When a technical or specialized issue (like medicine, or ballistics, or security) is raised through a legal proceeding (criminal trial, civil lawsuit/tort, etc.), attorneys for either or both sides will frequently retain/hire an "expert witness" to provide detailed, in-depth information about that technical/specialized issue and/or to render an "expert opinion" with regard to the technical/specialized issue as it relates to a particular case at hand.
There is no magic “standard” by which one is considered an expert. Attorneys generally try to select an individual with extensive experience in the technical/specialized field and who has some “reputation” for his knowledge and experience – in other words, someone who is generally regarded as a “go-to guy” in his field. Then, after being selected by an attorney, appointed as the “expert” for the case, and formally rendering an “expert opinion” in the case, the expert is scrutinized by opposing counsel who usually tries to question and refute the expert’s qualifications. Opposing counsel tries to present evidence to discredit the expert’s qualifications and/or credibility (I have actually been in depositions in which my background qualifications have been questioned for more than 4 hours – and no, I have never been disqualified as an expert). And if and/or when a case finally appears before a Judge, the expert may be formally recognized by the Court as an “expert”. This means that a Court has formally accepted the credentials of the expert and formally acknowledged his status as an “expert in his field.”
The opinions rendered by an expert during a legal proceeding may be presented/used in several ways: They may be used solely as advice/consultation by an attorney to help understand the issue and prepare his case; they may be used as the basis for a written "opinion report" which becomes part of the formal legal proceedings and case record; and/or they may be used as the basis for the expert’s testimony at deposition and/or trial. When an expert formally renders an opinion (via written report or testimony), that opinion is routinely scrutinized by the opposing side in the case; and opposing counsel may very well retain his own expert to review or refute.
Now comes the tricky part, and the part where the issue of “standards” comes into play. When an expert renders his opinion, he is really being asked to opine based on what in his own knowledge and experience is the most appropriate way of handling a particular situation under a given set of circumstances; and then to be able to convince the trier of fact (Judge or jury) that his way is better than the way being promulgated by the opposing side.
Let me digress for a moment to make a statement that I make immediately at the start of the class I teach on courtroom demeanor and testimony: Contrary to popular opinion, a trial is NOT a proceeding in which truth and justice are determined (although that may happen, albeit accidentally); a trial IS a proceeding in which one side’s opinion and testimony is more convincing than the other side’s, to one particular trier of fact, at one particular moment in time. The “winner” is not always truth and righteousness, and the “loser” is not always guilty. PERIOD. THE END.
So back to the issue of “experts.” For the sake of example, let’s say that the issue at hand is the appropriateness of actions taken by a security officer during an apprehension. The attorney for the “victim” (the plaintiff, the person who is complaining about the way that the apprehension was made) will probably have an expert who will testify that the procedure was totally wrong for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). And the attorney for the security officer and his company (the defendant) will probably have an expert who will testify that the actions were entirely appropriate and proper for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). SEE THE CONUNDRUM??????? Because there are no universal “standards” – an across-the-board, common way of doing things – who is to say who is right or who is wrong?? Sure, there are occasionally examples of actions so egregious that they are clearly wrong. But by and large, because there are no standards, it will boil down to whose expert and testimony was most credible and compelling. And this is why almost any attorney can almost always find an “expert” who will find some way to defend almost any action or position.
So…almost anyone in a given field can hold themselves out as an “expert” in that field. But being regarded as an expert in a court of law is a painstaking process that subjects the expert to widespread scrutiny of his qualifications, credentials and prior opinions. Most successful experts do little actual marketing, because their services are usually sought via word of mouth by attorneys or via reputation gained in similar and/or important cases.
I hope this sheds a little light…..
Monday, January 24, 2011
Tuesday, October 26, 2010
The Conundrum of Security
Here is a question for the ages: Why is it that – by and large – security has not been as widely accepted and embraced into corporate culture as virtually every other business operation discipline?
If this question could be answered, businesses would be much more secure, their assets would be better protected, and profits would necessarily grow commensurately. But we as individual practitioners and as an industry have failed to convince the C-Suite of this fundamental reality. Why??
While usually not analyzed as I will try to do, there is really very little difference between the security function and other operational disciplines. Consider:
· Security is generally considered a pure cost center. But isn’t protecting and retaining assets and profit (i.e., avoiding loss and liability) just as important to the bottom line as growing assets and profit?
· If money is spent ($ cost) to protect an asset and the asset is preserved, the full value of the asset is realized ($ retained + $ profit gained).
· If no money is spent ($ savings) to protect an asset and the asset is lost ($ value loss + $ profit loss) the asset needs to be replaced ($ cost), and then security will probably be added ($ cost) to protect the asset so it is not lost again.
So doesn’t providing proactive security actually save money in the long run and allow the setting by which profit can be gained?
Security is generally considered (at best) a “necessary evil” because it serves to protect against problems that may never occur. But isn’t that also a function of many other operational components that are considered integral to business functioning:
· Doesn’t Environmental Services clean spills so that someone doesn’t slip and fall (which may never happen even if the floor remains wet)?
· Doesn’t Maintenance make sure that machines keep on running properly so that production isn’t halted (which may never happen even if the machine isn’t maintained)?
· Doesn’t marketing develop ad campaigns so that products or services sell (even though products or services may sell even if the ads weren’t run)?
· Doesn’t Human Resources develop policies for issues like workplace violence and sexual harassment (even though workplace violence and sexual harassment may never occur)?
· Doesn’t Accounting have an outside auditor come in periodically to check the books (even though no mistakes or irregularities may be found)?
So why is security, which provides a secure environment so the business of the business can be conducted properly, not considered as important as those other functions? When – or if – this question is answered, the business world will be a better and safer place.
If this question could be answered, businesses would be much more secure, their assets would be better protected, and profits would necessarily grow commensurately. But we as individual practitioners and as an industry have failed to convince the C-Suite of this fundamental reality. Why??
While usually not analyzed as I will try to do, there is really very little difference between the security function and other operational disciplines. Consider:
· Security is generally considered a pure cost center. But isn’t protecting and retaining assets and profit (i.e., avoiding loss and liability) just as important to the bottom line as growing assets and profit?
· If money is spent ($ cost) to protect an asset and the asset is preserved, the full value of the asset is realized ($ retained + $ profit gained).
· If no money is spent ($ savings) to protect an asset and the asset is lost ($ value loss + $ profit loss) the asset needs to be replaced ($ cost), and then security will probably be added ($ cost) to protect the asset so it is not lost again.
So doesn’t providing proactive security actually save money in the long run and allow the setting by which profit can be gained?
Security is generally considered (at best) a “necessary evil” because it serves to protect against problems that may never occur. But isn’t that also a function of many other operational components that are considered integral to business functioning:
· Doesn’t Environmental Services clean spills so that someone doesn’t slip and fall (which may never happen even if the floor remains wet)?
· Doesn’t Maintenance make sure that machines keep on running properly so that production isn’t halted (which may never happen even if the machine isn’t maintained)?
· Doesn’t marketing develop ad campaigns so that products or services sell (even though products or services may sell even if the ads weren’t run)?
· Doesn’t Human Resources develop policies for issues like workplace violence and sexual harassment (even though workplace violence and sexual harassment may never occur)?
· Doesn’t Accounting have an outside auditor come in periodically to check the books (even though no mistakes or irregularities may be found)?
So why is security, which provides a secure environment so the business of the business can be conducted properly, not considered as important as those other functions? When – or if – this question is answered, the business world will be a better and safer place.
Thursday, September 09, 2010
Developing an Emergency Plan
There is unfortunately no magic template that will help an organization develop an emergency plan because there are so many variables such as size and location of business, nature of business, types of employees and invitees, internal resources available, external resources available, etc. etc. etc.
That being said, here are a few thoughts that might be helpful:
· There is no such thing as AN emergency plan. Different plans must be developed to address a variety of potential emergencies (this should be obvious but is not always – for example, a weather-related emergency is totally different from an active shooter scenario).
· A team approach to plan development is good, bringing to the table not only the persons/functions responsible for crisis management but other representative stakeholders as well (both internal and external).
· Good emergency planning deals with issues related to emergency prevention/mitigation, response during the emergency, and aftermath response to include business continuity planning.
· A good emergency plan is as complex as needed yet as simple as possible.
· Having someone knowledgeable in emergency plan development is of paramount importance, to help the team focus on not only the major issues to be considered but the subtle nuances as well. This key resource person might be internal or external, might be an independent security consultant, or might be a local law enforcement or fire service representative. Public safety agencies need to be involved in planning and testing, but keep in mind that public safety agencies may not have the expertise and/or resources to serve as the key plan development resource (this is especially true in public safety agencies in smaller communities).
· Emergency plans, once formulated, need to be formalized via company policies, with appropriate sanctions for non-compliance.
· Emergency plans need to be tested on a regularly recurring basis, with both tabletop and practical drills, to include all entities that will be involved during an actual emergency. Things that look good on paper do not always translate equally to application. The purpose and ultimate value of drills is to not only look for the things that are right with the plan, but to actively seek out the things that are deficient so they can be modified/remedied.
· Emergency plans need to be reviewed on a regularly recurring basis. As organizations change (facilities, assets, resources, etc.), plans need to be modified accordingly.
Emergencies can and do occur – that is a basic fact of life. How well an organization copes with those emergencies is a function of sound planning and preparation.
