Friday, June 15, 2012

Process for Conducting Security Assessments

I don’t believe in using anyone else’s form or template for conducting security assessments – each consultant or manager who conducts such assessments has a unique style coupled with his own knowledge and experience; so, as with many things related to security, a “one-size-fits-all” approach usually doesn’t work. But other groups (such as ASIS International and the Federal Protective Service) do have some great ideas, so I have incorporated some of those ideas into the forms and procedures that I personally developed for my own use.

In general, I use several background/“inventory” forms to generate basic information about the grounds/campus, physical facilities, administrative/operational business components, and policies/procedures of the organization for which I am doing the assessment. I have these filled out to the extent possible by organizational representatives prior to my physical inspections/interviews. I then personally conduct a site inspection (to verify all information developed via the background/“inventory” forms and to assure that nothing important was overlooked), conduct personal and focus group interviews, and review all relevant policies/procedures for adequacy and sufficiency. Finally, I compile all information along with my analyses and recommendations into a narrative report which is the final work product.

During my career this process, along with my experience in serving as a Court-recognized Expert Witness, has confirmed my belief that every place has to be assessed and analyzed separately and independently to fulfill the legal standard for adequate and sufficient security – namely, reasonable security at a particular place and time, under a particular set of circumstances, based on reasonable foreseeability; and thus my process which combines self-developed tools for gathering information along with objective analysis according to the needs and culture of each particular project assures that my assessments are personalized for each client.

I have been using this process for the past 25+ years, and it has served me well.

Sunday, April 22, 2012

Preparing for Testimony

Practitioners in the security industry may occasionally be called on to provide testimony in some legal proceeding (either a criminal or civil case; during a deposition or at trial; as a fact witness or an expert). While those practitioners who have served as case consultants and/or expert witnesses will probably have had testimony experience, other security personnel may be faced with giving testimony for the first time. Regardless of the inherent knowledge or expertise of a witness, he/she still needs to be credible, effective and persuasive to the Judge and/or jury. To this end, preparation of the witness is very important.

Each attorney has a unique style and strategy and will undoubtedly have an established procedure for prepping witnesses. But here are a few issues that should be considered by anyone preparing to testify:

(1)  One issue that is sometimes overlooked in the preparation of a witness is the fact that he can only respond to the questions asked (a good witness can sometimes find a way to include additional information, but not always). So close collaboration with counsel is very important, not only to prepare for testimony expected during direct examination at trial, but for anticipated cross-examination. There needs to be a clear understanding and agreement of what information needs to be conveyed, the best manner to convey it, and the best manner to counteract aggressive cross examination, including attacks on both personal credibility and the credibility of testimony.

(2)  Even if not specifically demanded in the deposition or trial subpoena, availability of any relevant case materials/files is a good idea. Specific information such as dates, times and/or other technical information is likely to be a subject at issue, so it is better to refer to notes than to give erroneous information which may later be challenged or used to impeach the witness.

(3)  Answering questions “yes” or “no,” or at least as briefly as possible, is always a good idea. But when such a brief answer is not sufficient – such as when additional clarification or expansion is necessary – it is often best not to begin the answer with “yes” or “no” (such as “Yes, but…”) because an experienced attorney may not allow the “but” portion. Rather, it is sometimes better to begin a longer answer with a qualifying statement such as “Unfortunately, that question cannot be answered with a simple ‘yes’ or ‘no’, ” then go on with the full answer.

(4)  It is usually helpful for a witness to be advised of the personality and usual strategies/tactics of the opposing attorney. This helps the witness to better prepare for the demeanor and “personality” of the anticipated proceeding (for example, knowing that a particular attorney focuses just as much on the witness’s background as he does on specific case issues). Knowing what to expect from a particular attorney is a great asset for testimony preparation.

(5)  A witness should pause briefly before giving any answer, to allow his attorney the opportunity to object before potentially damaging or unnecessary information is inadvertently given.

Testifying in any legal proceeding is often a stressful and challenging ordeal. So having as much information as possible about what to expect, and being as prepared as possible, goes a long way towards doing a thorough, competent and professional job.

Tuesday, March 06, 2012

"Absolute" vs. "Perfect" Security

“Absolute security” and “perfect security” are not one and the same – the terms are not synonymous. And let’s be clear from the outset: There is no absolute security; and while perfect security may be hypothetically possible at any given moment in time, long-term perfect security is also not possible.

First, some working definitions: Absolute security is the theoretical state of total, complete and unqualified protection and safety of a given asset (some specific person, place or thing, including intellectual “things”). Perfect security is the practical state of utilizing the most appropriate security measures and strategies for a given asset at a given moment in time to protect against immediate, specific threats. A subtle but important difference.

From another perspective: Absolute security would protect against any conceivable or possible threat at all times. This condition simply cannot exist: No security program or strategy can ever totally assure that assets will not be lost or that a legal challenge to security efficacy will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation, resources and persistence of an attacker; the inexplicable failure of a protective measure at a crucial moment; or even the whims of a jury – the best security measures may sometimes fail or be deemed to be inadequate. Nothing can be done to assure that nothing will ever happen.

On the other hand, perfect security keeps whoever/whatever is being protected safe right now, from whatever threat is occurring right now. This is attainable, albeit for limited periods of time because situations and conditions change constantly and continuously, and that which is adequate and sufficient right now may not be adequate and sufficient in a few minutes or hours or days. The best that can be hoped for – and what those responsible for security should strive for – is to control as many facets of the security strategy as possible for the longest time possible, and to monitor the strategy continually to assure that emerging threats and unanticipated failures can be best and most expediently mitigated.

