Sunday, December 10, 2006

The Security Professional's Role in School Security

While tragically unfortunate, it is nonetheless a reality of today that school administrators must regularly ask themselves 2 important questions: “Are my schools safe and secure?” and “Will my schools’ security stand up to the legal scrutiny and challenges that will undoubtedly arise from a tragic incident?” In many cases, the honest answer to these questions is….“I don’t know.”

In the aftermath of Columbine and other such incidents across the country, security is an issue that must be of concern to anyone who is responsible for the safety and well-being of others. And now, with these types of incidents occurring with alarming frequency, the questions necessarily arise:

· Are there appropriate physical security safeguards in place?
· Is there a security plan?
· Does the security plan have commensurate policies, procedures, and training?
· Are tabletop and practical drills conducted to assure that the security plan is workable?
· Are there review procedures to assure that the security plan remains current?
· Has the security plan been reviewed to assure its adequacy and sufficiency – is it legally defensible (the standard that courts will use if your security plan is challenged)?

Many organizations, even those with proprietary capabilities in areas such as human resources, finance, or risk management realize the value of an outside, independent, objective audit process. Such a review assures that all issues of potential concern have been identified and addressed; and provides a fresh perspective to processes routinely managed by persons who may be too close to the situation to see it clearly and completely. And while many school districts rightly utilize their local law enforcement agencies to provide basic protective efforts and believe that such involvement is sufficient for their security planning needs, that is not necessarily the case. Consider that law enforcement agencies rarely have the knowledge or experience to conduct thorough assessments of a school’s total security program, because law enforcement officials focus primarily on problem response and resolution. Security professionals focus primarily on development of prevention and mitigation strategies. While both components (prevention/mitigation and response/resolution) are essential for a thorough school security plan, it is obviously much more beneficial to prevent problems whenever possible. So inclusion of the expertise of security professionals is something that should be considered.

A security assessment of a school and its campus is conducted to identify factors which create potential risk to students, staff, visitors, and facilities; to analyze and prioritize those potential risks; to analyze current security countermeasures in relation to the identified risks; and to offer recommendations as appropriate to prevent and/or mitigate as many potential risks as possible. The assessment process is usually accomplished via 3 basic methods:

· interviews with key administrative personnel and representative constituent focus groups, to identify security wants and needs; and to determine the current perceived state of security within the facilities
· review of any current policies, procedures and practices relating to security, to determine their adequacy and sufficiency
· a physical inspection and survey of facilities, to determine the current state of security; this inspection will include any current and/or proposed security systems, to determine their adequacy and sufficiency

So if your school administrators have been thinking about security needs, but didn’t know where to find professional, cost-effective direction and advice, look no further – a competent security professional may be your answer.

Sunday, November 26, 2006

Liabilities of Contract Workers

The use of outsourced/contracted services has grown significantly in the current economy which places a premium on keeping the number of actual employees as low as possible. So the work that was once done by employees is now frequently done by outside services (temps, contractors, etc.). This situation has created a vulnerability in an organization’s security that is frequently overlooked.

While some basic screening of a company being considered to provide outsourced services is often done, this type of screening is usually related to work performance. Many organizations incorrectly assume that contractor companies will adequately screen their employees, but that is often not the case. Service providers generally need large numbers of employees to staff their client accounts; but service providers usually pay relatively low wages, resulting in high turnover, which makes the hiring of employees a constant challenge. The need for personnel in general often outweighs (at least in the service providers’ minds) the need for competent, well-screened personnel. So, absent some specific contract direction from a specific client, the task of doing comprehensive background checks is frequently neglected. So organizations seeking a service provider presume that they are getting well-qualified, well-screened workers, when in fact this is frequently not the case.

This situation – potentially unscreened contract workers – can present a significant vulnerability and liability. Contract workers are usually given the same, if not greater, access to company facilities as are company employees. No one bothers to take a second look at “Joe the housekeeper” who is seen in and around the facility every day, going into every office and secure area in the course of his duties. But if “Joe” has not been properly screened – and worse, if “Joe” has some malicious intent using his position and access – then the organization has a threat that is already inside their “secure perimeter”, a threat that is often overlooked when problems begin.