That being said, here are a few thoughts that might be helpful:
· There is no such thing as AN emergency plan. Different plans must be developed to address a variety of potential emergencies (this should be obvious but is not always – for example, a weather-related emergency is totally different from an active shooter scenario).
· A team approach to plan development is good, bringing to the table not only the persons/functions responsible for crisis management but other representative stakeholders as well (both internal and external).
· Good emergency planning deals with issues related to emergency prevention/mitigation, response during the emergency, and aftermath response to include business continuity planning.
· A good emergency plan is as complex as needed yet as simple as possible.
· Having someone knowledgeable in emergency plan development is of paramount importance, to help the team focus on not only the major issues to be considered but the subtle nuances as well. This key resource person might be internal or external, might be an independent security consultant, or might be a local law enforcement or fire service representative. Public safety agencies need to be involved in planning and testing, but keep in mind that public safety agencies may not have the expertise and/or resources to serve as the key plan development resource (this is especially true in public safety agencies in smaller communities).
· Emergency plans, once formulated, need to be formalized via company policies, with appropriate sanctions for non-compliance.
· Emergency plans need to be tested on a regularly recurring basis, with both tabletop and practical drills, to include all entities that will be involved during an actual emergency. Things that look good on paper do not always translate equally to application. The purpose and ultimate value of drills is to not only look for the things that are right with the plan, but to actively seek out the things that are deficient so they can be modified/remedied.
· Emergency plans need to be reviewed on a regularly recurring basis. As organizations change (facilities, assets, resources, etc.), plans need to be modified accordingly.
Emergencies can and do occur – that is a basic fact of life. How well an organization copes with those emergencies is a function of sound planning and preparation.
Friday, July 16, 2010
The Security Return on Investment
If looked at solely from the perspective of immediate dollars-and-cents ROI, most security programs would be quickly eliminated, because they are almost always a “cost” center as opposed to a “profit” center – that is, they seldom generate enough revenue to at least pay for themselves. But this is a very narrow viewpoint that does not take into account the value of asset retention.
Since the primary foundation of a security program is to prevent or at least mitigate threats to assets, a successful program will be very difficult to “see.” It is hard to quantify that which does not occur. But the retention of assets (in other words, keeping the assets safely within the organization) is a concept that can be quantified and valued, at least in a general sense.
As a general rule, the failure to implement a sound security program until after a significant loss has occurred will be at least 3 times as expensive as implementing a security program from the outset: there will be the costs associated with the compromise/loss of the asset; there will the costs associated with the replacement of the asset that was lost; and there will be the costs associated with then implementing the protective measures that could have prevented the loss in the first place.
The investment in a sound security program can be likened to the investment in a good insurance policy: premiums continue to be paid for coverage that may never be needed; but coverage that is found to be truly indispensable and cost-effective when it is needed.
Since the primary foundation of a security program is to prevent or at least mitigate threats to assets, a successful program will be very difficult to “see.” It is hard to quantify that which does not occur. But the retention of assets (in other words, keeping the assets safely within the organization) is a concept that can be quantified and valued, at least in a general sense.
As a general rule, the failure to implement a sound security program until after a significant loss has occurred will be at least 3 times as expensive as implementing a security program from the outset: there will be the costs associated with the compromise/loss of the asset; there will the costs associated with the replacement of the asset that was lost; and there will be the costs associated with then implementing the protective measures that could have prevented the loss in the first place.
The investment in a sound security program can be likened to the investment in a good insurance policy: premiums continue to be paid for coverage that may never be needed; but coverage that is found to be truly indispensable and cost-effective when it is needed.
Monday, March 15, 2010
Security's "Cycle for Failure"
Here in simplistic terms is my perspective of the basic cycle that causes many of the problems that are faced throughout the security industry – what I have termed the “cycle for failure:”
1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.
2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.
3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.
4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.
5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.
6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.
I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.
1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.
2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.
3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.
4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.
5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.
6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.
I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.
Saturday, January 16, 2010
Political Correctness and Security
Like it or not, political correctness – loosely defined as being consciously cautious of doing or saying anything to minimalize or denigrate any particular group – is here to stay. And like it or not, political correctness is an impediment to good security.
As a career security practitioner, I have had to deal with a great diversity of persons and ideas. And even if I do say so myself, I am one of the least biased persons I know – I believe I am tolerant of just about everyone and everything...until I have some reason to not be tolerant. And therein lies the problem with political correctness.
Perhaps – I hope – it’s just a matter of our not finding a more appropriate term in our American-English language. But I think that we sometimes confuse political correctness with a legitimate response to facts; and when we deal with facts, political correctness should take a back seat. Let me illustrate:
Retail establishments frequently utilize security personnel to guard against thievery. When a review of theft incidents over a lengthy period of time factually determines that 83% of apprehensions for theft were of black (or white or yellow or brown) females between the ages of 15 and 24, why should it be considered politically incorrect to focus surveillance activities on the persons of that particular demographic? In fact, wouldn’t a store security agent be remiss in his duties if he ignored such documented facts and trends?
The groups “offended” by acts of political incorrectness have become so outraged and vocal that some of us have become overly cautious in our interactions. We choose our words and our actions so carefully that we almost never say what is really on our minds or say what we really mean – even when it is the truth. In fact, it is almost impossible to say or do anything that will not “offend” someone’s sensitivities.
But even when that is the case, security practitioners should not – and cannot – let the quest for political correctness override their protective responsibilities. No, we should not target or accuse anyone needlessly; but neither should we look the other way when facts clearly demonstrate that someone or some group bears additional scrutiny. We cannot ignore the female customers in the store per the example above; we cannot ignore the black driver cruising the white neighborhood at 3:00 AM; we cannot ignore the young Middle Eastern man buying a one-way ticket with cash at the airline counter. When we have objectively gathered the facts and the facts reveal distinct patterns, we cannot ignore those patterns for the sake of being politically correct. We must continue to use the information available to us to be diligent in the performance of our duties, for to do otherwise is in itself a serious abrogation of our responsibility.
Come to think of it, I guess I’m not being politically correct just by questioning political correctness.
As a career security practitioner, I have had to deal with a great diversity of persons and ideas. And even if I do say so myself, I am one of the least biased persons I know – I believe I am tolerant of just about everyone and everything...until I have some reason to not be tolerant. And therein lies the problem with political correctness.
Perhaps – I hope – it’s just a matter of our not finding a more appropriate term in our American-English language. But I think that we sometimes confuse political correctness with a legitimate response to facts; and when we deal with facts, political correctness should take a back seat. Let me illustrate:
Retail establishments frequently utilize security personnel to guard against thievery. When a review of theft incidents over a lengthy period of time factually determines that 83% of apprehensions for theft were of black (or white or yellow or brown) females between the ages of 15 and 24, why should it be considered politically incorrect to focus surveillance activities on the persons of that particular demographic? In fact, wouldn’t a store security agent be remiss in his duties if he ignored such documented facts and trends?
The groups “offended” by acts of political incorrectness have become so outraged and vocal that some of us have become overly cautious in our interactions. We choose our words and our actions so carefully that we almost never say what is really on our minds or say what we really mean – even when it is the truth. In fact, it is almost impossible to say or do anything that will not “offend” someone’s sensitivities.
But even when that is the case, security practitioners should not – and cannot – let the quest for political correctness override their protective responsibilities. No, we should not target or accuse anyone needlessly; but neither should we look the other way when facts clearly demonstrate that someone or some group bears additional scrutiny. We cannot ignore the female customers in the store per the example above; we cannot ignore the black driver cruising the white neighborhood at 3:00 AM; we cannot ignore the young Middle Eastern man buying a one-way ticket with cash at the airline counter. When we have objectively gathered the facts and the facts reveal distinct patterns, we cannot ignore those patterns for the sake of being politically correct. We must continue to use the information available to us to be diligent in the performance of our duties, for to do otherwise is in itself a serious abrogation of our responsibility.
Come to think of it, I guess I’m not being politically correct just by questioning political correctness.
Monday, January 04, 2010
The Dichotomy of Security
We can’t have it both ways:
We want to be safe in our homes and in our everyday lives; but we don’t want to “waste” our free time by joining the neighborhood watch or by calling the police when we see something suspicious.
We want to feel safe in our workplaces, in our offices and parking areas, and we want our business visitors to feel safe and welcome; but we don’t want to have to use an access card or biometric reader to enter our workplaces or parking lots and we don’t want to be surveilled while we work and we don’t want to inconvenience our visitors by having them sign in.
We want to be safe on our streets; but we don’t want “Big Brother” watching us on surveillance cameras or to have police patrols randomly questioning us.
We want good service and low prices at the stores in which we shop; but we don’t want store security personnel watching us on surveillance cameras or following us while we shop.
We want banks to keep our money safe, and to make it available to us at a moment’s notice; but we don’t want to give our fingerprints to make a withdrawal or to have to remember and change our account passwords.
We want to move quickly and easily through airports and we want our flights to be safe; but we don’t want long security checkpoint lines or intrusive body searches or have our bags poked and prodded and inspected by security personnel.
We want to feel safe in our nation and we don’t want terrorists on our shores; but we complain about our taxes and criticize the military for their actions and want to afford terrorist detainees the same rights and protections as we citizens enjoy.
And on and on and on........
In other words – we want to be free and safe, but we want none of the prices that have to be paid to remain that way.