As with most issues related to security, one should hope for the best while planning for the worst.

Tuesday, January 17, 2012

The Value Of A Security Consultant

Many organizations – even, or perhaps especially those with in-house security operations – frequently fail to recognize the benefits of an occasional security assessment conducted by an outside, independent security consultant.

A security assessment of a business is conducted to identify factors which create potential risk to employees, customers, guests and facilities; to analyze and prioritize those potential risks; to analyze current security countermeasures in relation to the identified risks; and to offer recommendations, ranging from physical security measures to security personnel to security policies and procedures, to prevent and/or mitigate as many potential risks as possible. Many organizations have come to realize the value of an outside, independent, objective security audit process – such a review assures that all issues of potential concern have been identified and addressed.

Smaller businesses which do not have a proprietary security operation rightly utilize their local law enforcement agencies to provide basic protective efforts and believe that such involvement is sufficient for their security planning needs, but that is not necessarily the case – law enforcement agencies focus primarily on problem response and resolution, and rarely have the knowledge or experience to conduct thorough assessments of a business’s total security program which should focus primarily on development of prevention and mitigation strategies. While both components – prevention/mitigation and response/resolution – are essential for a thorough security plan, it is obviously much more beneficial to prevent problems whenever possible. So inclusion of the expertise of a security professional is something that should be considered. And in organizations that already have a proprietary security program, an occasional independent security assessment provides a fresh perspective to processes routinely managed by persons who may be too close to the situation to see it clearly and completely.

A security review of any business or security program by a totally independent security consultant, with no affiliations with equipment or personnel providers, can be invaluable in assuring that all security concerns have been identified and addressed in an objective manner, with recommendations geared to the particular needs and circumstances of a specific business.

Wednesday, December 28, 2011

Difference Between A Security Assessment and A Risk Analysis

The security assessment process is a common method used to determine specific security needs for a specific business based on the issue of foreseeability – the standard that Courts will use to determine if security was adequate and sufficient when security is legally challenged as a result of some incident that has occurred (something bad happens, someone gets hurt, you get sued). Pretty basic.

The security assessment process takes into account 4 specific issues: The inherent nature of the business (every place has its own inbuilt problems and vulnerabilities); the history of problems at the business (while not an exact predictor, past problems at any given place demonstrate the potential for future problems, all else being equal); history of problems in the area surrounding the business (problems which occur in the neighborhood have a tendency to affect everything within the neighborhood; nothing is immune); and industry standards/guidelines/best practices (what has been determined to work in similar places under similar circumstances is at least a good starting point to identify potential security strategies and tactics as related to identified threats and risks). Pretty straightforward for determining foreseeability – that which may occur.

But the concern for being sued shouldn’t be the only reason why a good security program should be part of a sound business plan – it’s just plain good business to maintain a place where assets are protected and employees and customers are safe.

So before a strategy to prevent and mitigate problems is formulated, perhaps we should first remember why security is important in the first place. And that determination can be accomplished by a risk analysis.

Before we begin figuring out why security is important, there are two basic premises that must be clearly understood:

1. There is no such thing as absolute or perfect security: No security program can ever totally assure that bad things will not occur or that a legal challenge will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation and persistence of a bad guy; the inexplicable failure of a protective measure at a crucial time; or even the whims of a jury – the best security measures may sometimes fail. So the best that can be hoped for is to control as many facets of the security strategy as possible, and to monitor the strategies sufficiently to assure that unanticipated failures can be best and most expediently mitigated.

2. There are always alternatives to how security measures can be implemented: Because the practice of security is both science and art – the science being the body of knowledge used in protective efforts; the art being the most appropriate application of that knowledge to a given circumstance – there will always be alternate ways to blend the stuff and the applications into a sound, workable and efficient protective strategy.

So here’s what we know thus far:

· Every business and its stuff needs to be protected.

· Every business needs to be concerned about liability.

· Since every business and its stuff is different from everyone else’s business and stuff, efforts to protect anyone’s business and stuff will necessarily be different from the efforts to protect anyone else’s business and stuff.

If we accept these enumerated hypotheses, it becomes obvious that some formal or at least conscious consideration must be given to the development of a security program – if I want to adequately protect my stuff and my liability, I need to consider my situation and develop a security plan accordingly. So how do I do that?  Here’s the outline for our risk analysis:

· If I need to protect my business and my stuff and my liability, I need to know exactly what my business and my stuff and my liability is (these are my “assets” and they include not only my building and equipment but my employees and customers and vendors and my reputation and my business practices and anything else that is valuable to me).

· If I need to protect my business and my stuff and my liability, I need to know all of the potential problems and threats I might encounter (these are my “risks” and they include all the manmade and natural problems, both deliberate and inadvertent that pose a threat to my business).

· If I’ve identified all my potential problems and threats, I need to know how likely it is that each of those problems and threats might occur (all of the bad things that can potentially happen at my business do not all have the same potential for happening – an assault is more likely than a tornado, employee theft is more likely than an armed robbery, etc. – so we need to figure out what is most likely to occur so that we can determine which security measures will be most appropriate).

· If I’ve determined the likelihood of occurrence of each of my potential problems and threats, I need to know what the impact would be to my business, stuff and liability if any of those potential problems or threats occurred (even if/when something bad occurs the impact on business will be different – the loss from an employee caught stealing on his first day of work has less impact on the bottom line than the loss from an employee who has been stealing for the past 3 years, an attempted robbery in which an innocent bystander is seriously injured has greater impact on a business’s reputation than a loud disagreement about incorrect change – so we need to figure out which of the bad things most likely to occur will have the greatest negative impact if/when they do occur so that we can determine how best to allocate the limited resources for security measures).