The steps that an organization should take to mitigate this potential problem are as follows:

· The organization must establish its need for outsourced workers from a variety of operational perspectives, not just cost. Both the benefits as well as the pitfalls of using contract workers must be considered.

· The organization must determine exactly how and where contract workers will be used, so that management understands its potential vulnerabilities.

· The organization must assure that the background screening procedures of a potential service provider are adequate and sufficient, to the satisfaction of the organization (all screening procedures are not the same – what is “adequate” to one service provider may not be adequate to another). As a general guideline, screening procedures deemed acceptable from a service provider should be relatively comparable to the organization’s own screening procedures.

· The organization must develop contract specifications which require adequate background screening for all workers assigned to the organization’s facilities (both regular workers as well as temporaries and replacements).

· The organization must develop contract specifications that provide for the service provider’s background screening findings to be shared with the organization, for any worker to be assigned to the organization (the results and analysis of a background investigation must be satisfactory to the client organization, not just the service provider).

· The organization must establish operational procedures and parameters for contract workers. Such issues include access control (both perimeter and interior), uniforms, badging, adherence to workplace rules, etc. If company employees must follow established procedures and are not given free access to or within the facility, why should the contract workers?

· The organization must assure adequate control and oversight of contract workers: The organization should retain direct operational supervision of the workers, while administrative management is the responsibility of the service provider.

· The organization should retain the right to assess workers’ performance in accordance with established standards and criteria; and the organization should retain the right to have contract workers removed and replaced at its discretion.

Contract workers are often the “invisible” people in an organization, whose presence is taken for granted. They can be a source of great service and benefit to a company. But they can also be a source of many problems. So careful consideration must be given to their use, selection and oversight.

Friday, November 17, 2006

Aggressive Security As Deterrence

In one of my past lives I was involved in retail loss prevention as an agent, a suburban-store LP Manager, and finally as Corporate Director of LP. Our company, a high-end retailer, used aggressive policies (I guess the current, more pc term is "assertive") in terms of apprehension and prosecution. For all practical purposes, we prosecuted all adults. This practice has recently fallen into disfavor with many retailers. But the benefits that existed then are still applicable now.

We wanted everyone - other bad guys, honest shoppers, employees, everyone - to know that we aggressively went after people that did bad things in and to our company. And it didn't matter if we were doing externals or internals - an employee caught stealing was treated the same as someone off the street.

What did that policy do to how we were viewed (our "reputation")? Well, among other retailers and among the bad guys who consciously cared about such things, we were pretty much known as the place NOT to go to steal. Among the casual, opportunistic thieves, we taught them a lesson about aggressive LP policies, which paid off as evidenced by the virtually non-existent recidivism rates in our stores (although the same persons were frequently apprehended at other companies. Among our honest customers, we were known as a good place to shop, because we cared enough to actively search out and catch the people who stole and thereby made prices higher. And those same feelings were pretty much mirrored among employees: the honest ones thought we were great, and wanted to help as much as possible, and frequently assisted us (we had a good reward program), and frequently wanted to move from the merchandising side to the LP side. Needless to say, the bad employees didn't much like us, and thought we were too active and aggressive - of course they did, they couldn't take advantage of us as easily as they could some other retailers.

I firmly believe that LP policies and practices generate a "reputation" just as surely as do good prices and value and customer service.

And perhaps it's just a coincidence, but after I moved on from that particular employer, the company (which had been bought by a conglomerate after being an independent for more than 100 years) and my successor (hand-picked by the new owners) started taking a far less aggressive LP attitude. And guess what? The first year after the change, shrinkage more than doubled, and never returned to the low levels that I and my predecessors had achieved.

Hmm.....maybe we few dinosaurs who are left should start propagating, and again rule the planet............ [smile]

Tuesday, November 14, 2006

Security Efforts Must Be Constant

This principle should be self-evident; but, unfortunately, it is frequently not. Many organizations take the attitude that the protection of its assets will occur naturally or by happenchance, without conscious or due regard. That philosophy could not be further from the truth. Of course, the myth of “accidental” self-protection is often promulgated by short-term experience – that is, at any given time, for short periods of time, a formalized security program may not appear to be needed because nothing at the moment is threatening the organization’s assets. But as with any string of good fortune, reality sets in quickly and the need for a sound security program becomes readily apparent. As with virtually all other business decisions, success (in this case, the protection of the organization’s assets) should be determined by diligent attention to planning, not left to the capriciousness of luck.

