Protection of Assets: Security Management [Hardcover ed.] 1934904252, 9781934904251

Citation preview

PROTECTION OF ASSETS

SECURITY MANAGEMENT

PROTECTION OF ASSETS

SECURITY MANAGEMENT

PROTECTION OF ASSETS

SECURITY MANAGEMENT

ASIS International | 1625 Prince Street | Alexandria, VA 22314 USA | www.asisonline.org

Copyright © 2012 by ASIS International ISBN 978-1-934904-25-1 Protection of Assets is furnished with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. It is designed as a ready reference and guide to the covered subjects. While every effort has been made to ensure accuracy of contents herein, it is not an official publication and the publisher can assume no responsibility for errors or omissions. All rights reserved. No part of this publication may be reproduced, translated into another language, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior written consent of the copyright owner. Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

ACKNOWLEDGMENTS ASIS International (ASIS), the world’s leading society for security professionals, originally founded in 1955 as the American Society for Industrial Security, acquired Protection of Assets in December 2003. The acquisition of this work underscores the Society’s leadership role in professional education. It is the sincere desire of ASIS and its editorial staff to continue to enhance the value of this important reference. Protection of Assets, which has been in existence since 1974, is recognized as the premier reference for security professionals and the publisher wishes to acknowledge the two founding authors and subsequent editors. Timothy J. Walsh, CPP

Richard J. Healy, CPP

Timothy L. Williams, CPP Managing Editor Editorial Associates David G. Aggleton, CPP Milton E. Moritz, CPP Mike Hodge, J.D. Sanford Sherizon, Ph.D., CISSP Timothy J. Walsh, CPP, Editor Emeritus As we move forward, confronted with issues that present a challenge to the security industry, our mission is to ensure that Protection of Assets provides the strategic solutions necessary to help st professionals meet the demands of the 21 century and beyond. We also pledge to assemble a group of subject matter experts who will enhance this reference as necessary to achieve our mission. Michael E. Knoke, CPP Managing Editor Eva Giercuszkiewicz, MLS, Project Manager Evangeline Pappas, Production Manager Peter E. Ohlhausen, Technical Editor

PREFACE

OBJECTIVES OF PROTECTION OF ASSETS Protection of Assets (POA) is intended for a security professional to find current, accurate, and practical treatment of the broad range of asset protection subjects, strategies, and solutions in a single source. The need for such a comprehensive resource is quite widespread according to the editors, writers, and many professional colleagues whose advice has been sought in compiling this text. The growing size and frequency of all forms of asset losses, coupled with the related increasing cost and complexity of countermeasures selection, demand a systematic and unified presentation of protection doctrine in all relevant areas, as well as standards and specifications as they are issued. Of course, it would be presumptuous to assume that any small group of authors could present such material unaided. It is, therefore, a fundamental objective of Protection of Assets to draw upon as large a qualified source base as can be developed. The writers, peer reviewers, and editors attempt to distill from the available data, common or recurrent characteristics, trends, and other factors, which identify or signal valid protection strategies. The objective is to provide a source document where information on any protection problem can be obtained.

Protection of Assets  Copyright © 2012 by ASIS International

v

READERSHIP Protection of Assets is intended for a wide readership: all security professionals and business managers with asset protection responsibility. The coherent discussion and pertinent reference material in each subject area should help the reader conduct unique research that is effective and organized. Of particular significance are the various forms, matrices, and checklists that give the reader a practical start toward application of the security theory to his or her own situation. POA also serves as a central reference for students pursuing a program in security or asset protection.

DIALOGUE We hope that Protection of Assets becomes an important source of professional insight for those who read it and that it stimulates serious dialogue between and among security professionals. Any reader who is grappling with an unusual, novel, or difficult security problem and would appreciate the opinions of others is encouraged to write a succinct statement describing the problem and send it to us at ASIS [[email protected]]. At the reader’s request his identity will not be disclosed, but the problem will be published with invitations for comment. Readers are also encouraged to communicate agreement or disagreement with strategies or applications recommended in POA and to suggest alternatives. We reserve the right to publish or refrain from publishing submitted material. The editors also solicit statements of reader opinion on matters of asset protection policy in which a cross-sectional view would be helpful.

SUPPLEMENTAL TRAINING Readers with supervisory or management responsibility for other security and asset protection personnel will find POA to be a useful resource from which to assign required readings. Such readings could be elements of a formal training syllabus and could be assigned as part of related course sessions. With all these objectives in mind, we present to you Protection of Assets, in the sincere belief it will enhance your expertise in the security field.

Michael E. Knoke, CPP Managing Editor

vi

Protection of Assets  Copyright © 2012 by ASIS International

CONTRIBUTORS The success of this publication is directly related to the peer review process recognized by most professions. Security professionals, members of academia, and other subject matter experts were involved in contributing current information, conducting research, reviewing submissions, and providing constructive comments so that we are able to provide a publication that is recognized as the “go to” reference for security professionals worldwide. It is with sincere appreciation that I wish to thank the below-named individuals who contributed to Protection of Assets.