· If I need to develop a plan to protect my business and stuff from liability, I need to know if any adequate safeguards are currently in place (we need to determine if existing security measures are adequate to protect all identified assets and meet all identified risks, and to determine what additional security measures might need to be implemented).

So there you have it – we’ve come full circle: We know how to implement appropriate security strategies that will protect our businesses and do so in a manner that is legally defensible (by determining foreseeability via a security assessment); and we now know how to determine why we need a security program (as identified via a risk analysis).

Thursday, October 06, 2011

Private Security / Law Enforcement Partnerships

There are probably a few readers who are wondering why this issue is even being discussed, since there are still a few security practitioners who do not (or cannot) see the importance and value of developing good working relationships and partnerships with our law enforcement counterparts. While it may not be the most current trendy management philosophy, I can state categorically after more than 30 years in private security that having good relationships with public law enforcement is not only desirable, but it is absolutely necessary to the success of a security or loss prevention program. Without belaboring the issue, let me illustrate just a few salient points:

· There will undoubtedly come a time when some type of criminal act occurs at the organization for which you have security responsibility; and there will undoubtedly be a time when that criminal act requires, for whatever reason, some form of law enforcement involvement. That type of incident should not be the first time that you have had communication with the appropriate law enforcement agency. Knowing each other beforehand will go a long way towards a satisfactory, timely and successful resolution to your problem. (And this relationship will prove even more important if the problem becomes complicated or difficult.)

· There will undoubtedly come a time when some form of emergency situation occurs at the organization for which you have security responsibility (a fire; a bomb threat; a power outage; a lost child; a domestic dispute involving an employee; etc. etc. etc.). Knowing who to contact and what to expect from the appropriate law enforcement agency will prove essential to successful problem resolution.

· There will undoubtedly come a time when a company investigation in which you are involved requires more information or resources than you have internally. Having a good working relationship with the appropriate law enforcement agency will provide at the very least a sounding board for discussing your situation and getting an informed second opinion; and may even provide the information and/or resources that you are lacking to continue or complete your investigation.

These are only a few obvious examples of the practical need for sound working relationships between the private security sector and public law enforcement. But the benefits of such relationships go beyond the boundaries of an individual security practitioner’s needs for his own organization. As far back as the 1970’s, there has been a realization that public law enforcement cannot do its job alone: increases in criminal activity and public outcry against continually-rising taxes have created a situation in which public law enforcement is spread dangerously thin. It is unrealistic and unreasonable to expect that law enforcement can immediately respond to every citizen’s – or every business’s – wants and needs. So, along with the increased necessity for a business organization to be more self-reliant with regard to its own security needs, so, too, does that necessitate a sound partnership with involved law enforcement agencies so that both sides know what to expect from the other, to ensure proper strategic and operational planning. And this concept was dramatized and heightened even more after the tragic events of 9/11.

And then there is the altruistic reason. We in the security and LP industries frequently don’t give ourselves enough credit for the importance of our role (perhaps because we are all too often held in relatively low esteem by our employers – but that is another topic for discussion). Maybe it’s time to view ourselves from a different perspective. Since business and industry is the backbone of the American economy and culture, doesn’t it seem crucial for business and industry to be protected? Isn’t the protection of our business places (corporate citizens) as important as the protection of our individual citizens? So...from this viewpoint, maybe our role is a little more important than we have heretofore realized or given ourselves credit for. Perhaps there is not significant importance individually, but certainly collectively. And our role is becoming ever more important because of the myriad of threats that the American businessplace is experiencing in today’s social and economic reality – the stability of the American economy is unquestionably a target; and the economy goes as its individual components (i.e., our organizations) go. Whether we admit to it or not, and whether we like it or not, we are part of the overall criminal justice system. And, as such, we play a vital part in the protection of our society via the protection of our companies; and we must learn to work with other protective agencies to assure that we can successfully do our jobs.

I hope I have at least provided some sound arguments for the need for good working relationships and partnerships with public law enforcement.

Thursday, August 18, 2011

Security Standards and the Question of Liability

There has recently been much rhetoric over the issue of security standards. Organizations such as UL (Underwriters Laboratories), NFPA (National Fire Protection Association) and ASIS International have undertaken projects to develop standards. And the process and even advisability of developing standards have both supporters and detractors. But with all the discussion and debate that has taken place, little has been said – at least publicly – about the issue that will have significant impact on the implementation of security standards: liability.

The reason that liability will be such a significant factor is because liability in and of itself is a controversial topic. While in theory there could probably be almost universal consensus that liability exposure should be avoided at all cost, the reality is that since virtually nothing can be done to guarantee the elimination of all liability (at least not until we cease to be such a litigious society), there has to be a recognition of the difference between trying to eliminate all risk and liability, and accepting or at least managing reasonable risk and liability.

As a quick reminder of Liability 101, “getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about total liability avoidance in the business world – the bean counters and corporate attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability. And the addition of security standards will be another factor in muddying the liability waters.

Security is not an exact science, and thus is not readily adaptable to the “cookie-cutter” or “one-size-fits-all” mold. And that is why developing security standards will be a formidable task, especially as related to the issue of liability. Once the factor of liability is brought into the security standards equation, the forensic interpretation of adequacy and sufficiency of security as determined by the Courts must be considered. And it will be in this legal arena that the full impact and importance of security standards will ultimately be determined.