The development of sound protection strategies is a continuous process of analysis and upgrade, not merely a one-time program that is implemented then forgotten.

Monday, November 13, 2006

The Erosion of Security Management

Managers in general (at all levels, in most industries) are not the Type-A, aggressive personalities that they once were. Once the business management gurus with their new philosophies convinced the business world that management was a committee process (thereby making business management gurus a ton of money), it was the beginning of the end for strong management personalities. There is a “management-by-committee” adage that says “…when everyone’s in charge, no one’s in charge…” Once managers realized that they were not personally going to be held accountable for success or failure, the need for strong individual management traits waned. And this phenomenon was no where more apparent than in Security and Loss Prevention, because this new philosophy meant that the Security Manager (or Director, or VP) was no longer personally responsible or accountable for managing little things – like shrinkage or loss or security problems. In fact, there was actually incentive for a Security Manager to manage as little as possible – because the less that the Manager’s personal “stamp of approval” was on the overall security program, the greater was his “plausible deniability” that growing problems were not his fault. So Security Managers bought into this new philosophy hook, line and sinker - until today, when we have a bunch of easy-going, wishy-washy, namby-pamby Security Managers (and Directors and VPs) who cannot and do not assert their knowledge or authority to do the right thing.

See, management by committee is not a new concept; even I was involved in the management-by-committee process in the olden days. But there was a big difference: the “committee” that used to exist was the committee formed by the key managers and executives, each having fairly autonomous authority and responsibility for his own area of expertise. No one presumed to tell the Security Manager how to do his job because that is exactly what it was – HIS job (just as it was with Merchandising and Personnel and Marketing, etc.) So it was important for the Security Manager to be strong, because he would be sitting at the table with the strong Merchandise Manager, and the strong Personnel Manager, and the strong Marketing Manager, etc., each trying to push forward his own ideas and agenda.

But then the concept of management-by-committee changed – now it meant that EVERYONE had a say in EVERYTHING. And this was BAAADDD!!!!!!!! Because everyone did not have a thorough understanding of anyone else’s issues and problems. Management-by-committee as currently constituted is bad – it is slow, a waste of resources, and results in poorer decisions because the decisions are being made by uninformed persons. (Here's a great personal anecdote to illustrate: I was once assigned to be the team leader for a QA committee on parking. First question, per QA guidelines: "Who are our customers?" My immediate response - since I was the Security Director and responsible for parking - was "Everyone who parks on our property for any reason." WRONG!! Much too simple! We had to identify each and every one of our customers. So we spent 3 hours - approximately 60 man-hours of professional time - identifying each and every customer. And at the end of that time, do you know what our answer to the question was? "Everyone who parks on our property for any reason." The very answer I gave in 3 seconds, over 3 hours prior!!)

I’m from the old school – I have lost 3 positions as Corporate Director because I refused to water down the programs that I had so meticulously built. And here’s the scenario that played out in those 3 positions; and the scenario that plays out daily today in so many organizations:

Problems abound (shrinkage, theft, all kinds of security problems), so a strong leader is needed to solve the immediate problem. A pro-security executive is put in charge of the LP/Security function who recruits/hires a strong security manager/leader. A strong, aggressive program is built which ultimately solves the problems. The strong manager is assertive and dynamic, builds a strong program and is given full executive support.

BUT…. in the course of solving the problems with the strong program, a few feathers will almost of necessity be ruffled among the other ops managers, because things that make for good security do not always make life easy for everyone else (e.g., a security program that requires associates to use a single exit point and have belongings checked isn’t very popular; a security program that has those beautiful tall displays lowered because of sight lines isn’t very popular; the security program that scuttles the new refund procedure because it has the potential for rampant abuse isn’t very popular; etc. etc. etc.). So the strong security manager begins to be viewed as a naysayer and not a team player. And this is especially bad, because the manager has solved some problems, and now when other managers look at the result (as opposed to the reasons for the result), they only see the resulting success and say that a strong program (and a strong manager) are no longer needed. So a new executive is put in charge of security, who believes that the current state of low shrinkage and few serious problems is the natural state of things, and begins to cut the rug from under the strong manager. And a good strong manager who is dedicated to his principles will see what is going on and ultimately will not last. And he leaves and someone who fits the new mold (the easy-going, wishy-washy, namby-pamby manager) is brought in and the program suffers and things get bad and no one can figure out why??!!?? And the cycle begins anew.