Teresa M. Abrahamsohn, CPP

Lucien G. Canton, CPP

Donald J. Fergus

Sean A. Ahrens, CPP

James P. Carino, Jr., CPP

Eugene F. Ferraro, CPP, PCI

Marene N. Allison

Sue Carioti

James H. Fetzer, III, CPP

Randy I. Atlas, CPP

James S. Cawood, CPP, PCI, PSP

Michael T. Flachs, CPP

George J. Barletta, CPP

Steve Chambers, CPP, PSP

Linda Florence, Ph.D., CPP

Mark H. Beaudry, CPP

Richard E. Chase, CPP

Richard H. Frank, CPP

Regis W. Becker, CPP

John C. Cholewa, III, CPP

Kenneth M. Freeman, CPP

Brent Belcoff, CPP

Tom M. Conley, CPP

Peter J. French, CPP

Howard J. Belfor, CPP

Geoffrey T. Craighead, CPP

Mary Lynn Garcia, CPP

Adolfo M. Benages, CPP

Michael A. Crane, J.D., CPP

John W. Gehrlein, CPP

Lawrence K. Berenson, CPP

Bruce A. Dean, CPP

Eva Giercuszkiewicz, MLS

Alexander E. Berlonghi

Fritz X. Delinski

Gregory A. Gilbert, CPP

Raymond J. Bernard, PSP

Edward P. De Lise, CPP

Frederick G. Giles, CPP

Henri A. Berube

David A. Dobbins, PSP

Timothy D. Giles, CPP, PSP

Martin T. Biegelman, J.D.

Colin Doniger, CPP, PSP

David H. Gilmore, CPP

Daniel E. Bierman, CPP, PSP

Clifford E. Dow, CPP

Christopher Giusti, CPP

Patrick C. Bishop, CPP

Christina M. Duffey, CPP

Leo Gonnering, PSP

Dennis R. Blass, CPP, PSP

Brandon Dunlap

Brian D. Gouin, PSP

Keith C. Blowe, CPP

Nick Economou

Richard P. Grassie, CPP

Paul F. Boyarin, CPP, PCI

Cheryl D. Elliott, CPP, PCI

Benjamin P. Greer

Tom Boyer

James W. Ellis, CPP, PSP

Steven R. Harris

Pete Brake, Jr., CPP

William R. Etheridge

Ronald D. Heil, CPP

Darryl R. Branham, CPP

Gregory Alan Ewing, CPP, PSP

Ed Heisler, CPP, PSP

Joseph P. Buckley, III

Kenneth G. Fauth, CPP

Richard J. Heffernan, CPP

Jason Caissie, CPP, PSP

Lawrence J. Fennelly

Chris A. Hertig, CPP

Protection of Assets  Copyright © 2012 by ASIS International

vii

William T. Hill, CPP

Owen J. Monaghan, CPP

Charles A. Sennewald, CPP

Ronald W. Hobbs, CPP

Wayne Morris, CPP, PSP

Dennis Shepp, CPP, PCI

Mark D. Hucker, CPP

Patrick M. Murphy, CPP, PSP

Shari Shovlin

W. Geoffrey Hughes, PCI

Carla Naude, CPP

Marc Siegel, Ph.D.

John L. Hunepohl

James W. Nelson

Laurie Simmons, CPP, PSP

Gregory L. Hurd, CPP

Robert L. Oatman, CPP

Dennis Smith, CPP

Gregory W. Jarpey, PSP

Gerald A. O’Farrell, CPP

Stan Stahl, Ph.D.

Sheila D. Johnson, CPP, PSP

Peter E. Ohlhausen

Paul J. Steiner, Jr., CPP

Thomas R. Jost

Leonard Ong, CPP

Pamela M. Stewart, PCI

Diane Horn Kaloustian

Harm J. Oosten, CPP

Dan E. Taylor, Sr., CPP

Cathy M. Kimble, CPP

S. Steven Oplinger

Lynn A. Thackery, CPP, PSP

R. Michael Kirchner, CPP

Denis A. O’Sullivan, CPP

Mark L. Theisen, CPP

Glen W. Kitteringham, CPP

Jaime P. Owens, CPP

Dave N. Tyson, CPP

Michael E. Knoke, CPP

Gerard P. Panaro, J.D.

Joann Ugolini, CPP, PSP

Terrence J. Korpal

James F. Pastor, Ph.D.