Unfortunately, we can’t have it both ways.
We want to be safe in our homes and in our everyday lives; but we don’t want to “waste” our free time by joining the neighborhood watch or by calling the police when we see something suspicious.
We want to feel safe in our workplaces, in our offices and parking areas, and we want our business visitors to feel safe and welcome; but we don’t want to have to use an access card or biometric reader to enter our workplaces or parking lots and we don’t want to be surveilled while we work and we don’t want to inconvenience our visitors by having them sign in.
We want to be safe on our streets; but we don’t want “Big Brother” watching us on surveillance cameras or to have police patrols randomly questioning us.
We want good service and low prices at the stores in which we shop; but we don’t want store security personnel watching us on surveillance cameras or following us while we shop.
We want banks to keep our money safe, and to make it available to us at a moment’s notice; but we don’t want to give our fingerprints to make a withdrawal or to have to remember and change our account passwords.
We want to move quickly and easily through airports and we want our flights to be safe; but we don’t want long security checkpoint lines or intrusive body searches or have our bags poked and prodded and inspected by security personnel.
We want to feel safe in our nation and we don’t want terrorists on our shores; but we complain about our taxes and criticize the military for their actions and want to afford terrorist detainees the same rights and protections as we citizens enjoy.
And on and on and on........
In other words – we want to be free and safe, but we want none of the prices that have to be paid to remain that way.
Unfortunately, we can’t have it both ways.
Saturday, January 02, 2010
Security Challenges for 2010 (and beyond)
Based on history and experience, security challenges in 2010 will not diminish – in fact, they will probably grow. Here is my forecast:
1. The economy will continue to play a big part as related to security challenges. As (or if) the economy strengthens, business will focus on regaining that which was lost (sales, market share, profitability, etc.) and will tend to ignore (or at least overlook) maintaining what it still has. This means that security and loss prevention issues will probably remain overlooked until and unless specific and serious problems arise.
2. Strong security leadership will continue to erode. Security executives will be so busy focusing on keeping their jobs and covering their posteriors (the two go hand-in-hand) that they will continue to overlook doing what is really necessary to protect the organizations they serve. Political correctness will abound, usually at the expense of truly good security.
3. Because security is still viewed in many organizations as a necessary evil rather than as a necessary business partner, security functions will remain relegated to lower-level importance and responsibility. This, coupled with #2 above (the erosion of strong security leadership) will continue the seemingly-endless cycle.
4. Because of all of the above, it will be difficult to develop the next generation of competent security leadership. When employees see the difficulties and roadblocks faced by their executives, there is little incentive to aspire to those positions.
So is the future, beginning in 2010, totally bleak? No. These are predictions, not unchangeable destiny. We as both an industry and individual practitioners/professionals must continue to clearly demonstrate and promote the value of our service. We need the few remaining strong leaders to sound the trumpets and beat the drums to show corporate executives that security is part of the fabric that keeps organizations together, healthy and prosperous. We must continue to prove that protecting assets is as important as generating new sales. In short, we must convince our bosses that security is an important, vital and integral part of every business.
The fate of security rests in our own hands. If we practitioners fail in the primary task of the self-promotion of ourselves and our industry, we have no one but ourselves to blame when my predictions become self-fulfilling prophecy.
1. The economy will continue to play a big part as related to security challenges. As (or if) the economy strengthens, business will focus on regaining that which was lost (sales, market share, profitability, etc.) and will tend to ignore (or at least overlook) maintaining what it still has. This means that security and loss prevention issues will probably remain overlooked until and unless specific and serious problems arise.
2. Strong security leadership will continue to erode. Security executives will be so busy focusing on keeping their jobs and covering their posteriors (the two go hand-in-hand) that they will continue to overlook doing what is really necessary to protect the organizations they serve. Political correctness will abound, usually at the expense of truly good security.
3. Because security is still viewed in many organizations as a necessary evil rather than as a necessary business partner, security functions will remain relegated to lower-level importance and responsibility. This, coupled with #2 above (the erosion of strong security leadership) will continue the seemingly-endless cycle.
4. Because of all of the above, it will be difficult to develop the next generation of competent security leadership. When employees see the difficulties and roadblocks faced by their executives, there is little incentive to aspire to those positions.
So is the future, beginning in 2010, totally bleak? No. These are predictions, not unchangeable destiny. We as both an industry and individual practitioners/professionals must continue to clearly demonstrate and promote the value of our service. We need the few remaining strong leaders to sound the trumpets and beat the drums to show corporate executives that security is part of the fabric that keeps organizations together, healthy and prosperous. We must continue to prove that protecting assets is as important as generating new sales. In short, we must convince our bosses that security is an important, vital and integral part of every business.
The fate of security rests in our own hands. If we practitioners fail in the primary task of the self-promotion of ourselves and our industry, we have no one but ourselves to blame when my predictions become self-fulfilling prophecy.
Friday, December 11, 2009
The Demise of the Keeper of the Problem
While the concept of synergy has been widely espoused throughout the business world and certainly does result in many positive benefits, it is seldom the answer to problems, because the synergistic approach is intended to supplement other management philosophies and practices, not totally supplant them.
The basic concept of synergy – that cooperative interaction produces a result greater than the sum of individual efforts – has manifested itself in various ways, many of which are based on the Total Quality Management platform. But there is an old adage that says “When everyone is responsible, no one is responsible.” And the strict adherents to the synergistic approach unfortunately (or conveniently) forget that adage. Those proponents/adherents like to believe that group dynamics is the only way to problem-solve. But what they forget is that someone still has to accept ultimate responsibility for problem resolution – someone has to be the “Keeper of the Problem.”
Businesses cannot operate successfully when everything is done by the committee process (which is usually the outward manifestation of the synergistic approach) – there are simply too many different disciplines involved in the running of a successful enterprise for everyone to be deeply involved in everything. Yes, looking at issues from a variety of disparate points of view brings new perspectives and uncovers additional potential strategies and solutions. But what happens after the identification of deficiencies and their resolutions is what distinguishes the traditional management philosophy from a totally synergistic approach. In the synergistic model, all stakeholders in the problem and resolution identification process believe that they all share responsibility for resolution implementation. This is usually a logistically-unworkable situation. But the traditional model recognizes the value of outside input while still placing responsibility for resolution implementation squarely where it belongs, with the person or department with direct and specific expertise, authority and responsibility for the issue at hand – the “Keeper of the Problem.”
Even in organizations which claim to totally embrace the synergistic approach, there usually are some vestiges of the traditional management model: Departments are usually delineated by common function; individuals usually have job descriptions/titles connoting their specific functions; and some hierarchical structure usually exists. So there is some recognition of role and rank delineation, based on subject-matter expertise, which in itself concedes that everyone cannot know everything about everything; and which also concedes that order and efficiency necessitates some role and hierarchical rank delineation. In other words, every organization needs to identify subject-matter expertise and assign commensurate authority and responsibility – to the “Keeper of the Problem.”
Keeping everyone aware and advised of everyone else’s issues and problems is basically a good concept – it gives a broader perspective and helps everyone understand the “big picture.” But what usually happens is that people begin to think that they know everything about everything, and that they can thus fix everything. So everyone becomes involved in everything ELSE, frequently to the exclusion of their own job.
In days of yore, when dinosaurs roamed and ruled the planet, everyone had a neat and compartmentalized job. Everyone knew exactly what his job was, and it was expected – nay demanded – that the jobs be performed to a high degree of excellence. And when everyone had a job and knew how to do it and in fact did it, everything got done well. And that included security and loss prevention. And our companies’ assets were protected, and the world was happy. Because there were “Keepers of the Problem” – people with responsibility and commensurate authority and accountability.
This is not a new concept – it is tried-and-true. We didn’t get away from this concept because it didn’t work; we got away from it because the management gurus (ala Tom Peters) found that offering new ways of doing things with the HOPE that things might get better would sell their programs. But what they forgot to put in their books and videos and training programs was that change does not always bring positive results; change can also bring negative results. Change is not necessarily better, it is just different. And……. something that has been said for far longer than any of us have been around is still oh-so-true today:
Too many cooks spoil the broth.
The basic concept of synergy – that cooperative interaction produces a result greater than the sum of individual efforts – has manifested itself in various ways, many of which are based on the Total Quality Management platform. But there is an old adage that says “When everyone is responsible, no one is responsible.” And the strict adherents to the synergistic approach unfortunately (or conveniently) forget that adage. Those proponents/adherents like to believe that group dynamics is the only way to problem-solve. But what they forget is that someone still has to accept ultimate responsibility for problem resolution – someone has to be the “Keeper of the Problem.”
Businesses cannot operate successfully when everything is done by the committee process (which is usually the outward manifestation of the synergistic approach) – there are simply too many different disciplines involved in the running of a successful enterprise for everyone to be deeply involved in everything. Yes, looking at issues from a variety of disparate points of view brings new perspectives and uncovers additional potential strategies and solutions. But what happens after the identification of deficiencies and their resolutions is what distinguishes the traditional management philosophy from a totally synergistic approach. In the synergistic model, all stakeholders in the problem and resolution identification process believe that they all share responsibility for resolution implementation. This is usually a logistically-unworkable situation. But the traditional model recognizes the value of outside input while still placing responsibility for resolution implementation squarely where it belongs, with the person or department with direct and specific expertise, authority and responsibility for the issue at hand – the “Keeper of the Problem.”