From a practical perspective, the implementation of any security standards that may be developed will have mixed results. While some may see such standards as a “no-brainer” way to implement a security program, others will be more cautious. And both will be correct in their own limited ways: If developed properly, a set of standards will be a guide for building a basic security program; but since adequacy and sufficiency of any given security program is related to reasonableness vis-à-vis the risks at a given place, standards may not be appropriate in certain situations.

Moving forward to Security Liability 101, Courts across the country have long and consistently held that security measures must be commensurate with reasonably foreseeable threats and risks at a given place – the operative words being “foreseeable” and “given place.” This means that security programs will necessarily be different at different places (perhaps even at different places within the same organization) because the threats and risks might be different. So trying to find a set of standards that will be applicable to the myriad of potential scenarios will be difficult (at best) if not impossible to achieve.

The main value that I see to security standards is a compilation of strategies and best practices from which any organization can choose those which best suit its particular needs. And again, since security is not an exact science and there are almost always multiple ways to solve any given problem, such a compilation will allow any organization to pick and choose from a variety of strategies from which a sound security plan can be developed. This will meet the needs of organizations looking to maximize their security posture while also providing a framework for liability avoidance.

Wednesday, July 06, 2011

The Real Essence of Trials

The variety and disparity of feelings and opinions on the Casey Anthony verdict offers a timely opportunity to review the real purpose and conduct of trials.

As I state in the lectures on courtroom testimony and demeanor that I present to security officers,  a courtroom is not necessarily or unequivocally a place where justice is served; rather, it is a stage where situations and words are manipulated and where attorneys use the tools of credibility and persuasion to attain a desired result (hopefully with justice as a product).  A trial is basically and primarily a process of credibility vs. non-credibility – the side that is most believable usually wins, because every word uttered in court is subject to interpretation, analysis and impeachment.  A somewhat cynical description, but accurate.

As has been demonstrated in mock trials and moot courts, cases tried with the same basic sets of facts and evidence but presented by different litigators using different strategies and techniques can produce completely opposite verdicts.  And in the real world, we all know that the “quality” and/or intensity of prosecution and/or defense representation can have a profound effect on trials.

The moral:  While the facts of a case are undoubtedly important, the manner and style of case strategy and presentation is also of great importance.  This is a crucial concept to remember for security professionals who become involved and/or testify in legal matters as case principals, consultants and/or experts.

Sunday, June 26, 2011

Living In “Relaxed Alertness”

Prevention of inappropriate acts, both criminal and terroristic, surely depends on good intelligence which includes (in overly simplistic terms): identifying the bad guys, learning about their plans, stopping the bad guys. But let’s not forget that bad acts are also thwarted by the hardening of potential targets.

We have heard the term “soft targets” used quite a bit lately. “Soft targets” generally refers to those places which traditionally attract little evil intent and which consequently do not prepare very well security-wise for the worst-case scenario. (Examples of soft targets include churches, shopping malls, hospitals, daycare centers, sports/entertainment venues, ground transportation systems and the like – places which attract large numbers of persons who are not immediately or primarily focused on security issues.) So “soft targets” become attractive to the bad guys because of the potential for a high-yield event with relatively little effort.

I certainly do not advocate making our society even more of an armed fortress than it currently is – the terrorists have already accomplished part of their goal by disrupting and changing our everyday way of life. But on the other hand, we have to stop being a reactive culture – we have to realize that bad people do bad things, and that we have some personal/corporate responsibility to do what we can to prevent and mitigate those bad people and things. All individuals and businesses should do some self-assessment of their particular security needs: determine what is important (their “assets”); determine what bad things can reasonably be anticipated to happen to those important things; and initiate an appropriate and commensurate security strategy. In other words, everybody should pretty much always be in a state of “relaxed alertness,” aware of surroundings, understanding that something bad could possibly happen, understanding that reasonable efforts have been taken to avoid those bad things, and being prepared to deal with the bad things if our proactive measures have not been totally adequate. This is not paranoia, it is simply being conscious of what could happen and being reasonably prepared for it.

(In fact, isn’t this a realistic and pretty good way to look at life in general??)

Friday, May 13, 2011

“Old School” vs. “New School” Security

There is definitely a distinct difference between “old school” and “new school” security philosophy.

While I understand and (sometimes) even appreciate and (sometimes) even utilize facets of “new school” thinking, I am basically an “old school” kind of security professional – maybe even a dinosaur. But my “old school” philosophy has been honed from over 40 years in this profession, in a great variety of activities and circumstances and situations. And my “old school” philosophy has resulted in significant successes at the 3 organizations for which I was Director of Security: no significant losses, no significant incidents, no significant problem trends, and NO successful lawsuits against my organizations. (In fact, the losses and incidents and trends and lawsuits increased substantially at those 3 organizations after I left them and was replaced by “new school” devotees.)

While there are many major differences between “old school” and “new school” security philosophy, here is what I see as perhaps the most significant: I have always spent more time planning security strategies than researching the metrics (see – “metrics” – a “new school” term). After I had built credibility in my organizations with those who counted – senior executive management, corporate attorneys and bean-counters – I was able to convince them of the efficacy of my strategies/programs without the need for the pretty charts and the myriad of footnotes and references and the 6 numbers after the decimal point. I had been there and done that and gotten the T-shirts so successfully that my word was sufficient. And then you can’t much argue with success. So I basically used my personal experience and knowledge, added a little intelligence-gathering (kept abreast of the news and the trade publications and watched and listened and observed), and then spent the majority of my time developing and refining my already-successful strategies and actually doing the things that protected my organizations.