Darleen Urbanek

James M. Kuehn, CPP

David G. Patterson, CPP, PSP

Mike VanDrongelen, CPP, PCI, PSP

David Lam, CPP

John T. Perkins, CPP

Karim Vellani, CPP

Rich LaVelle, PSP

Karl S. Perman

Barry J. Walker, CPP

Robert F. Leahy, CPP, PSP

Kevin E. Peterson, CPP

Michael W. Wanik, CPP

Robert E. Lee

Charlie R. A. Pierce

Roger D. Warwick, CPP

Jeff Leonard, CPP, PSP

Doug Powell, CPP, PSP

Fritz Weidner

Todd P. Letcher

Patrick K. Quinn, CPP

Richard C. Werth, CPP

Emblez Longoria, CPP, PSP

Roy A. Rahn, CPP

Allan R. Wick, CPP, PSP

Cynthia Long

John D. Rankin, CPP

Anthony S. Wilcox, CPP

Richard E. Maier, CPP

William G. Rauen, CPP

Donald S. Williams, CPP

Loye A. Manning, CPP, PSP

David L. Ray, LL.B.

Reginald J. Williams, CPP

Robert L. Martin, CPP

Joseph Rector, CPP, PCI, PSP

Richard F. Williams, CPP

Ron Martin, CPP

Ty L. Richmond, CPP

Timothy L. Williams, CPP

Roger B. Maslen, CPP

Lisa M. Ruth

Coleman L. Wolf, CPP

Judith G. Matheny, CPP

Jeffrey J. Ryder, Jr., CPP, PSP

Richard P. Wright, CPP

Edward F. McDonough, Jr., CPP

Mark A. Sanna, CPP

Richard Y. Yamamoto, CPP

Richard A. Michau, CPP

Stephen Saravara, III, J.D., CPP

Scott S. Young, CPP

Bonnie S. Michelman, CPP

viii

Protection of Assets  Copyright © 2012 by ASIS International

TABLE OF CONTENTS PREFACE CONTRIBUTORS Chapter 1. ADMINISTRATIVE MANAGEMENT PRINCIPLES . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 1.2

1.3

1.4

Overview . . . . . . . . . . . . . . . . . . . Organizational Strategy . . . . . . . . . . 1.2.1 Developing the Strategy . . . . . 1.2.2 Communicating the Strategy . . Principles of Business Administration . . 1.3.1 Human Resource Management 1.3.2 Knowledge Management . . . . 1.3.3 Corporate Structure . . . . . . . Conclusion. . . . . . . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . .

1 3 4 5 5 6 10 11 11

Chapter 2. FINANCIAL MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.1 2.2

2.3

2.4 2.5

2.6

Financial Strategy . . . . . . . . . . . . . . . . . . . . . . . Financial Statements . . . . . . . . . . . . . . . . . . . . . 2.2.1 Income Statement . . . . . . . . . . . . . . . . . 2.2.2 Balance Sheet . . . . . . . . . . . . . . . . . . . . 2.2.3 Cash Flow Statement . . . . . . . . . . . . . . . Financial Analysis . . . . . . . . . . . . . . . . . . . . . . . 2.3.1 Profitability Ratios . . . . . . . . . . . . . . . . . 2.3.2 Risk Ratios. . . . . . . . . . . . . . . . . . . . . . Limitations of Financial Statement Analysis . . . . . . . . Budgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5.1 Return on Investment . . . . . . . . . . . . . . . 2.5.2 Creating a Budget . . . . . . . . . . . . . . . . . Implementing Financial Strategy and Financial Controls

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

14 15 15 17 20 21 22 25 26 27 28 29 30

Chapter 3. STANDARDS IN SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.1

3.2

3.3

Introduction to Standards . . . . . . . . . . . . . . . . . 3.1.1 Characteristics of Standards . . . . . . . . . . 3.1.2 Benefits of Standards . . . . . . . . . . . . . . 3.1.3 Standards Development Issues . . . . . . . . . Development of International Standards: ISO Example 3.2.1 Characteristics of ISO Standards . . . . . . . . 3.2.2 ISO Standards Development Process . . . . . Development of National Standards: U.S. Example . . 3.3.1 Characteristics of ANSI Standards . . . . . . . 3.2.2 ANSI Standards Development Process . . . .

Protection of Assets  Copyright © 2012 by ASIS International

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

33 34 34 36 38 38 39 40 40 41

ix

3.4

Management Systems Standards . . . . . . . . . . . . . . . . 3.4.1 Characteristics of Management Systems Standards 3.4.2 Benefits of Management Systems Standards . . . . 3.4.3 Plan-Do-Check-Act Cycle . . . . . . . . . . . . . . . 3.4.4 Well-Known Management Systems Standards . . . 3.5 ASIS Global Standards Initiative . . . . . . . . . . . . . . . . 3.5.1 Process . . . . . . . . . . . . . . . . . . . . . . . . . 3.5.2 Product Status . . . . . . . . . . . . . . . . . . . . . 3.5.3 Organizational Resilience Standard . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