So…how many managers and directors and VPs do you know that would have the intestinal fortitude to leave a position based on principle? I truly believe that there are not many of us left.

And THAT'S the cycle that leads to Security Managers who are not strong, who let others who are stronger run the security departments. THAT’S why local security managers report to local business and operations managers instead of senior security executives. (When I was in Retail at the store LP Manager level early in my career, I reported to the Director of LP…PERIOD! I once had a Store Manager unload a shipping cart of merchandise that was under surveillance because that was not my job...and I told him so...and he called the Director of LP who told him so. And the Store Manager unloaded the cart, and then I inventoried it. Those days are long gone.)

So as I’ve said, the current state of weak security management is largely our own fault………..

Thursday, November 09, 2006

The Need For Security

Security, not only as a theoretical concept but even more importantly as a viable business strategy, has been swept under the carpet and relegated to the realm of “necessary evil” for far too long. Our post-9/11 world, coupled with the realities of today’s economy, makes the practice of security a virtual necessity for the businessplace. No longer can the protection of an organization’s assets be relegated to good fortune and happenchance. Rather, a systematic approach to assure that everything reasonable is being done to guarantee an organization’s safety and financial well-being by keeping its assets under control is of vital importance. And the marketing of the concept of protective efforts is a job that must be continually and actively engaged in by security professionals, since the rest of the organization’s managers are frequently concerned only with their own financial bottom line.

Wednesday, November 08, 2006

Security As Science And Art

Security is very much like many other business disciplines. Much of it is common sense (whatever that is). And much of it is fairly logical (if one were to think through it and analyze it). But its complexity lies in the blending of science and art.

The science part of security practice is the body of security knowledge – the paraphernalia and the techniques that are used in protective efforts. And while technology is rapidly changing both the equipment and the techniques of operations, it is still a finite and reasonably manageable body of knowledge. There are only so many methods with which to secure a door; only so many ways to conduct an investigation; only so many devices to “see” into a darkened room; etc. So the practitioner has a reasonable chance, if so inclined, to maintain a current knowledge and understanding of the tools of the trade.

But the art of security is much more complicated, almost infinite, limited only by the knowledge and imagination and creativity of the practitioner. The art of security is taking the tools of the trade, and finding the most appropriate way of applying those tools to a given situation or circumstance.

The professional security practitioner must be able to take the “stuff” – the equipment, the technology, the techniques – and be able to figure out the best, most practical, most expedient way to apply that “stuff” to the needs of the situation at hand. The ability to blend the science and art of security into a sound, workable and efficient protective strategy is the mark of the competent practitioner.

Monday, November 06, 2006

Trends in Loss Prevention

If you have been in the LP or security business for any length of time, you have undoubtedly seen the trend in the reduction of resources allocated to LP. Recent posts on this forum confirm that many companies have
reduced their LP staffs such that there is only 1 LP agent in a store at any given time, and that there are times when there are no LP agents in the store. Yet the LP function has expanded, both in terms of duties as well as "tools" - that lone LP agent is no longer "just" responsible for floor surveillance and apprehension, and for investigation of in-progress check and credit card fraud. Now, that lone agent is also responsible for conducting audits, checking in receivables, escorting big-ticket sales items, watching CCTV monitors, reviewing surveillance tapes, checking EAS equipment, etc. etc. etc.

So...duties expand, and personnel are reduced. Yet the world is shocked when shrinkage occurs, or mistakes are made, or apprehensions go bad. Companies are so focused on the bottom line that they forget that many
things contribute to that bottom line - not just the routine everyday things that can go wrong; but the occasional catastrophic events that in one fell swoop take whole percentages from the bottom line.

With 30+ years as a security and LP Director, I am now a Security Consultant. I help a variety of organizations rather than focusing all time and efforts on a single employer. And one of my biggest challenges is convincing my clients that sound security and LP strategies are exactly like another pure-cost resource that is fondly embraced by companies, a resource that management personnel gladly pay for, regardless of cost: insurance.