Even in organizations which claim to totally embrace the synergistic approach, there usually are some vestiges of the traditional management model: Departments are usually delineated by common function; individuals usually have job descriptions/titles connoting their specific functions; and some hierarchical structure usually exists. So there is some recognition of role and rank delineation, based on subject-matter expertise, which in itself concedes that everyone cannot know everything about everything; and which also concedes that order and efficiency necessitates some role and hierarchical rank delineation. In other words, every organization needs to identify subject-matter expertise and assign commensurate authority and responsibility – to the “Keeper of the Problem.”
Keeping everyone aware and advised of everyone else’s issues and problems is basically a good concept – it gives a broader perspective and helps everyone understand the “big picture.” But what usually happens is that people begin to think that they know everything about everything, and that they can thus fix everything. So everyone becomes involved in everything ELSE, frequently to the exclusion of their own job.
In days of yore, when dinosaurs roamed and ruled the planet, everyone had a neat and compartmentalized job. Everyone knew exactly what his job was, and it was expected – nay demanded – that the jobs be performed to a high degree of excellence. And when everyone had a job and knew how to do it and in fact did it, everything got done well. And that included security and loss prevention. And our companies’ assets were protected, and the world was happy. Because there were “Keepers of the Problem” – people with responsibility and commensurate authority and accountability.
This is not a new concept – it is tried-and-true. We didn’t get away from this concept because it didn’t work; we got away from it because the management gurus (ala Tom Peters) found that offering new ways of doing things with the HOPE that things might get better would sell their programs. But what they forgot to put in their books and videos and training programs was that change does not always bring positive results; change can also bring negative results. Change is not necessarily better, it is just different. And……. something that has been said for far longer than any of us have been around is still oh-so-true today:
Too many cooks spoil the broth.
Saturday, October 10, 2009
An Equitable System for Evaluating Personnel
In my communications with security practitioners, I frequently hear the lament about the inadequacy of standards or criteria used for evaluating personnel (and I suspect that this is an issue in many other industries as well). So in an attempt to shed some light on a subject for which I was personally responsible during my years as a Security Director, I offer the following insights:
The fact that there can be so many variables in a person’s employment situation – the type of enterprise, location of facilities, reporting structure, philosophy of immediate supervisor, etc. – makes it of utmost importance to have a performance evaluation system in place that accounts for these differences.
I have always believed that every job title needed 3 corresponding personnel-related formal documents:
Job Description - This is a document unique to a job title, applicable to anyone with that job title. It contains the formal, HR-based, legally-required information such as generalized duties and responsibilities; reporting structure; OSHA and FLSA classifications; salary grade; minimum knowledge, skills and abilities required; working conditions, etc.
Performance Expectations – This is a document unique to a job title, applicable to anyone with that job title. It contains the general guidelines outlining what is minimally expected and required of any and all individuals in a given job title – what is minimally necessary to succeed in and retain the job.
Performance Standards - This is a document related to a job title, but customized and tailored specifically to each employee with that job title. It contains the objective, measurable and quantifiable standards common to the job title, which are then apportioned and weighted in a unique way to each individual based on the individual’s unique combination of experience and situation (as a very simplified example: the performance standards for every individual with the “LP Agent” job title contains a line item for “making external apprehensions.” But Joe’s standard is weighted at 30 percent because Joe has 3 years of company experience, 2 years of prior experience, and is assigned to a store with many external problems; while Jim’s standard is weighted at only 10 percent because he is a new, inexperienced agent assigned to a store with very few external problems). The Performance Standards then forms the basis for the numerical point total or “grade” that the individual gets at his performance evaluation, and which is then directly and objectively linked to any merit salary raise (for example: 79 points equals a 2.5 percent increase).
After MANY years in management, this is still the most equitable way I know of to account for each employee’s unique situation, rate every employee on an equitable, objective basis, and take away any challengeable differences in salary administration.
The fact that there can be so many variables in a person’s employment situation – the type of enterprise, location of facilities, reporting structure, philosophy of immediate supervisor, etc. – makes it of utmost importance to have a performance evaluation system in place that accounts for these differences.
I have always believed that every job title needed 3 corresponding personnel-related formal documents:
Job Description - This is a document unique to a job title, applicable to anyone with that job title. It contains the formal, HR-based, legally-required information such as generalized duties and responsibilities; reporting structure; OSHA and FLSA classifications; salary grade; minimum knowledge, skills and abilities required; working conditions, etc.
Performance Expectations – This is a document unique to a job title, applicable to anyone with that job title. It contains the general guidelines outlining what is minimally expected and required of any and all individuals in a given job title – what is minimally necessary to succeed in and retain the job.
Performance Standards - This is a document related to a job title, but customized and tailored specifically to each employee with that job title. It contains the objective, measurable and quantifiable standards common to the job title, which are then apportioned and weighted in a unique way to each individual based on the individual’s unique combination of experience and situation (as a very simplified example: the performance standards for every individual with the “LP Agent” job title contains a line item for “making external apprehensions.” But Joe’s standard is weighted at 30 percent because Joe has 3 years of company experience, 2 years of prior experience, and is assigned to a store with many external problems; while Jim’s standard is weighted at only 10 percent because he is a new, inexperienced agent assigned to a store with very few external problems). The Performance Standards then forms the basis for the numerical point total or “grade” that the individual gets at his performance evaluation, and which is then directly and objectively linked to any merit salary raise (for example: 79 points equals a 2.5 percent increase).
After MANY years in management, this is still the most equitable way I know of to account for each employee’s unique situation, rate every employee on an equitable, objective basis, and take away any challengeable differences in salary administration.
Friday, July 10, 2009
The Business Considerations of Security
Every organization/landlord has a legal obligation to provide a safe environment, based on the concept of “reasonable security.” Management does not have to guarantee absolute security; however, reasonableness and adequacy of security must be affirmatively demonstrated. This basic concept is founded in most states’ case law. And there is virtually no place that can claim that no security is adequate.
“Reasonable security” has been consistently defined by courts to mean that appropriate security measures must be implemented commensurate with risks which are reasonably foreseeable. And a reasonable consideration of foreseeability has been determined to include the nature of the premises; the history of incidents at the premises; the history of incidents in geographic surroundings; and industry standards.
Adequacy of security is legally defensible only when vulnerabilities and risks are assessed via some formalized process to determine foreseeability; and commensurate security measures are implemented to reasonably address those identified foreseeable risks.
A reasonable assessment process should at least include interviews with key management personnel, representative employee focus groups, and other key stakeholders to determine perceptions about security and security wants/needs; a review of all documentation having anything to do with security (policies/procedures, reports, etc.); and an inspection and analysis of all related property and operations.
A good process for developing a sound security strategy has dual benefits: the program will be designed to protect the organization’s assets; and the program will be legally defensible should it be challenged in court.
“Reasonable security” has been consistently defined by courts to mean that appropriate security measures must be implemented commensurate with risks which are reasonably foreseeable. And a reasonable consideration of foreseeability has been determined to include the nature of the premises; the history of incidents at the premises; the history of incidents in geographic surroundings; and industry standards.
Adequacy of security is legally defensible only when vulnerabilities and risks are assessed via some formalized process to determine foreseeability; and commensurate security measures are implemented to reasonably address those identified foreseeable risks.
A reasonable assessment process should at least include interviews with key management personnel, representative employee focus groups, and other key stakeholders to determine perceptions about security and security wants/needs; a review of all documentation having anything to do with security (policies/procedures, reports, etc.); and an inspection and analysis of all related property and operations.
A good process for developing a sound security strategy has dual benefits: the program will be designed to protect the organization’s assets; and the program will be legally defensible should it be challenged in court.
Monday, April 06, 2009
Asset Protection is Inherent to Business
The protection of an organization's assets must be an integral part of its overall business strategy. In tight economic times, companies supposedly can't afford risk assessments; but these are exactly the times when they're most needed. Many businesses do not have the proprietary expertise to objectively assess their security vulnerabilities; they need outside assistance. A risk assessment conducted without a professional security practitioner is like a medical diagnosis conducted without a licensed physician.
Maximizing value and profit is not only a function of promoting the sale of goods or services; it is also a function of asset protection.
Maximizing value and profit is not only a function of promoting the sale of goods or services; it is also a function of asset protection.
Tuesday, November 04, 2008
What Kind of Security Do You Have?
SECURITY – The term has become prevalent in today’s world. And using the term in the context of protective efforts, it means different things to different people: It may mean the protection of our nation from terrorists; it may mean the feeling of well-being experienced by a senior citizen when the front door is locked at night; or it may mean anything in between. But even in the business world, which has embraced the concept of security for years – even if as nothing more than a necessary evil – there is no consensus as to what “security” really means.
In common business philosophy, “security” usually refers to a program for protecting the organization’s assets; and it is usually meant to be a proactive program involving the implementation of various strategies to prevent or diminish the likelihood of the occurrence of bad things. And that is fine…as far as it goes. But organizations sometimes forget that “protecting assets” should be a comprehensive business strategy that not only achieves asset protection but that also limits liability. And the concept of liability avoidance is all too frequently overlooked in the development of a security program.
In reality, there are 3 different kinds of security:
First is the “one-size-fits-all,” “everyone-does-it-like-this” kind: “Joe down the block has a guard and a camera, so I better have a guard and a camera.” This may be sufficient for some businesses, and may occasionally achieve a semblance of actual security – even if only by luck and chance. But luck and chance have a habit of disappearing when needed most.