42 42 44 46 47 48 48 50 56 61

Chapter 4. INTRODUCTION TO ASSETS PROTECTION . . . . . . . . . . . . . . . . . . . . . . . . . . 63 4.1

Basis for Enterprise Assets Protection . . . . . . . . . . . . . . . . . . . . . 4.1.1 Defining Assets Protection . . . . . . . . . . . . . . . . . . . . . . 4.1.2 Relation to Security and Other Disciplines . . . . . . . . . . . . . 4.1.3 Historical Perspectives. . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Current Practice of Assets Protection . . . . . . . . . . . . . . . . . . . . . . 4.2.1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.2 Assets Protection in Various Settings . . . . . . . . . . . . . . . . 4.3 Forces Shaping Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . 4.3.1 Technology and Touch . . . . . . . . . . . . . . . . . . . . . . . . 4.3.2 Globalization in Business . . . . . . . . . . . . . . . . . . . . . . . 4.3.3 Standards and Regulation . . . . . . . . . . . . . . . . . . . . . . . 4.3.4 Convergence of Security Solutions . . . . . . . . . . . . . . . . . . 4.3.5 Homeland Security and the International Security Environment 4.4 Management of Assets Protection . . . . . . . . . . . . . . . . . . . . . . . 4.4.1 Concepts in Organizational Management. . . . . . . . . . . . . . 4.4.2 Management Applications in Assets Protection . . . . . . . . . . 4.4.3 Security Organization within the Enterprise . . . . . . . . . . . . 4.5 Behavioral Issues in Assets Protection . . . . . . . . . . . . . . . . . . . . . 4.5.1 Behavioral Science Theories in Management . . . . . . . . . . . . 4.5.2 Applications of Behavioral Studies in Assets Protection . . . . . . Appendix A: Insurance as a Risk Management Tool . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

64 64 65 66 70 70 71 76 76 78 79 83 83 84 85 86 87 89 89 91 93 105

Chapter 5. COST-EFFECTIVENESS AND LOSS REPORTING . . . . . . . . . . . . . . . . . . . . . . 107 5.1 5.2 5.3

5.4

x

Understanding the Problem . . . What Cost-Effectiveness Means . Elements of Cost-Effectiveness . 5.3.1 Return on Investment . 5.3.2 Security Metrics . . . . Boosting Cost-Effectiveness . . . 5.4.1 Budget Process . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

107 107 108 109 111 113 113

Protection of Assets  Copyright © 2012 by ASIS International

5.4.2 Cost Reduction . . . . . . . . . . . . . . . . . 5.4.3 Cost Avoidance . . . . . . . . . . . . . . . . . 5.5 Data Capture . . . . . . . . . . . . . . . . . . . . . . . 5.6 Data Analysis and Display . . . . . . . . . . . . . . . . 5.6.1 Claims Avoided . . . . . . . . . . . . . . . . . 5.6.2 Proofs of Loss . . . . . . . . . . . . . . . . . . 5.6.3 Recovered Physical Assets . . . . . . . . . . . 5.6.4 Uninsured Claims or Causes of Action. . . . 5.6.5 Other Actions . . . . . . . . . . . . . . . . . . 5.7 Systematic Incident Reporting . . . . . . . . . . . . . 5.7.1 Creating an Incident Database . . . . . . . . 5.7.2 Functions of an Incident Report . . . . . . . 5.7.3 Benefits of Incident Reporting . . . . . . . . 5.7.4 Policy on Submission of Incident Reports . . 5.7.5 Incident Database . . . . . . . . . . . . . . . 5.7.6 Management Reporting from the Database . 5.8 Predictive Modeling by the Security Organization . . 5.9 Protection Planning without an Incident Database . . 5.9.1 Pilot Verifications of the Model . . . . . . . . 5.9.2 Modifications of a Growing Database . . . . Appendix A: Incident Reporting Form . . . . . . . . . . . . . Appendix B: Loss Reporting Policy . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . .

113 114 116 119 119 119 120 120 121 122 123 124 125 125 126 126 128 129 130 130 131 133 134

Chapter 6. THEFT AND FRAUD PREVENTION IN THE WORKPLACE . . . . . . . . . . . . . . . . . 137 6.1

Understanding the Problem . . . . . . . . . . . . . . . . . . 6.1.1 Common Myths . . . . . . . . . . . . . . . . . . . 6.1.2 Motivation to Commit Theft and Fraud . . . . . . 6.2 Employee Theft . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.1 Prevalence of Employee Theft . . . . . . . . . . . 6.2.2 External Economic Pressure and Opportunity . . 6.2.3 Youth and Theft Nexus . . . . . . . . . . . . . . . 6.2.4 Job Dissatisfaction and Effects of Social Controls 6.2.5 Summary and Recommendations of Study . . . . 6.3 Fraud and Related Crimes . . . . . . . . . . . . . . . . . . . 6.3.1 Common Elements of Fraud . . . . . . . . . . . . 6.3.2 Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . 6.4 Scope of the Problem . . . . . . . . . . . . . . . . . . . . . . 6.4.1 Establishing a Model Prevention Program . . . . 6.5 Dangers of Undetected Theft and Fraud . . . . . . . . . . . Appendix A: Flowcharts . . . . . . . . . . . . . . . . . . . . . . . . Appendix B: 50 Honest Truths About Employee Dishonesty . . . References/Additional Reading . . . . . . . . . . . . . . . . . . .