Yes, it was a different time. Managers were selected for their abilities and were actually allowed to manage. As an experienced and credentialed security professional, I was expected to provide quality security services, and I didn’t have to reinvent the wheel every time I wanted to do something because it was presumed – in fact demanded – that that was my function as the responsible executive. Today is different, and today’s security executives rarely have the authority and responsibility (which just may equate to credibility?) to do the things that really should be done to adequately protect their organizations.

Yes, there is a big difference between vulnerabilities and threats. But until I have been convinced otherwise, every vulnerability is at least a potential threat that I have to assess and prioritize and act on. With the vast majority of my business now being involved in litigation as a Court-recognized expert witness, I continually observe organizations whose security programs are of the “it-can’t-happen-to-me” or “it-didn’t-happen-to-me-yesterday-so-it-won’t-happen-to-me-tomorrow” schools of thought; and those organizations almost always lose more in the lawsuits which transpire after it does happen to them and they didn’t plan accordingly than if they had been proactive. In security, the adage of “an ounce of prevention is worth more than a pound of cure” is almost always spot-on.

I guess the reason that I will remain “old school” is because after 40 years I have the metrics to prove that my “old school” way works, while “new school” advocates can only watch and wait and hope that their way is equally effective – I hope it is, but I do have my doubts.

Monday, January 24, 2011

What Is An "Expert?"

When a technical or specialized issue (like medicine, or ballistics, or security) is raised through a legal proceeding (criminal trial, civil lawsuit/tort, etc.), attorneys for either or both sides will frequently retain/hire an "expert witness" to provide detailed, in-depth information about that technical/specialized issue and/or to render an "expert opinion" with regard to the technical/specialized issue as it relates to a particular case at hand.

There is no magic “standard” by which one is considered an expert. Attorneys generally try to select an individual with extensive experience in the technical/specialized field and who has some “reputation” for his knowledge and experience – in other words, someone who is generally regarded as a “go-to guy” in his field. Then, after being selected by an attorney, appointed as the “expert” for the case, and formally rendering an “expert opinion” in the case, the expert is scrutinized by opposing counsel who usually tries to question and refute the expert’s qualifications. Opposing counsel tries to present evidence to discredit the expert’s qualifications and/or credibility (I have actually been in depositions in which my background qualifications have been questioned for more than 4 hours – and no, I have never been disqualified as an expert). And if and/or when a case finally appears before a Judge, the expert may be formally recognized by the Court as an “expert”. This means that a Court has formally accepted the credentials of the expert and formally acknowledged his status as an “expert in his field.”

The opinions rendered by an expert during a legal proceeding may be presented/used in several ways: They may be used solely as advice/consultation by an attorney to help understand the issue and prepare his case; they may be used as the basis for a written "opinion report" which becomes part of the formal legal proceedings and case record; and/or they may be used as the basis for the expert’s testimony at deposition and/or trial. When an expert formally renders an opinion (via written report or testimony), that opinion is routinely scrutinized by the opposing side in the case; and opposing counsel may very well retain his own expert to review or refute.

Now comes the tricky part, and the part where the issue of “standards” comes into play. When an expert renders his opinion, he is really being asked to opine based on what in his own knowledge and experience is the most appropriate way of handling a particular situation under a given set of circumstances; and then to be able to convince the trier of fact (Judge or jury) that his way is better than the way being promulgated by the opposing side.

Let me digress for a moment to make a statement that I make immediately at the start of the class I teach on courtroom demeanor and testimony: Contrary to popular opinion, a trial is NOT a proceeding in which truth and justice are determined (although that may happen, albeit accidentally); a trial IS a proceeding in which one side’s opinion and testimony is more convincing than the other side’s, to one particular trier of fact, at one particular moment in time. The “winner” is not always truth and righteousness, and the “loser” is not always guilty. PERIOD. THE END.

So back to the issue of “experts.” For the sake of example, let’s say that the issue at hand is the appropriateness of actions taken by a security officer during an apprehension. The attorney for the “victim” (the plaintiff, the person who is complaining about the way that the apprehension was made) will probably have an expert who will testify that the procedure was totally wrong for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). And the attorney for the security officer and his company (the defendant) will probably have an expert who will testify that the actions were entirely appropriate and proper for a variety of reasons (issues like the officer’s actions in relation to training, policies, industry practices, exigent circumstances, and the like). SEE THE CONUNDRUM??????? Because there are no universal “standards” – an across-the-board, common way of doing things – who is to say who is right or who is wrong?? Sure, there are occasionally examples of actions so egregious that they are clearly wrong. But by and large, because there are no standards, it will boil down to whose expert and testimony was most credible and compelling. And this is why almost any attorney can almost always find an “expert” who will find some way to defend almost any action or position.

So…almost anyone in a given field can hold themselves out as an “expert” in that field. But being regarded as an expert in a court of law is a painstaking process that subjects the expert to widespread scrutiny of his qualifications, credentials and prior opinions. Most successful experts do little actual marketing, because their services are usually sought via word of mouth by attorneys or via reputation gained in similar and/or important cases.

I hope this sheds a little light…..

Tuesday, October 26, 2010

The Conundrum of Security

Here is a question for the ages: Why is it that – by and large – security has not been as widely accepted and embraced into corporate culture as virtually every other business operation discipline?


If this question could be answered, businesses would be much more secure, their assets would be better protected, and profits would necessarily grow commensurately. But we as individual practitioners and as an industry have failed to convince the C-Suite of this fundamental reality. Why??