Then there is “good” security. This is usually a program designed with some specific intent to address the protection of the company’s assets. This may also be sufficient for some businesses, and certainly is better than the haphazard approach. But unless the program has been developed by someone with security knowledge and experience, and unless a recognized program development process has been used, there is still no assurance that the program will be successful or will withstand a legal challenge.
To digress a moment…legal challenge? Why should development of a security program be concerned about a legal challenge? Because no security program is infallible and failure-proof – even with a comprehensive security program, some bad things can and will happen. And when some kinds of bad things happen, lawsuits will result. And when a lawsuit arises, it will not be good enough to demonstrate that a good security program existed. It will also be necessary to demonstrate that the security program was reasonable, adequate and sufficient in relation to legal standards. Which brings us to the third type of security…..
Legally defensible security. This is a program that has been designed not only to protect, but to withstand legal scrutiny when challenged. It is a program that has consciously taken into account the potential threats and risks that might be encountered, the various methods and strategies available to counteract those threats and risks, and then has taken those countermeasures and strategies and implemented them in some formalized manner. This is the kind of security that affords reasonable, adequate and sufficient protection against reasonably foreseeable risks.
In other words, the best security program is one which not only achieves its protective function successfully, but which has been developed and implemented in a manner which can be defended in court.
What kind of security do you have?
In common business philosophy, “security” usually refers to a program for protecting the organization’s assets; and it is usually meant to be a proactive program involving the implementation of various strategies to prevent or diminish the likelihood of the occurrence of bad things. And that is fine…as far as it goes. But organizations sometimes forget that “protecting assets” should be a comprehensive business strategy that not only achieves asset protection but that also limits liability. And the concept of liability avoidance is all too frequently overlooked in the development of a security program.
In reality, there are 3 different kinds of security:
First is the “one-size-fits-all,” “everyone-does-it-like-this” kind: “Joe down the block has a guard and a camera, so I better have a guard and a camera.” This may be sufficient for some businesses, and may occasionally achieve a semblance of actual security – even if only by luck and chance. But luck and chance have a habit of disappearing when needed most.
Then there is “good” security. This is usually a program designed with some specific intent to address the protection of the company’s assets. This may also be sufficient for some businesses, and certainly is better than the haphazard approach. But unless the program has been developed by someone with security knowledge and experience, and unless a recognized program development process has been used, there is still no assurance that the program will be successful or will withstand a legal challenge.
To digress a moment…legal challenge? Why should development of a security program be concerned about a legal challenge? Because no security program is infallible and failure-proof – even with a comprehensive security program, some bad things can and will happen. And when some kinds of bad things happen, lawsuits will result. And when a lawsuit arises, it will not be good enough to demonstrate that a good security program existed. It will also be necessary to demonstrate that the security program was reasonable, adequate and sufficient in relation to legal standards. Which brings us to the third type of security…..
Legally defensible security. This is a program that has been designed not only to protect, but to withstand legal scrutiny when challenged. It is a program that has consciously taken into account the potential threats and risks that might be encountered, the various methods and strategies available to counteract those threats and risks, and then has taken those countermeasures and strategies and implemented them in some formalized manner. This is the kind of security that affords reasonable, adequate and sufficient protection against reasonably foreseeable risks.
In other words, the best security program is one which not only achieves its protective function successfully, but which has been developed and implemented in a manner which can be defended in court.
What kind of security do you have?
Wednesday, March 12, 2008
Security Standards
There is a widespread misperception related to the concept of “security standards.” So this message will attempt to clarify the issue.
As an expert witness, I am frequently asked to assess existing security measures in relation to “security standards.” In fact, such standards do not exist, at least not in the narrow sense of universally accepted, required or codified principles (the exception being standards for Government buildings and its contractors’ buildings).
Because security is both science and art – the science being the paraphernalia, technology and techniques used in protective efforts; the art being the proper and appropriate application of that “stuff” to a given situation – there are frequently a variety of ways to achieve reasonable security. And since reasonableness of security is judged vis-Ã -vis the circumstances of a particular situation, reasonable security is by definition different in every situation. So in truth, a “standard” is nothing more than a best practice that some reputable body has endorsed and/or embraced; but even an accepted “standard” is not – and in fact cannot be – the appropriate security measure that can or should be applied in every circumstance.
The biggest difficulty with “standards” is not in their identification or interpretation, but in their application. Courts across the country have taken the most realistic approach to the concept of standards: While Courts will recognize that standards (in the broadest context) exist, Courts usually will then go a step further and require evidence that the standard was applied to a given situation in the most appropriate way, and was the most suitable solution to the security problem.
As an example: A Court may recognize that there is a “standard” for the appropriate minimal height, configuration and installation of a chain link fence. But then that Court will take that “standard” and seek evidence as to whether that particular standard was suitable, appropriate, adequate and sufficient for the fencing around the facility where the actionable incident occurred.
So in other words, standards are fine; but they are not – and cannot be – universal in terms of one-size-fits-all-in-every-circumstance application. Every situation is different, so security measures will of necessity be different.
As an expert witness, I am frequently asked to assess existing security measures in relation to “security standards.” In fact, such standards do not exist, at least not in the narrow sense of universally accepted, required or codified principles (the exception being standards for Government buildings and its contractors’ buildings).
Because security is both science and art – the science being the paraphernalia, technology and techniques used in protective efforts; the art being the proper and appropriate application of that “stuff” to a given situation – there are frequently a variety of ways to achieve reasonable security. And since reasonableness of security is judged vis-Ã -vis the circumstances of a particular situation, reasonable security is by definition different in every situation. So in truth, a “standard” is nothing more than a best practice that some reputable body has endorsed and/or embraced; but even an accepted “standard” is not – and in fact cannot be – the appropriate security measure that can or should be applied in every circumstance.
The biggest difficulty with “standards” is not in their identification or interpretation, but in their application. Courts across the country have taken the most realistic approach to the concept of standards: While Courts will recognize that standards (in the broadest context) exist, Courts usually will then go a step further and require evidence that the standard was applied to a given situation in the most appropriate way, and was the most suitable solution to the security problem.
As an example: A Court may recognize that there is a “standard” for the appropriate minimal height, configuration and installation of a chain link fence. But then that Court will take that “standard” and seek evidence as to whether that particular standard was suitable, appropriate, adequate and sufficient for the fencing around the facility where the actionable incident occurred.
So in other words, standards are fine; but they are not – and cannot be – universal in terms of one-size-fits-all-in-every-circumstance application. Every situation is different, so security measures will of necessity be different.
Monday, September 24, 2007
The Basics of Risk Assessment
While every business knows that it is important for a variety of reasons to protect its assets, many business owners and managers do not know how to perform the risk assessment that will identify the specific threats to be guarded against. While a professional security consultant is frequently the best and most cost-effective way for a thorough risk assessment to be conducted, here are the basic steps that should be used to determine a sound security strategy:
· identify/itemize all assets that need to be protected (physical, human and intellectual)
· identify every conceivable threat/risk that may be encountered – be sure that everything bad that could happen is given at least cursory consideration
· determine/prioritize the likelihood of occurrence of each of the identified threats/risks – the bad things most likely to occur should be given the highest priority
· determine/prioritize the business impact if/when each of the identified threats/risks should occur – some risks have a potentially greater impact than others
· identify/itemize all security measures currently in place – are current protective measures adequate to counter all the identified threats/risks
· implement a sound security strategy that is adequate to protect the organization and its most vital assets
Even in industries in which security standards have been recommended or promulgated, the above outline forms the basis of the process that is recognized by both security professionals and the Courts as being adequate, sufficient, and legally defensible.
· identify/itemize all assets that need to be protected (physical, human and intellectual)
· identify every conceivable threat/risk that may be encountered – be sure that everything bad that could happen is given at least cursory consideration
· determine/prioritize the likelihood of occurrence of each of the identified threats/risks – the bad things most likely to occur should be given the highest priority
· determine/prioritize the business impact if/when each of the identified threats/risks should occur – some risks have a potentially greater impact than others
· identify/itemize all security measures currently in place – are current protective measures adequate to counter all the identified threats/risks
· implement a sound security strategy that is adequate to protect the organization and its most vital assets
Even in industries in which security standards have been recommended or promulgated, the above outline forms the basis of the process that is recognized by both security professionals and the Courts as being adequate, sufficient, and legally defensible.
Thursday, June 14, 2007
The Trouble With Policies
In many facets of life, good intentions are frequently overshadowed by poor implementation. This is especially true with regards to company policies and procedures in the business world.
Policies and procedures are extremely important and absolutely necessary. Organizations must have policies and procedures so that operations run smoothly and personnel know what they can and cannot do. But the good intention of a policy or procedure can quickly transform into a nightmare if it is not developed, implemented and enforced with care and diligence.
The reason that “policy” and “procedure” are two different words is because they mean two different things. But all too often, the terms policy and procedure are used interchangeably; and therein lies the crux of the problem.
A “policy” should be a fairly specific statement of desired intent which includes a fairly broad statement of how that intent will be achieved. In contrast, a “procedure” should be a detailed enumeration of actions to be followed under certain defined circumstances for the achievement of a desired result and related policy. If a policy gets too specific in its statement of intent attainment, it wanders into the realm of procedure. If a procedure’s actions are outlined with great specificity in relation to broadly-defined circumstances, the procedures can be followed or applied to circumstances that were never intended. And if a procedure’s actions are contrary to the corresponding policy’s stated objective, confusion arises and mistakes are made.