Protection of Assets  Copyright © 2012 by ASIS International

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

137 140 140 141 142 142 143 143 144 145 146 148 148 148 153 154 171 174

xi

Chapter 7. PRIVATE POLICING IN PUBLIC ENVIRONMENTS . . . . . . . . . . . . . . . . . . . . . 177 7.1

Introduction . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 Historical Perspectives. . . . . . . . . . . . 7.1.2 Conceptual Perspectives . . . . . . . . . . 7.1.3 Public/Private Partnerships and Statistics 7.2 Contemporary Circumstances . . . . . . . . . . . . 7.2.1 Economic and Operational Issues . . . . . 7.2.2 Order Maintenance . . . . . . . . . . . . . 7.2.3 Crime (Fear of Crime) and Terrorism . . . 7.3 Principles of Private Policing . . . . . . . . . . . . . 7.3.1 Policing Role and Functional Distinctions 7.4 Private Policing Environments . . . . . . . . . . . . 7.4.1 Private Environment: Supplement . . . . . 7.4.2 Public Environment: Replacement . . . . . 7.4.3 Public Environment: Supplement . . . . . 7.5 The Future of Private Policing . . . . . . . . . . . . . 7.5.1 New Policing Model . . . . . . . . . . . . . 7.5.2 Structural/Operational Components . . . 7.5.3 Legal/Licensing Standards . . . . . . . . . References/Additional Reading . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . .

177 178 181 183 187 187 191 194 196 197 199 200 201 201 213 213 214 215 219

Chapter 8. CONSULTANTS AS A PROTECTION RESOURCE . . . . . . . . . . . . . . . . . . . . . . 227 8.1 8.2

The Value of Consultants . . . . . . . . . . . . Types of Security Consultants . . . . . . . . . . 8.2.1 Security Management Consultants . 8.2.2 Technical Security Consultants . . . . 8.2.3 Forensic Security Consultants . . . . 8.2.4 Advisory Security Committee . . . . . 8.3 How to Use a Consultant . . . . . . . . . . . . . 8.4 How to Find a Security Consultant . . . . . . . 8.5 Selecting a Security Consultant . . . . . . . . . 8.6 Consulting Fees and Expenses . . . . . . . 8.7 Working with Consultants . . . . . . . . . . . . 8.7.1 Coordinating the Project . . . . . . . 8.7.2 Organizational Orientation . . . . . . 8.7.3 Levels of Assistance . . . . . . . . . . 8.7.4 Scope of Work . . . . . . . . . . . . . 8.7.5 Work Plans . . . . . . . . . . . . . . . 8.7.6 Progress Reports . . . . . . . . . . . . 8.7.5 Final Reports . . . . . . . . . . . . . . 8.8 The Future of Consulting . . . . . . . . . . . . Appendix A: Alphabetical Soup of Consulting . . . . Appendix B: Application for Consulting Assignment

xii

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .

227 229 229 230 230 231 232 233 234 236 240 240 241 241 242 243 244 244 246 247 248

Protection of Assets  Copyright © 2012 by ASIS International

Appendix C: Curriculum Vitae . . . . . . . . . . . . . . . . . . . . Appendix D: Professional Consulting Services Agreement . . . . Appendix E: Consulting Security Agreement—Joint Certification Appendix F: Conflict of Interest Statement . . . . . . . . . . . . . Appendix G: Professional Services Log . . . . . . . . . . . . . . . Appendix H: Statement of Professional Services . . . . . . . . . . Appendix I: Policy on Consultant’s Expenses . . . . . . . . . . . . Appendix J: Consultant Travel Policy . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

250 252 254 255 256 257 259 261 264

Chapter 9. EXECUTIVE PROTECTION IN THE CORPORATE ENVIRONMENT . . . . . . . . . . . . . 267 9.1 History of Executive Protection . . . . . . . . . 9.2 Research on Executive Protection. . . . . . . . 9.3 Basics of Executive Protection . . . . . . . . . . 9.4 Financial Implications of Executive Protection 9.5 Philosophy of Protection . . . . . . . . . . . . . 9.6 EP Risk Assessment . . . . . . . . . . . . . . . . 9.7 The Power of Information . . . . . . . . . . . . 9.8 Office and Home . . . . . . . . . . . . . . . . . 9.9 The Advance . . . . . . . . . . . . . . . . . . . . 9.10 Working the Principal . . . . . . . . . . . . . . 9.11 Protection Resources . . . . . . . . . . . . . . . 9.12 Future of Executive Protection . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