While usually not analyzed as I will try to do, there is really very little difference between the security function and other operational disciplines. Consider:

· Security is generally considered a pure cost center. But isn’t protecting and retaining assets and profit (i.e., avoiding loss and liability) just as important to the bottom line as growing assets and profit?

· If money is spent ($ cost) to protect an asset and the asset is preserved, the full value of the asset is realized ($ retained + $ profit gained).

· If no money is spent ($ savings) to protect an asset and the asset is lost ($ value loss + $ profit loss) the asset needs to be replaced ($ cost), and then security will probably be added ($ cost) to protect the asset so it is not lost again.

So doesn’t providing proactive security actually save money in the long run and create the setting in which profit can be gained?


Security is generally considered (at best) a “necessary evil” because it serves to protect against problems that may never occur. But isn’t that also a function of many other operational components that are considered integral to business functioning:

· Doesn’t Environmental Services clean spills so that someone doesn’t slip and fall (which may never happen even if the floor remains wet)?

· Doesn’t Maintenance make sure that machines keep on running properly so that production isn’t halted (which may never happen even if the machine isn’t maintained)?

· Doesn’t Marketing develop ad campaigns so that products or services sell (even though products or services may sell even if the ads weren’t run)?

· Doesn’t Human Resources develop policies for issues like workplace violence and sexual harassment (even though workplace violence and sexual harassment may never occur)?

· Doesn’t Accounting have an outside auditor come in periodically to check the books (even though no mistakes or irregularities may be found)?

So why is security, which provides a secure environment so the business of the business can be conducted properly, not considered as important as those other functions? When – or if – this question is answered, the business world will be a better and safer place.

Thursday, September 09, 2010

Developing an Emergency Plan

There is unfortunately no magic template that will help an organization develop an emergency plan because there are so many variables such as size and location of business, nature of business, types of employees and invitees, internal resources available, external resources available, etc. etc. etc.


That being said, here are a few thoughts that might be helpful:

· There is no such thing as AN emergency plan. Different plans must be developed to address a variety of potential emergencies (this should be obvious but is not always – for example, a weather-related emergency is totally different from an active shooter scenario).

· A team approach to plan development is good, bringing to the table not only the persons/functions responsible for crisis management but other representative stakeholders as well (both internal and external).

· Good emergency planning deals with issues related to emergency prevention/mitigation, response during the emergency, and aftermath response to include business continuity planning.

· A good emergency plan is as complex as needed yet as simple as possible.

· Having someone knowledgeable in emergency plan development is of paramount importance, to help the team focus on not only the major issues to be considered but the subtle nuances as well. This key resource person might be internal or external, might be an independent security consultant, or might be a local law enforcement or fire service representative. Public safety agencies need to be involved in planning and testing, but keep in mind that public safety agencies may not have the expertise and/or resources to serve as the key plan development resource (this is especially true in public safety agencies in smaller communities).

· Emergency plans, once formulated, need to be formalized via company policies, with appropriate sanctions for non-compliance.

· Emergency plans need to be tested on a regularly recurring basis, with both tabletop and practical drills, to include all entities that will be involved during an actual emergency. Things that look good on paper do not always translate equally to application. The purpose and ultimate value of drills is to not only look for the things that are right with the plan, but to actively seek out the things that are deficient so they can be modified/remedied.

· Emergency plans need to be reviewed on a regularly recurring basis. As organizations change (facilities, assets, resources, etc.), plans need to be modified accordingly.


Emergencies can and do occur – that is a basic fact of life. How well an organization copes with those emergencies is a function of sound planning and preparation.

Friday, July 16, 2010

The Security Return on Investment

If looked at solely from the perspective of immediate dollars-and-cents ROI, most security programs would be quickly eliminated, because they are almost always a “cost” center as opposed to a “profit” center – that is, they seldom generate enough revenue to at least pay for themselves. But this is a very narrow viewpoint that does not take into account the value of asset retention.

Since the primary foundation of a security program is to prevent or at least mitigate threats to assets, a successful program will be very difficult to “see.” It is hard to quantify that which does not occur. But the retention of assets (in other words, keeping the assets safely within the organization) is a concept that can be quantified and valued, at least in a general sense.

As a general rule, the failure to implement a sound security program until after a significant loss has occurred will be at least 3 times as expensive as implementing a security program from the outset: there will be the costs associated with the compromise/loss of the asset; there will be the costs associated with the replacement of the asset that was lost; and there will be the costs associated with then implementing the protective measures that could have prevented the loss in the first place.

The investment in a sound security program can be likened to the investment in a good insurance policy: premiums continue to be paid for coverage that may never be needed, but that coverage is found to be truly indispensable and cost-effective when it is needed.

Monday, March 15, 2010

Security's "Cycle for Failure"

Here in simplistic terms is my perspective of the basic cycle that causes many of the problems that are faced throughout the security industry – what I have termed the “cycle for failure:”

1. In the business world, the security function is often misunderstood and frequently viewed (sometimes at best) as a necessary evil.

2. As a result, the security function is rarely given adequate, sufficient and/or appropriate resources and organizational support.

3. As a result, one of the key management functions related to a sound security program – recruitment, selection, vetting, hiring, training, supervision and retention of security personnel – is not handled appropriately; and the resources needed for appropriate physical security measures are not available.

4. As a result, basic security tasks such as security needs assessments leading to appropriate security strategies do not get accomplished or do not get accomplished well; and the things needed to provide adequate security are ignored.

5. As a result, a feeling and then a culture of apathy grows within the security department, because that which needs to be done is left undone.

6. As a result, the security function becomes far less effective than it could or should be, reinforcing #1 above and continuing the cycle.

