for asking respondents about both tangible and non-tangible issues in their organisation.