267 269 270 270 271 274 276 277 278 282 285 285 287

Chapter 10. SECURITY AWARENESS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 10.1 Levels of Awareness. . . . . . . . . . . . . . . . . . . . . . . 10.1.1 Executive Management . . . . . . . . . . . . . . . 10.1.2 Middle Management . . . . . . . . . . . . . . . . . 10.1.3 First-Line Supervision . . . . . . . . . . . . . . . . 10.1.4 Individual Employees . . . . . . . . . . . . . . . . 10.1.5 Non-Employees . . . . . . . . . . . . . . . . . . . 10.2 Purposes of Security Awareness . . . . . . . . . . . . . . . . 10.3 Developing and Delivering a Security Awareness Program 10.3.1 Techniques, Materials, and Resources . . . . . . . 10.3.2 Obstacles to an Effective Awareness Program . . 10.3.3 Measuring the Program . . . . . . . . . . . . . . . 10.4 Engaging Employees to Prevent Losses . . . . . . . . . . . 10.4.1 Positive Security Contacts . . . . . . . . . . . . . . 10.4.2 Policies and Procedures . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Protection of Assets  Copyright © 2012 by ASIS International

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

291 291 292 292 293 293 294 296 297 298 299 300 300 301 302

xiii

Chapter 11. WORKPLACE SUBSTANCE ABUSE: PREVENTION AND INTERVENTION . . . . . . . . 305 11.1 Historical Perspective . . . . . . . . . . . . . . . . . . . . 11.1.1 A Change of Mood . . . . . . . . . . . . . . . . . 11.1.2 Legal Controls . . . . . . . . . . . . . . . . . . . 11.1.3 War on Drugs . . . . . . . . . . . . . . . . . . . . 11.2 Human Cost of Substance Abuse . . . . . . . . . . . . . . 11.3 Role of the Employer . . . . . . . . . . . . . . . . . . . . . 11.4 Why the Workplace? . . . . . . . . . . . . . . . . . . . . . 11.4.1 Rationalization . . . . . . . . . . . . . . . . . . . 11.4.2 Opportunity . . . . . . . . . . . . . . . . . . . . . 11.5 Path of Workplace Substance Abuse . . . . . . . . . . . . 11.6 Drugs of Abuse . . . . . . . . . . . . . . . . . . . . . . . . 11.6.1 Controlled Substance Act . . . . . . . . . . . . . 11.6.2 Depressants . . . . . . . . . . . . . . . . . . . . . 11.6.3 Narcotics . . . . . . . . . . . . . . . . . . . . . . 11.6.4 Stimulants . . . . . . . . . . . . . . . . . . . . . . 11.6.5 Hallucinogens . . . . . . . . . . . . . . . . . . . 11.6.6 Marijuana . . . . . . . . . . . . . . . . . . . . . . 11.6.7 Analogue or Designer Drugs . . . . . . . . . . . 11.6.8 Prescription Drugs . . . . . . . . . . . . . . . . . 11.7 Addiction and Chemical Dependency . . . . . . . . . . . 11.7.1 Addiction . . . . . . . . . . . . . . . . . . . . . . 11.7.2 Chemical Dependency . . . . . . . . . . . . . . 11.7.3 Functional Abusers. . . . . . . . . . . . . . . . . 11.7.4 Denial . . . . . . . . . . . . . . . . . . . . . . . . 11.7.5 Enabling . . . . . . . . . . . . . . . . . . . . . . . 11.7.6 Codependency . . . . . . . . . . . . . . . . . . . 11.8 Role of Supervisors and Managers . . . . . . . . . . . . . 11.8.1 Drug-Free Workplace Policy . . . . . . . . . . . 11.8.2 Investigation and Documentation . . . . . . . . 11.8.3 Employee Hot Lines . . . . . . . . . . . . . . . . 11.8.4 Intervention . . . . . . . . . . . . . . . . . . . . . 11.8.5 When Intervention Fails . . . . . . . . . . . . . . 11.8.6 Employee Assistance Programs . . . . . . . . . . 11.8.7 Behavior Modification through Role Modeling . 11.8.8 Reintegration of the Recovering Employee . . . 11.8.9 Employee Education and Supervisor Training . 11.9 Drug Testing . . . . . . . . . . . . . . . . . . . . . . . . . . 11.9.1 Methods . . . . . . . . . . . . . . . . . . . . . . . 11.9.2 Accuracy . . . . . . . . . . . . . . . . . . . . . . . 11.9.3 Strategy . . . . . . . . . . . . . . . . . . . . . . . 11.9.4 Employer Incentives . . . . . . . . . . . . . . . . 11.9.5 Liability . . . . . . . . . . . . . . . . . . . . . . . Appendix A: Drug Glossary . . . . . . . . . . . . . . . . . . . . .

xiv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

306 307 307 308 308 309 309 309 310 311 313 313 314 314 316 318 320 320 321 322 322 323 323 324 325 326 327 327 328 329 330 332 332 333 334 334 335 335 336 336 339 341 342