I wish someone could prove me wrong. But after more than 30 years in this industry, as both Director of Security and an independent consultant, it is a cycle that I see time and time again. Organizations with adequate and sufficient security are the exception rather than the rule.

Saturday, January 16, 2010

Political Correctness and Security

Like it or not, political correctness – loosely defined as being consciously cautious of doing or saying anything to minimalize or denigrate any particular group – is here to stay. And like it or not, political correctness is an impediment to good security.

As a career security practitioner, I have had to deal with a great diversity of persons and ideas. And even if I do say so myself, I am one of the least biased persons I know – I believe I am tolerant of just about everyone and everything...until I have some reason to not be tolerant. And therein lies the problem with political correctness.

Perhaps – I hope – it’s just a matter of our not finding a more appropriate term in our American-English language. But I think that we sometimes confuse political correctness with a legitimate response to facts; and when we deal with facts, political correctness should take a back seat. Let me illustrate:

Retail establishments frequently utilize security personnel to guard against thievery. When a review of theft incidents over a lengthy period of time factually determines that 83% of apprehensions for theft were of black (or white or yellow or brown) females between the ages of 15 and 24, why should it be considered politically incorrect to focus surveillance activities on the persons of that particular demographic? In fact, wouldn’t a store security agent be remiss in his duties if he ignored such documented facts and trends?

The groups “offended” by acts of political incorrectness have become so outraged and vocal that some of us have become overly cautious in our interactions. We choose our words and our actions so carefully that we almost never say what is really on our minds or say what we really mean – even when it is the truth. In fact, it is almost impossible to say or do anything that will not “offend” someone’s sensitivities.

But even when that is the case, security practitioners should not – and cannot – let the quest for political correctness override their protective responsibilities. No, we should not target or accuse anyone needlessly; but neither should we look the other way when facts clearly demonstrate that someone or some group bears additional scrutiny. We cannot ignore the female customers in the store per the example above; we cannot ignore the black driver cruising the white neighborhood at 3:00 AM; we cannot ignore the young Middle Eastern man buying a one-way ticket with cash at the airline counter. When we have objectively gathered the facts and the facts reveal distinct patterns, we cannot ignore those patterns for the sake of being politically correct. We must continue to use the information available to us to be diligent in the performance of our duties, for to do otherwise is in itself a serious abrogation of our responsibility.

Come to think of it, I guess I’m not being politically correct just by questioning political correctness.

Monday, January 04, 2010

The Dichotomy of Security

We can’t have it both ways:

We want to be safe in our homes and in our everyday lives; but we don’t want to “waste” our free time by joining the neighborhood watch or by calling the police when we see something suspicious.

We want to feel safe in our workplaces, in our offices and parking areas, and we want our business visitors to feel safe and welcome; but we don’t want to have to use an access card or biometric reader to enter our workplaces or parking lots and we don’t want to be surveilled while we work and we don’t want to inconvenience our visitors by having them sign in.

We want to be safe on our streets; but we don’t want “Big Brother” watching us on surveillance cameras or to have police patrols randomly questioning us.

We want good service and low prices at the stores in which we shop; but we don’t want store security personnel watching us on surveillance cameras or following us while we shop.

We want banks to keep our money safe, and to make it available to us at a moment’s notice; but we don’t want to give our fingerprints to make a withdrawal or to have to remember and change our account passwords.

We want to move quickly and easily through airports and we want our flights to be safe; but we don’t want long security checkpoint lines or intrusive body searches or have our bags poked and prodded and inspected by security personnel.

We want to feel safe in our nation and we don’t want terrorists on our shores; but we complain about our taxes and criticize the military for their actions and want to afford terrorist detainees the same rights and protections as we citizens enjoy.

And on and on and on........

In other words – we want to be free and safe, but we want none of the prices that have to be paid to remain that way.

Unfortunately, we can’t have it both ways.

Saturday, January 02, 2010

Security Challenges for 2010 (and beyond)

Based on history and experience, security challenges in 2010 will not diminish – in fact, they will probably grow. Here is my forecast:

1. The economy will continue to play a big part as related to security challenges. As (or if) the economy strengthens, business will focus on regaining that which was lost (sales, market share, profitability, etc.) and will tend to ignore (or at least overlook) maintaining what it still has. This means that security and loss prevention issues will probably remain overlooked until and unless specific and serious problems arise.

2. Strong security leadership will continue to erode. Security executives will be so busy focusing on keeping their jobs and covering their posteriors (the two go hand-in-hand) that they will continue to overlook doing what is really necessary to protect the organizations they serve. Political correctness will abound, usually at the expense of truly good security.

3. Because security is still viewed in many organizations as a necessary evil rather than as a necessary business partner, security functions will remain relegated to lower-level importance and responsibility. This, coupled with #2 above (the erosion of strong security leadership) will continue the seemingly-endless cycle.

4. Because of all of the above, it will be difficult to develop the next generation of competent security leadership. When employees see the difficulties and roadblocks faced by their executives, there is little incentive to aspire to those positions.

So is the future, beginning in 2010, totally bleak? No. These are predictions, not unchangeable destiny. We as both an industry and individual practitioners/professionals must continue to clearly demonstrate and promote the value of our service. We need the few remaining strong leaders to sound the trumpets and beat the drums to show corporate executives that security is part of the fabric that keeps organizations together, healthy and prosperous. We must continue to prove that protecting assets is as important as generating new sales. In short, we must convince our bosses that security is an important, vital and integral part of every business.