Here is the usual company scenario: there are few actual, everyday problems, so security has been reduced - shrink is at an acceptable level, so the world is good. Then I come in and point out the vulnerabilities: not the
things that ARE happening, but the things that CAN happen because of the lack of attention to security. And the key executive always has the same response: "Sure, it can happen; but it hasn't happened yet, so why should I worry about it now? Why should I spend money and reduce my bottom line to protect against something that may never occur?" And here is my usual response:

"Have you ever suffered a major, catastrophic fire?" (answer almost always "NO") "So"...I say..."then I presume you have decided to save a good chunk of money by canceling your fire insurance coverage, because you would certainly never want to spend money on something that isn't happening and which only
MAY happen." The executive gives his immediate reply: "Are you crazy for suggesting that? Don't you know how tremendously my business would be affected if we ever had a big fire? The loss of product, the injuries and potential loss of life........" And then he stops because he realizes what he has just said - he has admitted that in the case of a terrible potential event (fire) it is better to have protection that is not needed than to need it and not have it; it makes good financial sense. Then we begin a dialogue on the same concept as related to security strategies: the potential for loss of product, and injuries and potential loss of life and resulting bad publicity and resulting loss of sales etc. etc. etc.

Here's the history lesson - back in the olden days, in my younger retail days, my organization had an LP staffing policy: there would be at least 3 LP personnel on duty at all times (and this was at a time when responsibilities were pretty much limited to floor surveillance and apprehension, and investigation of in-progress check and credit card fraud). We made lots of apprehensions, and they very rarely resulted in significant scuffles. Why? Because our apprehension policy called for 2 LP agents to make the apprehension whenever possible, and to immediately handcuff almost every detainee. The number of agents policy was enacted so that there would be little opportunity for the thief to resist because of superior numbers; and the handcuff policy was enacted to reduce the opportunity for fight or flight, thereby limiting the chances for injury to anyone (agents, bad guy, associates, or bystanders). I was able to convince my organization (and my 2 after that) that this was just like fire insurance: something that may rarely be needed, but something that will be invaluable when it is needed. I could show (through research of relevant case law) that a single catastrophic event (like a botched apprehension) would be financially devastating and would more than eat up the amount of money spent on providing adequate protection measures.

Here's some ammunition (free of charge for you) - information that I recently presented to the annual conference of defense trial attorneys in Wisconsin:

1. Retail stores are the second-most sued type of business in premises security liability cases - that is the category of case which includes adequacy and sufficiency of security, the basic issue on which a store will
be sued when an apprehension goes bad (adequacy and sufficiency of security includes such things as reasonable amount of security measures, proper hiring and training of security personnel, etc.).

2. Assault and battery, false imprisonment and wrongful death comprise 61% of the reasons why businesses are sued (yes, even an LP agent can be accused of "assault and battery" when his actions during the course of an apprehension are deemed to be excessive and/or improper).

3. Over a 10-year period (1992 thru 2001, the period for which such analysis has most recently been done), defendants won the litigation in 52% of the cases - good news, right? Nope. The trend is reversing....for example, in 2001, plaintiffs won in 41.5% of cases. Why the changing trend? Because as more case law evolves, there is growing attention to the issue of "adequacy and sufficiency of security" and there has been much focus on the conditions which determine adequacy and sufficiency. And this is what the courts are saying: security measures, in order to be LEGALLY DEFENSIBLE, must be commensurate with foreseeable circumstances, taking into account a variety of other things. So when persons on this post state that they individually make 100s or 1000s of apprehensions annually, and that they are frequently the only LP representative in their stores, and that they either make the apprehensions alone or rely on fellow store associates for back-up (who presumably are untrained), I shudder at the potential ramifications, knowing that luck will never replace preparation for any significant amount of time and that a bad stop or detention will inevitably occur. And that the store will be hard-pressed to justify having only that 1 LP agent available to do all those things.

A long post, with hopefully helpful information.

Liability in Loss Prevention

The issue of liability, particularly in retail, has been around forever, and has been a concern - primarily for the bean counters - for just as long.

