Monday, September 24, 2007

The Basics of Risk Assessment

While every business knows that it is important for a variety of reasons to protect its assets, many business owners and managers do not know how to perform the risk assessment that will identify the specific threats to be guarded against. While a professional security consultant is frequently the best and most cost-effective way for a thorough risk assessment to be conducted, here are the basic steps that should be used to determine a sound security strategy:

· identify/itemize all assets that need to be protected (physical, human and intellectual)

· identify every conceivable threat/risk that may be encountered – be sure that everything bad that could happen is given at least cursory consideration

· determine/prioritize the likelihood of occurrence of each of the identified threats/risks – the bad things most likely to occur should be given the highest priority

· determine/prioritize the business impact if/when each of the identified threats/risks should occur – some risks have a potentially greater impact than others

· identify/itemize all security measures currently in place – are the current protective measures adequate to counter all the identified threats/risks?

· implement a sound security strategy that is adequate to protect the organization and its most vital assets
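The six steps above map naturally onto a simple risk register. The following is an added illustration, not code from the original post: the assets, threats, 1-5 likelihood and impact scales, existing-control lists and the likelihood-times-impact scoring rule are all constructed assumptions chosen for the example.

```python
"""Risk register that walks the six assessment steps above.

Added illustration, not from the original post. The asset names, threats,
1-5 likelihood/impact scales and the lists of existing controls are all
constructed sample data; the scoring rule (likelihood x impact) is an
assumption chosen for the example, not something the post prescribes.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Risk:
    asset: str                 # step 1: the asset being protected
    threat: str                # step 2: a bad thing that could happen to it
    likelihood: int            # step 3: 1 (rare) .. 5 (almost certain)
    impact: int                # step 4: 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)  # step 5: measures in place

    @property
    def score(self) -> int:
        """Combined priority; higher means deal with it sooner."""
        return self.likelihood * self.impact


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Steps 3 and 4: most likely and most damaging first; likelihood breaks ties."""
    return sorted(risks, key=lambda r: (r.score, r.likelihood), reverse=True)


def uncovered(risks: List[Risk], threshold: int = 9) -> List[Risk]:
    """Step 5: high-priority risks with no protective measure in place at all.

    These are the gaps a security strategy (step 6) must close first.
    """
    return [r for r in prioritize(risks) if r.score >= threshold and not r.controls]


# Constructed sample register for a small retail business (not real data).
SAMPLE_REGISTER = [
    Risk("warehouse inventory", "after-hours burglary", 4, 4, ["alarm", "night patrol"]),
    Risk("cash office", "armed robbery", 2, 5, ["drop safe", "CCTV"]),
    Risk("customer database", "insider data theft", 3, 5),
    Risk("delivery staff", "assault on route", 2, 3),
    Risk("trade secrets", "competitor espionage", 1, 5),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        status = "covered" if r.controls else "NO CONTROL"
        print(f"{r.score:2d}  {r.asset:20s} {r.threat:25s} {status}")
    print("gaps:", [r.threat for r in uncovered(SAMPLE_REGISTER)])
```

Run as a script it lists the register by priority and names the high-priority threats that currently have no control, which is the gap the sixth step's strategy has to close.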

Even in industries in which security standards have been recommended or promulgated, the above outline forms the basis of the process that is recognized by both security professionals and the Courts as being adequate, sufficient, and legally defensible.

Thursday, June 14, 2007

The Trouble With Policies

In many facets of life, good intentions are frequently overshadowed by poor implementation. This is especially true with regards to company policies and procedures in the business world.

Policies and procedures are extremely important and absolutely necessary. Organizations must have policies and procedures so that operations run smoothly and personnel know what they can and cannot do. But the good intention of a policy or procedure can quickly transform into a nightmare if it is not developed, implemented and enforced with care and diligence.

The reason that “policy” and “procedure” are two different words is that they mean two different things. But all too often the terms are used interchangeably, and therein lies the crux of the problem.

A “policy” should be a fairly specific statement of desired intent which includes a fairly broad statement of how that intent will be achieved. In contrast, a “procedure” should be a detailed enumeration of actions to be followed under certain defined circumstances for the achievement of a desired result and related policy. If a policy gets too specific in its statement of intent attainment, it wanders into the realm of procedure. If a procedure’s actions are outlined with great specificity in relation to broadly-defined circumstances, the procedures can be followed or applied to circumstances that were never intended. And if a procedure’s actions are contrary to the corresponding policy’s stated objective, confusion arises and mistakes are made.

In my more than 30 years of developing and reviewing policies and procedures in the security and loss prevention worlds, I have learned a lesson that has served me well: The best policies and procedures are those which are defined well enough to achieve the desired goals while still allowing enough leeway for common sense and initiative.

It should be fairly obvious that some latitude is necessary in policies and procedures. Very few things in life can be simply categorized as either black or white – we live in a world of grays. So even when a seemingly black-or-white situation arises (right vs. wrong; good vs. evil; rule adherence vs. rule violation), it is almost always different and unique from other such black-or-white situations, because while the act may be the same, the circumstances are always different. And since good policies and procedures should be developed with regard to circumstances, good policies and procedures must of necessity be constructed to allow for those differences in circumstances. In other words, policies and procedures should be designed with enough flexibility so as to allow for reasonable situational analysis, interpretation and initiative while still providing guidance towards desired results. Especially with regard to procedures, operational parameters are much better than specifically-fixed actions.

One of the reasons that poor policies and procedures abound is that the business world has become addicted to playing follow-the-leader. Whenever the current business guru comes along with some new business management philosophy, we have to try it out ourselves, because if we don’t and our competitors do, we somehow feel that we are inferior and “behind the curve.” As an example, the current buzzword and trend is “zero-tolerance” in policies. Perhaps well-meaning in theory, but almost never good in practice, because such policies are usually developed in just the opposite way from what this article espouses: the objectives are too generally defined, and the mandated actions are too narrowly defined. Zero-tolerance policies almost never allow for the common sense and initiative that a truly good policy not only allows but encourages.

Let me illustrate: News accounts have been full of reports of children expelled from school because of the possession of something as innocuous as an aspirin. Why? Because the zero-tolerance policy used as the basis for the expulsion simply stated that students with drugs (a very broad, general term) must be automatically expelled (a very narrowly-defined action).

I presume that the person(s) responsible for such a policy’s development did not have that scenario in mind. But for a variety of reasons – time, budgetary, liability and so forth – there is a common misperception about policies in general:

· we believe that we must try to make as few policies as possible (easier to remember, cuts down on the size of the Policy Manual)
· we believe that each of those few policies must be as all-encompassing as possible (the fewer the policies, the more ground each has to cover)
· we believe that each procedure must specify very narrowly-defined actions (to tell the policy enforcers exactly what to do)
· we believe that the actions defined must leave no room for interpretation (the policy makes the decision, not the person enforcing the policy)
· we believe that each procedure must have strictly-enforced sanctions (if the policy says so, there can be no debate)

But the unfortunate result of such policies is that a never-anticipated situation will occur which does not exactly fit any specific policy. So a policy which remotely resembles the situation is brought into play, and a policy never intended for the specific situation is applied. And undesirable ramifications and consequences inevitably ensue.

I firmly believe – and the belief has served me well – that most operational policies and procedures must be developed with an eye towards allowing the persons responsible for their implementation and enforcement some latitude to exercise their own initiative, discretion and judgment. Since very few things in life are black and white, people must not be forced into only those two choices when situations involving policy interpretation and application present themselves. If the people entrusted with policy enforcement have been selected and trained well, they should be given not only the responsibility for enforcement, but the authority for reasonable interpretation and adaptation.

Monday, April 16, 2007

Foreseeability In Premises Liability Cases

Civil lawsuits resulting from security-related incidents on both public and private property generally are classified as “premises liability” cases. The basic concept of premises liability is that owners/landlords have a legal obligation to provide reasonable security based on foreseeability. But many persons with an interest in providing or assessing “reasonable security” – security and loss prevention practitioners, and attorneys – are sometimes misinformed about the concept of foreseeability.

“Foreseeability” as defined by most courts in the U.S. (with only a few minor exceptions, most notably Michigan) is a broader concept than many recognize. Foreseeability is usually determined by a formal assessment of 4 distinct criteria:

The inherent nature of the premises: Every premises has a distinct nature, each with its inherent problems and risks. Bars, for example, have different inherent risks than do shopping malls, just as schools have different inherent risks than do hospitals. The intrinsic nature of the premises is the first factor to be considered in determining foreseeability.

The history of security incidents at the premises: History does have a tendency to repeat itself. A premises with a history of crime and security incidents can probably expect more crime and incidents in the future. The history of events at a premises is the second factor to be considered in determining foreseeability.

And with regard to the history of incidents at a premises, Courts have not necessarily held that criminal or security incidents of a specific nature are a determining factor. For example, the owner of a parking lot with a history of thefts and robberies will probably not be able to successfully claim that it was unaware of security issues when a carjacking occurs. Criminal and security incidents in general are considered, because security measures are usually not implemented to prevent or deter only one type of incident (the CCTV surveilling the parking lot is not only scanning for thieves and robbers).

The history of security incidents in the immediate geographic surroundings: Crime usually does not limit itself to specific sites. Criminals engaged in inappropriate activities are usually opportunists who are always looking for an easy target. So security problems that occur in a neighborhood will frequently find their way to and impact any given premises in that neighborhood. The history of events in the neighborhood is the third factor to be considered in determining foreseeability.

Industry security standards for the premises: Any organization whose industry has established some formalized standards or practices for security has an obligation to at least consider those security measures. Industry standards, guidelines and practices are usually not developed until and unless there is significant commonality among the members of the industry. So standards and practices that have been developed, especially for security, are probably relevant and must be considered. Industry security standards are the fourth factor to be considered in determining foreseeability.

So a quick review of past incident reports will not be sufficient for an organization to successfully argue that it has met its obligation with regard to foreseeability. And why is foreseeability so important? Because it is the results of the foreseeability assessment that determine what security measures are reasonable under the circumstances.

Wednesday, January 31, 2007

What Is the "Security Industry?"

There is no common public perception as to what “security” really is. And that’s because the industry is so large and diversified. When the term “law enforcement” is used, there is little doubt as to its meaning: it refers to public agencies that uphold the law. Pretty simple and straightforward. The more informed understand that there are differences in jurisdiction (local vs. county vs. state vs. federal, etc.) and in general function (ordinary policing vs. investigations vs. transportation enforcement vs. protective services, etc.). But when the ordinary citizen hears “law enforcement,” he or she pretty much knows exactly what is meant.

On the other hand, there really is no simple definition of the security industry (other than “providing protective services,” which is so all-encompassing as to be nebulous and non-helpful). Here is just a partial list of the “security industry:” proprietary security departments; contract security services; private investigations; guard and patrol services; armored courier services; alarm and equipment installers; security consultants; private information/intelligence services; auditors; risk management services; contingency planning services; business continuity services; special event specialists; bodyguards/personal protection specialists; etc.

And each of these categories has its subcategories: some proprietary security departments provide overnight guard patrol, some provide full security and law enforcement-like services; some contract security companies provide services to a variety of industries, some specialize in one; some alarm and equipment companies provide home burglar alarms, some provide integrated security systems that are literally global in scope; etc.

So when the term “security” is heard, should the ordinary citizen think of the night watchman-slash-boiler operator, or the corporate security executive who is responsible for $500 billion worth of company assets, or the bodyguard protecting Britney from a stalker, or… what should the ordinary citizen think of?

Coupled with the vast diversity of services encompassed by the “security industry,” there are other issues of disparity that make it difficult for the ordinary citizen to understand what we do and who we are:

· There is a Police Officer on duty at the publicly-owned hospital, while there is just a “security guard” on duty at the private hospital across the street – and both are performing the same basic job function.

· Public law enforcement agencies, because they are public, are subject to public scrutiny, in everything from their budgets to their activities. Private security operations, because they work for private enterprises, are subject to virtually no public scrutiny (until something newsworthy – usually meaning “bad” – occurs).

· The high-speed police pursuit of a speeding motorist makes the nightly news because the media camp out on the Police Department’s doorstep. The 2-year investigation by the team of corporate investigators which results in the break-up of the international theft ring resulting in the recovery of $3 million worth of MP3 players goes unnoticed because there are no media present, because the company doesn’t want the publicity to jeopardize the three other investigations that are going on simultaneously.

· The company that installed the home burglar alarm may not be the proper responder when the alarm is activated.

· The “event staff” personnel are seen as being overly aggressive in removing the “…poor drunk guy…” from the concert – after he had just started the fight that knocked over the ten-thousand-dollar amplifier and injured 4 patrons.

In other words, the ordinary citizen cannot really know or understand the “security industry” because the industry is so vast and because “security guards” have such a diverse range of duties and responsibilities. And if you add into the mix the fact that many security strategies rely on unobtrusiveness to be successful……

Tuesday, January 30, 2007

The Fallacy of Liability Avoidance

We hear it everywhere: “…We better be careful or we’ll get sued” or “…We have to avoid liability.” But if you really analyze those two phrases (which are frequently used interchangeably), you’ll see that they are not necessarily the same, especially as related to the loss prevention or security function in the real business world.

“Getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about true liability avoidance in our companies – the bean counters and attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability.

We are a litigious society. Virtually anyone can sue virtually anyone else for virtually anything. And until limits are set on frivolous lawsuits, such will continue to be the case. So there is almost nothing that we can do in the area of assets protection that will not come under someone’s scrutiny at some point, to the extent that we will be sued.

A prime example of companies being so concerned about any lawsuit (as opposed to legitimate, successful lawsuits) is their internal policies that have no substantive basis in law. One of those areas in which company policies usually do not directly equate to law is the hiring process.

How many times have you heard that asking for a date of birth is an "illegal question" under EEOC guidelines, presumably because it could lead to age discrimination? A show of hands, please. Ahh….I see that almost everyone has raised a hand….

EEOC does NOT...I repeat NOT...stipulate that ANY hiring practice or strategy is inherently bad or unlawful; it simply requires that there be a LEGITIMATE AND DEMONSTRABLE BUSINESS REASON for a particular practice or strategy.

So back to the question of asking for a date of birth: It is a common misconception that it is an illegal question. In fact, under EEOC guidelines, THERE IS NO SUCH THING AS AN "ILLEGAL QUESTION." Rather, the USE of the information is what may be considered illegal if the information is gathered and used for the wrong reasons.

Case in point: In most states, a full background investigation of employees (especially employees in positions of trust, such as LP employees, persons handling large sums of money, etc.) is perfectly legal and may in fact be required. In some of those states, pertinent background information (such as criminal records) is filed by both name and date of birth – in order to do a background investigation, a date of birth is necessary. So....if a business can demonstrate a BUSINESS NEED (like assuring the integrity of employees in certain positions) for performing a LEGITIMATE AND LAWFUL BUSINESS FUNCTION (like conducting a background investigation) and that lawful function requires gathering SPECIFIC INFORMATION (like a date of birth) in a MANNER CONSISTENT WITH COMMON PRACTICE (like the records are filed requiring a date of birth), then gathering the date of birth is perfectly legal, acceptable and allowable under EEOC guidelines.

Now....this does not mean that these types of questions (date of birth, gender, etc.) should appear on every company application – that would not be appropriate because the information would probably not be needed during the hiring process for every company employee. But the questions can and should be asked and information gathered during the hiring process in situations in which the information is necessary.

As noted in another posting on this blog, company lawyers frequently take the path of least resistance when reviewing or recommending policies – they feel that it is easier to promulgate universal policies that will apply to most employees than to have a more complex policy that allows for legitimate (and necessary) exceptions.

For security professionals, it's frustrating to be subject to internal policies that restrict legitimate activities under the guise of "legal" when in fact the policies may have no foundation in law. Getting those kinds of “convenient” policies changed should be the job of senior security management – that should be why they make the big bucks.