The fate of security rests in our own hands. If we practitioners fail in the primary task of the self-promotion of ourselves and our industry, we have no one but ourselves to blame when my predictions become self-fulfilling prophecy.

Friday, December 11, 2009

The Demise of the Keeper of the Problem

While the concept of synergy has been widely espoused throughout the business world and certainly does result in many positive benefits, it is seldom the answer to problems, because the synergistic approach is intended to supplement other management philosophies and practices, not totally supplant them.

The basic concept of synergy – that cooperative interaction produces a result greater than the sum of individual efforts – has manifested itself in various ways, many of which are based on the Total Quality Management platform. But there is an old adage that says “When everyone is responsible, no one is responsible.” And the strict adherents to the synergistic approach unfortunately (or conveniently) forget that adage. Those proponents/adherents like to believe that group dynamics is the only way to problem-solve. But what they forget is that someone still has to accept ultimate responsibility for problem resolution – someone has to be the “Keeper of the Problem.”

Businesses cannot operate successfully when everything is done by the committee process (which is usually the outward manifestation of the synergistic approach) – there are simply too many different disciplines involved in the running of a successful enterprise for everyone to be deeply involved in everything. Yes, looking at issues from a variety of disparate points of view brings new perspectives and uncovers additional potential strategies and solutions. But what happens after the identification of deficiencies and their resolutions is what distinguishes the traditional management philosophy from a totally synergistic approach. In the synergistic model, all stakeholders in the problem and resolution identification process believe that they all share responsibility for resolution implementation. This is usually a logistically-unworkable situation. But the traditional model recognizes the value of outside input while still placing responsibility for resolution implementation squarely where it belongs, with the person or department with direct and specific expertise, authority and responsibility for the issue at hand – the “Keeper of the Problem.”

Even in organizations which claim to totally embrace the synergistic approach, there usually are some vestiges of the traditional management model: Departments are usually delineated by common function; individuals usually have job descriptions/titles connoting their specific functions; and some hierarchical structure usually exists. So there is some recognition of role and rank delineation, based on subject-matter expertise, which in itself concedes that everyone cannot know everything about everything; and which also concedes that order and efficiency necessitate some role and hierarchical rank delineation. In other words, every organization needs to identify subject-matter expertise and assign commensurate authority and responsibility – to the “Keeper of the Problem.”

Keeping everyone aware and advised of everyone else’s issues and problems is basically a good concept – it gives a broader perspective and helps everyone understand the “big picture.” But what usually happens is that people begin to think that they know everything about everything, and that they can thus fix everything. So everyone becomes involved in everything ELSE, frequently to the exclusion of their own job.

In days of yore, when dinosaurs roamed and ruled the planet, everyone had a neat and compartmentalized job. Everyone knew exactly what his job was, and it was expected – nay demanded – that the jobs be performed to a high degree of excellence. And when everyone had a job and knew how to do it and in fact did it, everything got done well. And that included security and loss prevention. And our companies’ assets were protected, and the world was happy. Because there were “Keepers of the Problem” – people with responsibility and commensurate authority and accountability.

This is not a new concept – it is tried-and-true. We didn’t get away from this concept because it didn’t work; we got away from it because the management gurus (à la Tom Peters) found that offering new ways of doing things with the HOPE that things might get better would sell their programs. But what they forgot to put in their books and videos and training programs was that change does not always bring positive results; change can also bring negative results. Change is not necessarily better, it is just different. And……. something that has been said for far longer than any of us have been around is still oh-so-true today:

Too many cooks spoil the broth.

Saturday, October 10, 2009

An Equitable System for Evaluating Personnel

In my communications with security practitioners, I frequently hear the lament about the inadequacy of standards or criteria used for evaluating personnel (and I suspect that this is an issue in many other industries as well). So in an attempt to shed some light on a subject for which I was personally responsible during my years as a Security Director, I offer the following insights:

The fact that there can be so many variables in a person’s employment situation – the type of enterprise, location of facilities, reporting structure, philosophy of immediate supervisor, etc. – makes it of utmost importance to have a performance evaluation system in place that accounts for these differences.

I have always believed that every job title needed 3 corresponding personnel-related formal documents:

Job Description - This is a document unique to a job title, applicable to anyone with that job title. It contains the formal, HR-based, legally-required information such as generalized duties and responsibilities; reporting structure; OSHA and FLSA classifications; salary grade; minimum knowledge, skills and abilities required; working conditions, etc.

Performance Expectations – This is a document unique to a job title, applicable to anyone with that job title. It contains the general guidelines outlining what is minimally expected and required of any and all individuals in a given job title – what is minimally necessary to succeed in and retain the job.

Performance Standards - This is a document related to a job title, but customized and tailored specifically to each employee with that job title. It contains the objective, measurable and quantifiable standards common to the job title, which are then apportioned and weighted in a unique way to each individual based on the individual’s unique combination of experience and situation (as a very simplified example: the performance standards for every individual with the “LP Agent” job title contain a line item for “making external apprehensions.” But Joe’s standard is weighted at 30 percent because Joe has 3 years of company experience, 2 years of prior experience, and is assigned to a store with many external problems; while Jim’s standard is weighted at only 10 percent because he is a new, inexperienced agent assigned to a store with very few external problems). The Performance Standards then form the basis for the numerical point total or “grade” that the individual gets at his performance evaluation, and which is then directly and objectively linked to any merit salary raise (for example: 79 points equals a 2.5 percent increase).

After MANY years in management, this is still the most equitable way I know of to account for each employee’s unique situation, rate every employee on an equitable, objective basis, and take away any challengeable differences in salary administration.