Because we are such a litigious society - translation: anyone can sue anyone for anything, regardless of merit - the holders of the business purse strings are understandably concerned about liability. But as someone who lectures and trains on the issue of liability and liability avoidance, I can categorically state that they are concerned about liability for the wrong reason. And it is our job to demonstrate the difference between what they are concerned about and what they should be concerned about.

What bean counters are concerned with is avoiding all lawsuits, period. What they should be concerned about is avoiding and losing legitimate lawsuits.

A "liability" does not exist until and unless a legitimate claim is made and lost (the operative words being "legitimate" and "lost").

OK...I know I will get responses that say that it doesn't matter if a claim (lawsuit) is lost because there is still a cost involved in fighting any claim. But it is not the same: the cost of fighting a lawsuit - presuming that you can demonstrate that the claim is erroneous - is a business expense, not a liability (a subtle but significant difference). Companies pay to have attorneys on staff, or have attorneys on retainer, regardless of whether the attorneys have anything to do - a reasonable, proactive expense, not a liability (just as is car insurance - the premium is paid regardless of whether the insurance is used or not). So paying an attorney to fight a lawsuit known to be without merit or frivolous is a business expense, not a liability. Here's a question to ask your bean counters: in order to save money, shouldn't we cancel our fire insurance since we haven't had a fire? Same concept: some business expenses are important and necessary.

IF (a big, capital IF) things are done correctly - meaning procedurally correct from both a legal and a company policy perspective - the chances of a legitimate, successful lawsuit are minimized to a totally acceptable degree. Can there still be lawsuits? Sure. Will those lawsuits have to be challenged and fought? Of course. But will there be successful lawsuits? Probably not.

There is always the possibility for lawsuits - not just from LP activities, but for any business operational reason: slips and falls, price manipulation, a rude associate, etc. By now, businesses should realize that they cannot avoid all lawsuits. What business CAN do is establish policies and procedures that minimize the potential for legitimate claims.

The retail industry, as well as the insurance industry, is deathly afraid of any and all lawsuits. It is a demonstrable fact that both the retail and insurance industries settle far more claims than they fight in court. The stated reason? It is "far more cost-effective" to settle than to fight. But therein lies the misperception. For any given claim it may be more cost-effective to settle. But in the long run it is not, because the knowledge that claims will be settled is the incentive that people use to file many more claims than they would if they knew - KNEW - that they would have to pursue the claim through lawsuit and court proceedings. Settling claims as a policy is poor practice which spawns frivolous and without-merit claims because the claimants know that anything they get will be the proverbial gravy, because it costs them little or nothing to file the initial claim; and the likelihood of getting something is great. Settling claims creates avoidable - and thus unnecessary - liability risk.

On the other side, fighting lawsuits is a proactive practice that will reduce the number of frivolous lawsuits and claims; and the number of lawsuits and claims will drop dramatically.

What I do in my training lectures is present this information from the legal and financial perspectives so that the decision-makers understand what they are doing. I get them to understand that protecting assets is the ultimate goal and that this is a multi-step process. This is the message that everyone has to make sure that their organizations understand so that LP work can be done successfully, with a minimum of liability risk.

This is what your jobs should also be.

Sunday, November 05, 2006

Pupose Of This Blog

Why should a blog like this be necessary? Isn’t it fairly obvious that a security practitioner should be the embodiment of integrity and justice, a valued and sought-after peer of the professionals with whom he serves in an organization? Simply, yes. But that is all-too-frequently not the case.

And it is intended not just for security practitioners. It will hopefully be just as, if not more, valuable for those organizational executives who select or direct security practitioners, because it will give them insight into who their protectors are and how their protectors should operate.

The Security Consultant

This is the inaugural post for The Security Consultant. After 30 years as a security practitioner - a career that has included service as a Director of Security for 3 organizations; as the Security Consultant to a large Sheriff's Department; as an independent Security Consultant to business, industry and government; and as an expert witness providing litigation support services for both plaintiffs and defense - I felt that I was sufficiently qualified and experienced to not only provide some guidance into the operational aspects of security practice, but to provide some insights into the philosophies, values and ideologies which should guide and govern professional security practitioners in the course of their duties and responsibilities. If the information I provide and the views I express help any person or organization to better practice their chosen profession or better protect their assets, I will feel that I have been successful in achieving my objective in creating this blog. The Security Consultant