In my more than 30 years of developing and reviewing policies and procedures in the security and loss prevention worlds, I have learned a lesson that has served me well: The best policies and procedures are those which are defined well enough to achieve the desired goals while still allowing enough leeway for common sense and initiative.
It should be fairly obvious that some latitude is necessary in policies and procedures. Very few things in life can be simply categorized as either black or white – we live in a world of grays. So even when a seemingly black-or-white situation arises (right vs. wrong; good vs. evil; rule adherence vs. rule violation), it is almost always different and unique from other such black-or-white situations, because while the act may be the same, the circumstances are always different. And since good policies and procedures should be developed with regard to circumstances, good policies and procedures must of necessity be constructed to allow for those differences in circumstances. In other words, policies and procedures should be designed with enough flexibility so as to allow for reasonable situational analysis, interpretation and initiative while still providing guidance towards desired results. Especially with regard to procedures, operational parameters are much better than specifically-fixed actions.
One of the reasons that poor policies and procedures abound is because the business world has become addicted to playing follow-the-leader. Whenever the current business guru with some new business management philosophy comes along, we have to try it out ourselves because if we don’t, and our competitors do, then it somehow makes us feel that we are inferior and “behind the curve.” As an example, the current buzzword and trend is “zero-tolerance” in policies. Perhaps well-meaning in theory but almost never good in practice, because such policies are usually developed just the opposite of what this article espouses: the objectives are too generally defined, and the mandated actions are too narrowly defined. Zero-tolerance policies almost never allow for the common sense and initiative that a truly good policy not only allows but encourages.
Let me illustrate: News accounts have been full of reports of children expelled from school because of the possession of something as innocuous as an aspirin. Why? Because the zero-tolerance policy used as the basis for the expulsion simply stated that students with drugs (a very broad, general term) must be automatically expelled (a very narrowly-defined action).
I presume that the person(s) responsible for such a policy’s development did not have that scenario in mind. But for a variety of reasons – time, budgetary, liability and so forth – there is a common misperception about policies in general:
· we believe that we must try to make as few policies as possible (easier to remember, cuts down on the size of the Policy Manual)
· we believe that each of those few policies must be as all-encompassing as possible (the fewer the policies, the more ground each has to cover)
· we believe that each procedure must specify very narrowly-defined actions (to tell the policy enforcers exactly what to do)
· we believe that the actions defined must leave no room for interpretation (the policy makes the decision, not the person enforcing the policy)
· we believe that each procedure must have strictly-enforced sanctions (if the policy says so, there can be no debate)
But the unfortunate result of such policies is that a never-anticipated situation will occur which does not exactly fit any specific policy. So a policy which remotely resembles the situation is brought into play, and a policy never intended for the specific situation is applied. And undesirable ramifications and consequences inevitably ensue.
I firmly believe – and the belief has served me well – that most operational policies and procedures must be developed with an eye towards allowing the persons responsible for their implementation and enforcement some latitude to exercise their own initiative, discretion and judgment. Since very few things in life are black and white, people must not be forced into only those two choices when situations involving policy interpretation and application present themselves. If the people entrusted with policy enforcement have been selected and trained well, they should be given not only the responsibility for enforcement, but the authority for reasonable interpretation and adaptation.
Policies and procedures are extremely important and absolutely necessary. Organizations must have policies and procedures so that operations run smoothly and personnel know what they can and cannot do. But the good intention of a policy or procedure can quickly transform into a nightmare if it is not developed, implemented and enforced with care and diligence.
The reason that “policy” and “procedure” are two different words is because they mean two different things. But all too often, the terms policy and procedure are used interchangeably; and therein lies the crux of the problem.
A “policy” should be a fairly specific statement of desired intent which includes a fairly broad statement of how that intent will be achieved. In contrast, a “procedure” should be a detailed enumeration of actions to be followed under certain defined circumstances for the achievement of a desired result and related policy. If a policy gets too specific in its statement of intent attainment, it wanders into the realm of procedure. If a procedure’s actions are outlined with great specificity in relation to broadly-defined circumstances, the procedures can be followed or applied to circumstances that were never intended. And if a procedure’s actions are contrary to the corresponding policy’s stated objective, confusion arises and mistakes are made.
In my more than 30 years of developing and reviewing policies and procedures in the security and loss prevention worlds, I have learned a lesson that has served me well: The best policies and procedures are those which are defined well enough to achieve the desired goals while still allowing enough leeway for common sense and initiative.
It should be fairly obvious that some latitude is necessary in policies and procedures. Very few things in life can be simply categorized as either black or white – we live in a world of grays. So even when a seemingly black-or-white situation arises (right vs. wrong; good vs. evil; rule adherence vs. rule violation), it is almost always different and unique from other such black-or-white situations, because while the act may be the same, the circumstances are always different. And since good policies and procedures should be developed with regard to circumstances, good policies and procedures must of necessity be constructed to allow for those differences in circumstances. In other words, policies and procedures should be designed with enough flexibility so as to allow for reasonable situational analysis, interpretation and initiative while still providing guidance towards desired results. Especially with regard to procedures, operational parameters are much better than specifically-fixed actions.
One of the reasons that poor policies and procedures abound is because the business world has become addicted to playing follow-the-leader. Whenever the current business guru with some new business management philosophy comes along, we have to try it out ourselves because if we don’t, and our competitors do, then it somehow makes us feel that we are inferior and “behind the curve.” As an example, the current buzzword and trend is “zero-tolerance” in policies. Perhaps well-meaning in theory but almost never good in practice, because such policies are usually developed just the opposite of what this article espouses: the objectives are too generally defined, and the mandated actions are too narrowly defined. Zero-tolerance policies almost never allow for the common sense and initiative that a truly good policy not only allows but encourages.
Let me illustrate: News accounts have been full of reports of children expelled from school because of the possession of something as innocuous as an aspirin. Why? Because the zero-tolerance policy used as the basis for the expulsion simply stated that students with drugs (a very broad, general term) must be automatically expelled (a very narrowly-defined action).
I presume that the person(s) responsible for such a policy’s development did not have that scenario in mind. But for a variety of reasons – time, budgetary, liability and so forth – there is a common misperception about policies in general:
· we believe that we must try to make as few policies as possible (easier to remember, cuts down on the size of the Policy Manual)
· we believe that each of those few policies must be as all-encompassing as possible (the fewer the policies, the more ground each has to cover)
· we believe that each procedure must specify very narrowly-defined actions (to tell the policy enforcers exactly what to do)
· we believe that the actions defined must leave no room for interpretation (the policy makes the decision, not the person enforcing the policy)
· we believe that each procedure must have strictly-enforced sanctions (if the policy says so, there can be no debate)
But the unfortunate result of such policies is that a never-anticipated situation will occur which does not exactly fit any specific policy. So a policy which remotely resembles the situation is brought into play, and a policy never intended for the specific situation is applied. And undesirable ramifications and consequences inevitably ensue.
I firmly believe – and the belief has served me well – that most operational policies and procedures must be developed with an eye towards allowing the persons responsible for their implementation and enforcement some latitude to exercise their own initiative, discretion and judgment. Since very few things in life are black and white, people must not be forced into only those two choices when situations involving policy interpretation and application present themselves. If the people entrusted with policy enforcement have been selected and trained well, they should be given not only the responsibility for enforcement, but the authority for reasonable interpretation and adaptation.
Monday, April 16, 2007
Foreseeability In Premises Liability Cases
Civil lawsuits resulting from security-related incidents on both public and private property generally are classified as “premises liability” cases. The basic concept of premises liability is that owners/landlords have a legal obligation to provide reasonable security based on foreseeability. But many persons with an interest in providing or assessing “reasonable security” – security and loss prevention practitioners, and attorneys – are sometimes misinformed about the concept of foreseeability.
“Foreseeability” as defined by most courts in the U.S. (with only few minor exceptions, most notably Michigan) is a broader concept than is recognized by many. Foreseeability is usually determined by a formal assessment of 4 distinct criteria:
The inherent nature of the premises: Every premises has a distinct nature, each with its inherent problems and risks. Bars, for example, have different inherent risks than do shopping malls, just as schools have different inherent risks than do hospitals. The intrinsic nature of the premises is the first factor to be considered in determining foreseeability.
The history of security incidents at the premises: History does have a tendency to repeat itself. A premises with a history of crime and security incidents can probably expect more crime and incidents in the future. The history of events at a premises is the second factor to be considered in determining foreseeability.
And with regard to the history of incidents at a premises, Courts have not necessarily held that criminal or security incidents of a specific nature are a determining factor. For example, a parking lot with a history of thefts and robberies will probably not be able to successfully claim that it was unaware of security issues when a carjacking occurs. Criminal and security incidents in general are considered, because security measures are usually not implemented to prevent or deter only one type of incident (the CCTV surveilling the parking lot is not only scanning for thieves and robbers).
The history of security incidents in the immediate geographic surroundings: Crime usually does not limit itself to specific sites. Criminals engaged in inappropriate activities are usually opportunists who are always looking for an easy target. So security problems that occur in a neighborhood will frequently find their way to and impact any given premises in that neighborhood. The history of events in the neighborhood is the third factor to be considered in determining foreseeability.