Protection of Assets  Copyright © 2012 by ASIS International

Appendix B: Common Questions About Drug Testing. Appendix C: Supervisor’s Checklist . . . . . . . . . . . Appendix D: Intervention Checklist . . . . . . . . . . . Appendix E: U.S. Federal Legislation . . . . . . . . . . Appendix F: Sample Substance Abuse Policy . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

343 345 347 348 350 355

Chapter 12. ADDRESSING WORKPLACE VIOLENCE THROUGH

VIOLENCE RISK ASSESSMENT AND MANAGEMENT . . . . . . . . . . . . . . . . . . 357 12.1 12.2 12.3 12.4 12.5 12.6 12.7

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Conceptual Framework . . . . . . . . . . . . . . . . . . . . . . . . . Focus Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Liability and Legal Considerations . . . . . . . . . . . . . . . . . . . Behavioral Dynamic of Workplace Violence . . . . . . . . . . . . . . Incident Management Team (IMT) and Resources . . . . . . . . . . Violence Risk Assessment Process . . . . . . . . . . . . . . . . . . . 12.7.1 Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.7.2 Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.7.3 Intervention and Non-Emergency Situational Resolution 12.7.4 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.7.5 Review and Debriefing . . . . . . . . . . . . . . . . . . . . . 12.8 Future of Workplace Violence . . . . . . . . . . . . . . . . . . . . . . Appendix A: Model Policy for Workplace Violence . . . . . . . . . . . . . . References/Additional Reading . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

357 360 361 362 363 365 367 367 367 371 372 373 374 375 377

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Protection of Assets  Copyright © 2012 by ASIS International

xv

TABLE OF FIGURES 2-1 2-2 2-3 2-4 2-5 2-6

Income Statement Balance Sheet . . . Cash Flow Sheet . Margins . . . . . . Returns . . . . . . Risk Ratios . . . .

3-1 3-2 3-3

Plan-Do-Check-Act Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Standards Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Organizational Resilience: Security, Preparedness, and Continuity Management Systems-Requirements with Guidance for Use . . . . . . . . . . 60

4-1 4-2 4-3 4-4 4-5 4-6 4-7 4-8

Examples of Organizational Assets by Type . Paradigm Shift Frequency Model . . . . . . School Security Considerations . . . . . . . Selected Standard-Setting Bodies . . . . . . Selected Security Certification Web Sites . . Three Managerial Dimensions . . . . . . . . Assets Protection Customers . . . . . . . . . Maslow’s Hierarchy of Needs . . . . . . . . .

5-1 5-2 5-3

Return on Investment (ROI) Formula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Problems Discoverable on Security Officer Patrols . . . . . . . . . . . . . . . . . . . . . Main Methods Used in Social Science Research . . . . . . . . . . . . . . . . . . . . . . .

110 115 118

6-1 6-2 6-3

Financial Impact of Theft or Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Common Targets and Methods of Theft and Fraud . . . . . . . . . . . . . . . . . . . . . Comprehensive Model of Theft and Fraud Prevention, Investigation, and Program Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

139 149

7-1 7-2 7-3 7-4 7-5

Provision . . . . . . . . . . . . . . . . . . Functions of Private and Public Police. . Public Safety Policing Model . . . . . . . Continuum of Governmental Authority . Functionality/Criticality Continuum . .

. . . . .

181 198 214 215 216

12-1 12-2

U.S. Fatal Occupational Injuries by Event or Exposure, 1994-2009. . . . . . . . . . . . . A Theoretical Behavioral Escalation Curve for Emotion-Based Violence . . . . . . . . .

359 365

xvi

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . .

. . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . .

. . . . . .

. . . . . . . .

. . . . . .

. . . . . . . .

16 19 21 23 23 26

65 69 73 81 82 84 85 89

150

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 1 ADMINISTRATIVE MANAGEMENT PRINCIPLES

1.1

OVERVIEW Security managers are, as the name suggests, both security specialists and business managers. Most of Protection of Assets focuses on security-specific issues. However, to serve their organizations effectively, security managers must also understand business principles. With that knowledge, they can organize their efforts in a way that best supports the overall vision and mission of their organization. Without that knowledge, they may focus on security as an end in itself. Security managers who understand business are best positioned to collaborate with top management and to turn their departments into valuable corporate resources that support organizational success. Effective security managers are those that are recognized within their organization as business partners. In any business, people work and interact to produce a product, service, or both. This interaction leverages the labor of individuals to enable the business to realize a net profit that supports investors, managers, customers, and employees. At some point a business must determine the type of product or service to sell and how to develop, deliver, and finance that output. To manage this process successfully, managers and owners must employ practices that support the goals of their business. They must also develop metrics that define success and support business decisions. Ultimately these practices aim to define business success not only in the near term, but also over the life of the business through quantifiable metrics.