Industry security standards for the premises: Any organization whose industry has established some formalized standards or practices for security has an obligation to at least consider those security measures. Industry standards, guidelines and practices are usually not developed until and unless there is significant commonality among the members of the industry. So standards and practices that have been developed, especially for security, are probably relevant and must be considered. Industry security standards are the fourth factor to be considered in determining foreseeability.
So a quick review of past incident reports will not be sufficient for an organization to successfully argue that it has met its obligation with regard to foreseeability. And why is foreseeability so important? Because it is the results of the foreseeability assessment that determine what security measures are reasonable under the circumstances.
“Foreseeability” as defined by most courts in the U.S. (with only few minor exceptions, most notably Michigan) is a broader concept than is recognized by many. Foreseeability is usually determined by a formal assessment of 4 distinct criteria:
The inherent nature of the premises: Every premises has a distinct nature, each with its inherent problems and risks. Bars, for example, have different inherent risks than do shopping malls, just as schools have different inherent risks than do hospitals. The intrinsic nature of the premises is the first factor to be considered in determining foreseeability.
The history of security incidents at the premises: History does have a tendency to repeat itself. A premises with a history of crime and security incidents can probably expect more crime and incidents in the future. The history of events at a premises is the second factor to be considered in determining foreseeability.
And with regard to the history of incidents at a premises, Courts have not necessarily held that criminal or security incidents of a specific nature are a determining factor. For example, a parking lot with a history of thefts and robberies will probably not be able to successfully claim that it was unaware of security issues when a carjacking occurs. Criminal and security incidents in general are considered, because security measures are usually not implemented to prevent or deter only one type of incident (the CCTV surveilling the parking lot is not only scanning for thieves and robbers).
The history of security incidents in the immediate geographic surroundings: Crime usually does not limit itself to specific sites. Criminals engaged in inappropriate activities are usually opportunists who are always looking for an easy target. So security problems that occur in a neighborhood will frequently find their way to and impact any given premises in that neighborhood. The history of events in the neighborhood is the third factor to be considered in determining foreseeability.
Industry security standards for the premises: Any organization whose industry has established some formalized standards or practices for security has an obligation to at least consider those security measures. Industry standards, guidelines and practices are usually not developed until and unless there is significant commonality among the members of the industry. So standards and practices that have been developed, especially for security, are probably relevant and must be considered. Industry security standards are the fourth factor to be considered in determining foreseeability.
So a quick review of past incident reports will not be sufficient for an organization to successfully argue that it has met its obligation with regard to foreseeability. And why is foreseeability so important? Because it is the results of the foreseeability assessment that determine what security measures are reasonable under the circumstances.
Wednesday, January 31, 2007
What Is the "Security Industry?"
There is no common public perception as to what “security” really is. And that’s because the industry is so large and diversified. When the term “law enforcement” is used, there is little doubt as to its meaning: it refers to public agencies that uphold the law. Pretty simple and straightforward. The more informed understand that there are differences in jurisdiction (local vs. county vs. state vs. federal, etc.) and in general function (ordinary policing vs. investigations vs. transportation enforcement vs. protective services, etc.). But when the ordinary citizen hears “law enforcement,” he or she pretty much knows exactly what is meant.
On the other hand, there really is no simple definition of the security industry (other than “providing protective services,” which is so all-encompassing as to be nebulous and non-helpful). Here is just a partial list of the “security industry:” proprietary security departments; contract security services; private investigations; guard and patrol services; armored courier services; alarm and equipment installers; security consultants; private information/intelligence services; auditors; risk management services; contingency planning services; business continuity services; special event specialists; bodyguards/personal protection specialists; etc.
And each of these categories has its subcategories: some proprietary security departments provide overnight guard patrol, some provide full security and law enforcement-like services; some contract security companies provide services to a variety of industries, some specialize in one; some alarm and equipment companies provide home burglar alarms, some provide integrated security systems that are literally global in scope; etc.
So when the term “security” is heard, should the ordinary citizen think of the night watchman-slash-boiler operator, or the corporate security executive who is responsible for $500 billion worth of company assets, or the bodyguard protecting Britney from a stalker, or… what should the ordinary citizen think of?
Coupled with the vast diversity of services encompassed by the “security industry,” there are other issues of disparity that make it difficult for the ordinary citizen to understand what we do and who we are:
· There is a Police Officer on duty at the publicly-owned hospital, while there is just a “security guard” on duty at the private hospital across the street – and both are performing the same basic job function.
· Public law enforcement agencies, because they are public, are subject to public scrutiny, in everything from their budgets to their activities. Private security operations, because they work for private enterprises, are subject to virtually no public scrutiny (until something newsworthy – usually meaning “bad” – occurs).
· The high-speed police pursuit of a speeding motorist makes the nightly news because the media camp out on the Police Department’s doorstep. The 2-year investigation by the team of corporate investigators which results in the break-up of the international theft ring resulting in the recovery of $3 million worth of MP3 players goes unnoticed because there are no media present, because the company doesn’t want the publicity to jeopardize the three other investigations that are going on simultaneously.
· The company that installed the home burglar alarm may not be the proper responder when the alarm is activated.
· The “event staff” personnel are seen as being overly aggressive in removing the “…poor drunk guy…” from the concert – after he had just started the fight that knocked over the ten-thousand-dollar amplifier and injured 4 patrons.
In other words, the ordinary citizen cannot really know or understand the “security industry” because the industry is so vast and because “security guards” have such a diverse range of duties and responsibilities. And if you add into the mix the fact that many security strategies rely on unobtrusiveness to be successful……
On the other hand, there really is no simple definition of the security industry (other than “providing protective services,” which is so all-encompassing as to be nebulous and non-helpful). Here is just a partial list of the “security industry:” proprietary security departments; contract security services; private investigations; guard and patrol services; armored courier services; alarm and equipment installers; security consultants; private information/intelligence services; auditors; risk management services; contingency planning services; business continuity services; special event specialists; bodyguards/personal protection specialists; etc.
And each of these categories has its subcategories: some proprietary security departments provide overnight guard patrol, some provide full security and law enforcement-like services; some contract security companies provide services to a variety of industries, some specialize in one; some alarm and equipment companies provide home burglar alarms, some provide integrated security systems that are literally global in scope; etc.
So when the term “security” is heard, should the ordinary citizen think of the night watchman-slash-boiler operator, or the corporate security executive who is responsible for $500 billion worth of company assets, or the bodyguard protecting Britney from a stalker, or… what should the ordinary citizen think of?
Coupled with the vast diversity of services encompassed by the “security industry,” there are other issues of disparity that make it difficult for the ordinary citizen to understand what we do and who we are:
· There is a Police Officer on duty at the publicly-owned hospital, while there is just a “security guard” on duty at the private hospital across the street – and both are performing the same basic job function.
· Public law enforcement agencies, because they are public, are subject to public scrutiny, in everything from their budgets to their activities. Private security operations, because they work for private enterprises, are subject to virtually no public scrutiny (until something newsworthy – usually meaning “bad” – occurs).
· The high-speed police pursuit of a speeding motorist makes the nightly news because the media camp out on the Police Department’s doorstep. The 2-year investigation by the team of corporate investigators which results in the break-up of the international theft ring resulting in the recovery of $3 million worth of MP3 players goes unnoticed because there are no media present, because the company doesn’t want the publicity to jeopardize the three other investigations that are going on simultaneously.
· The company that installed the home burglar alarm may not be the proper responder when the alarm is activated.
· The “event staff” personnel are seen as being overly aggressive in removing the “…poor drunk guy…” from the concert – after he had just started the fight that knocked over the ten-thousand-dollar amplifier and injured 4 patrons.
In other words, the ordinary citizen cannot really know or understand the “security industry” because the industry is so vast and because “security guards” have such a diverse range of duties and responsibilities. And if you add into the mix the fact that many security strategies rely on unobtrusiveness to be successful……
Tuesday, January 30, 2007
The Fallacy of Liability Avoidance
We hear it everywhere: “…We better be careful or we’ll get sued” or “…We have to avoid liability.” But if you really analyze those two phrases (which are frequently used interchangeably), you’ll see that they are not necessarily the same, especially as related to the loss prevention or security function in the real business world.
“Getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about true liability avoidance in our companies – the bean counters and attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability.
We are a litigious society. Virtually anyone can sue virtually anyone else for virtually anything. And until limits are set on frivolous lawsuits, such will continue to be the case. So there is almost nothing that we can do in the area of assets protection that will not come under someone’s scrutiny at some point, to the extent that we will be sued.
A prime example of companies being so concerned about any lawsuit (as opposed to legitimate, successful lawsuits) is their internal policies that have no substantive basis in law. One of those areas in which company policies usually do not directly equate to law is the hiring process.
How many times have you heard that asking for a date of birth is an "illegal question" under EEOC guidelines, presumably because it could lead to age discrimination? A show of hands, please. Ahh….I see that almost everyone has raised a hand….
EEOC does NOT...I repeat NOT...stipulate that ANY hiring practice or strategy is inherently bad or unlawful; it simply requires that there be a LEGITIMATE AND DEMONSTRABLE BUSINESS REASON for a particular practice or strategy.
So back to the question of asking for a date of birth: It is a common misconception that it is an illegal question. In fact, under EEOC guidelines, THERE IS NO SUCH THING AS AN "ILLEGAL QUESTION." Rather, the USE of the information is what may be considered illegal if the information is gathered and used for the wrong reasons.
Case in point: In most states, a full background investigation of employees (especially employees in positions of trust, such as LP employees, persons handling large sums of money, etc.) is perfectly legal and may in fact be required. In some of those states, pertinent background information (such as criminal records) is filed by both name and date of birth – in order to do a background investigation, a date of birth is necessary. So....if a business can demonstrate a BUSINESS NEED (like assuring the integrity of employees in certain positions) for performing a LEGITIMATE AND LAWFUL BUSINESS FUNCTION (like conducting a background investigation) and that lawful function requires gathering SPECIFIC INFORMATION (like a date of birth) in a MANNER CONSISTENT WITH COMMON PRACTICE (like the records are filed requiring a date of birth), then gathering the date of birth is perfectly legal, acceptable and allowable under EEOC guidelines.
Now....this does not mean that these types of questions (date of birth, gender, etc.) should appear on every company application – that would not be appropriate because the information would probably not be needed during the hiring process for every company employee. But the questions can and should be asked and information gathered during the hiring process in situations in which the information is necessary.
As noted in another posting on this blog, company lawyers frequently take the path of least resistance when reviewing or recommending policies – they feel that it is easier to promulgate universal policies that will apply to most employees than to have a more complex policy that allows for legitimate (and necessary) exceptions.
For security professionals, it's frustrating to be subject to internal policies that restrict legitimate activities under the guise of "legal" when in fact the policies may have no foundation in law. Getting those kinds of “convenient” policies changed should be the job of senior security management – that should be why they make the big bucks.
“Getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about true liability avoidance in our companies – the bean counters and attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability.
We are a litigious society. Virtually anyone can sue virtually anyone else for virtually anything. And until limits are set on frivolous lawsuits, such will continue to be the case. So there is almost nothing that we can do in the area of assets protection that will not come under someone’s scrutiny at some point, to the extent that we will be sued.
A prime example of companies being so concerned about any lawsuit (as opposed to legitimate, successful lawsuits) is their internal policies that have no substantive basis in law. One of those areas in which company policies usually do not directly equate to law is the hiring process.
How many times have you heard that asking for a date of birth is an "illegal question" under EEOC guidelines, presumably because it could lead to age discrimination? A show of hands, please. Ahh….I see that almost everyone has raised a hand….
EEOC does NOT...I repeat NOT...stipulate that ANY hiring practice or strategy is inherently bad or unlawful; it simply requires that there be a LEGITIMATE AND DEMONSTRABLE BUSINESS REASON for a particular practice or strategy.
So back to the question of asking for a date of birth: It is a common misconception that it is an illegal question. In fact, under EEOC guidelines, THERE IS NO SUCH THING AS AN "ILLEGAL QUESTION." Rather, the USE of the information is what may be considered illegal if the information is gathered and used for the wrong reasons.
Case in point: In most states, a full background investigation of employees (especially employees in positions of trust, such as LP employees, persons handling large sums of money, etc.) is perfectly legal and may in fact be required. In some of those states, pertinent background information (such as criminal records) is filed by both name and date of birth – in order to do a background investigation, a date of birth is necessary. So....if a business can demonstrate a BUSINESS NEED (like assuring the integrity of employees in certain positions) for performing a LEGITIMATE AND LAWFUL BUSINESS FUNCTION (like conducting a background investigation) and that lawful function requires gathering SPECIFIC INFORMATION (like a date of birth) in a MANNER CONSISTENT WITH COMMON PRACTICE (like the records are filed requiring a date of birth), then gathering the date of birth is perfectly legal, acceptable and allowable under EEOC guidelines.
Now....this does not mean that these types of questions (date of birth, gender, etc.) should appear on every company application – that would not be appropriate because the information would probably not be needed during the hiring process for every company employee. But the questions can and should be asked and information gathered during the hiring process in situations in which the information is necessary.
As noted in another posting on this blog, company lawyers frequently take the path of least resistance when reviewing or recommending policies – they feel that it is easier to promulgate universal policies that will apply to most employees than to have a more complex policy that allows for legitimate (and necessary) exceptions.
For security professionals, it's frustrating to be subject to internal policies that restrict legitimate activities under the guise of "legal" when in fact the policies may have no foundation in law. Getting those kinds of “convenient” policies changed should be the job of senior security management – that should be why they make the big bucks.
Sunday, December 10, 2006
The Security Professional's Role in School Security
While tragically unfortunate, it is nonetheless a reality of today that school administrators must regularly ask themselves 2 important questions: “Are my schools safe and secure?” and “Will my schools’ security stand up to the legal scrutiny and challenges that will undoubtedly arise from a tragic incident?” In many cases, the honest answer to these questions is….“I don’t know.”
In the aftermath of Columbine and other such incidents across the country, security is an issue that must be of concern to anyone who is responsible for the safety and well-being of others. And now, with these types of incidents occurring with alarming frequency, the questions necessarily arise:
· Are there appropriate physical security safeguards in place?
· Is there a security plan?
· Does the security plan have commensurate policies, procedures, and training?
· Are tabletop and practical drills conducted to assure that the security plan is workable?
· Are there review procedures to assure that the security plan remains current?
· Has the security plan been reviewed to assure its adequacy and sufficiency – is it legally defensible (the standard that courts will use if your security plan is challenged)?
Many organizations, even those with proprietary capabilities in areas such as human resources, finance, or risk management realize the value of an outside, independent, objective audit process. Such a review assures that all issues of potential concern have been identified and addressed; and provides a fresh perspective to processes routinely managed by persons who may be too close to the situation to see it clearly and completely. And while many school districts rightly utilize their local law enforcement agencies to provide basic protective efforts and believe that such involvement is sufficient for their security planning needs, that is not necessarily the case. Consider that law enforcement agencies rarely have the knowledge or experience to conduct thorough assessments of a school’s total security program, because law enforcement officials focus primarily on problem response and resolution. Security professionals focus primarily on development of prevention and mitigation strategies. While both components (prevention/mitigation and response/resolution) are essential for a thorough school security plan, it is obviously much more beneficial to prevent problems whenever possible. So inclusion of the expertise of security professionals is something that should be considered.
A security assessment of a school and its campus is conducted to identify factors which create potential risk to students, staff, visitors, and facilities; to analyze and prioritize those potential risks; to analyze current security countermeasures in relation to the identified risks; and to offer recommendations as appropriate to prevent and/or mitigate as many potential risks as possible. The assessment process is usually accomplished via 3 basic methods:
· interviews with key administrative personnel and representative constituent focus groups, to identify security wants and needs; and to determine the current perceived state of security within the facilities
· review of any current policies, procedures and practices relating to security, to determine their adequacy and sufficiency
· a physical inspection and survey of facilities, to determine the current state of security; this inspection will include any current and/or proposed security systems, to determine their adequacy and sufficiency
So if your school administrators have been thinking about security needs, but didn’t know where to find professional, cost-effective direction and advice, look no further – a competent security professional may be your answer.
In the aftermath of Columbine and other such incidents across the country, security is an issue that must be of concern to anyone who is responsible for the safety and well-being of others. And now, with these types of incidents occurring with alarming frequency, the questions necessarily arise:
· Are there appropriate physical security safeguards in place?
· Is there a security plan?
· Does the security plan have commensurate policies, procedures, and training?
· Are tabletop and practical drills conducted to assure that the security plan is workable?
· Are there review procedures to assure that the security plan remains current?
· Has the security plan been reviewed to assure its adequacy and sufficiency – is it legally defensible (the standard that courts will use if your security plan is challenged)?
Many organizations, even those with proprietary capabilities in areas such as human resources, finance, or risk management realize the value of an outside, independent, objective audit process. Such a review assures that all issues of potential concern have been identified and addressed; and provides a fresh perspective to processes routinely managed by persons who may be too close to the situation to see it clearly and completely. And while many school districts rightly utilize their local law enforcement agencies to provide basic protective efforts and believe that such involvement is sufficient for their security planning needs, that is not necessarily the case. Consider that law enforcement agencies rarely have the knowledge or experience to conduct thorough assessments of a school’s total security program, because law enforcement officials focus primarily on problem response and resolution. Security professionals focus primarily on development of prevention and mitigation strategies. While both components (prevention/mitigation and response/resolution) are essential for a thorough school security plan, it is obviously much more beneficial to prevent problems whenever possible. So inclusion of the expertise of security professionals is something that should be considered.
A security assessment of a school and its campus is conducted to identify factors which create potential risk to students, staff, visitors, and facilities; to analyze and prioritize those potential risks; to analyze current security countermeasures in relation to the identified risks; and to offer recommendations as appropriate to prevent and/or mitigate as many potential risks as possible. The assessment process is usually accomplished via 3 basic methods:
· interviews with key administrative personnel and representative constituent focus groups, to identify security wants and needs; and to determine the current perceived state of security within the facilities
· review of any current policies, procedures and practices relating to security, to determine their adequacy and sufficiency
· a physical inspection and survey of facilities, to determine the current state of security; this inspection will include any current and/or proposed security systems, to determine their adequacy and sufficiency
So if your school administrators have been thinking about security needs, but didn’t know where to find professional, cost-effective direction and advice, look no further – a competent security professional may be your answer.
Subscribe to:
Posts (Atom)
Posts