Protection of Assets  Copyright © 2012 by ASIS International

1

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.1 Overview

Two hypothetical food service businesses illustrate these themes: Expensive Italian restaurant. A famous chef opened a high-end restaurant to serve business clientele in a fashionable downtown district. He realized that his revenue per plate must be considerable to support his location and staff and generate a profit. The restaurant’s servers now provide exquisite customer service; cooks prepare the food with the best ingredients and attention; busboys keep the tables neat; and management coordinates and supervises their efforts. For this high level of service, a premium is charged. Customers are willing to pay because the restaurant provides a continued level of exquisite service and excellent food quality. As a result, the restaurant hosts a constant flow of high-profile professionals during the evenings. Inexpensive quick-service restaurant. Several blocks closer to the downtown offices, two young entrepreneurs saw a gap in quick, inexpensive food options in the area, so they opened a large, low-cost American fast food franchise. Understanding that providing a cost-effective lunch option would require large volumes as a result of the thin profit per meal, the owners marketed the restaurant heavily in nearby offices to generate the necessary customers, who now shuffle in and out quickly with inexpensive food during the weekday lunch rush. Further, the restaurant captures some late-night business from people working late and others heading out to nearby nightlife. The customer service is limited, but the food is tasty and filling, though not of the highest quality. Management focuses on quick service and a basic level of cleanliness and customer service. The restaurant is constantly busy serving customers who require food quickly so they can be on their way.

Which of the two restaurants is more successful? The Italian restaurant earns more profit per plate of food than the fast food restaurant, yet the fast food restaurant can serve significantly more customers. The success of each restaurant is determined by its management practices and expectations. The management of the Italian restaurant wants the establishment to be a premium dining facility serving customers looking for a high-end product. The fast food restaurant, on the other hand, is focused on people who are busy and need a quick, inexpensive bite to eat. Both businesses can be considered successful because their management-defined business processes support the restaurants’ specific purposes. The managers understand the types of customers they serve, the financial requirements of the business, and ways to coordinate staff efforts.

2

Protection of Assets  Copyright © 2012 by ASIS International

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.2 Organizational Strategy

The following example teaches the same lesson differently: Paper products company. The executive committee at a paper products company decided to invest heavily in high-end manufacturing equipment targeting local firms with an interest in printing marketing material. The company mainly produces letterhead, stationery, and basic business cards. After installing the equipment and setting up the production process for potential orders, the executive committee found that sales were not meeting the required levels for profitability. They had failed to see that their customers (local companies) were migrating to Web-based marketing and were limiting their use of printed marketing materials. As a result, the paper company began to realize losses in its new division. Clearly, a business must understand its purpose and create management practices that support it. To define the business purpose, management typically writes a business strategy. To implement that strategy, management develops appropriate administrative practices.

1.2

ORGANIZATIONAL STRATEGY The organizational strategy (also called a strategic plan) is set out in writing by a business unit’s top leadership. It does not focus on day-to-day operations but provides a general direction. The organizational strategy is the fundamental template for direction that defines and supports long-term goals. The organizational strategy serves as the foundation for developing business processes. Those processes should support the overall business structure required to meet the organizational strategy. Key metrics and performance indicators can be studied to determine whether the processes accurately reflect the organizational strategy. Using this feedback, an organization can, if necessary, change the implementation of the strategy or even shift the strategic focus itself. Defining an organization’s overall strategic purpose is essential for developing companyspecific management practices. The organizational strategy defines why the business exists and how it will maintain itself as a profitable, viable entity. Answering these questions requires looking at the business not only in the moment but also three to five years out.

Protection of Assets  Copyright © 2012 by ASIS International

3

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.2 Organizational Strategy

In developing an organizational strategy, it is helpful to ask such questions as the following:

1.2.1

x

What markets does the business want to serve? Are they narrow or broad?

x

What products do those markets require? Is there stiff competition? What are the technological costs to develop and sell the products?

x

Who will sell the products: the company, wholesalers, retailers?

x

Will the company make money through low margins with high volume or high margins with low volume?

x

What quality of product or service will be provided?

x

How will the company be financed? What revenues and profit margins are required to sustain the business?

x

What are the Strengths, Weaknesses, Opportunities and Threats involved in the business venture (SWOT)?

DEVELOPING THE STRATEGY The first step is to understand the business and where it needs to be in the future. The current state of the business can be deduced by looking at products offered, markets targeted, and financial results. To determine where the company should be in the future, leadership must consider how the company can maintain its profitability. Comparing the current company and the desired future company, leadership is likely to observe some distance between the two. If the company is already meeting leadership’s vision, the organizational strategy can be minimal, merely capturing existing practices to maintain and adjust them over time. If the company’s current state is far different from its desired state, the organizational strategy will play a greater role in setting the corporate direction.

4

Protection of Assets  Copyright © 2012 by ASIS International

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

1.2.2

COMMUNICATING THE STRATEGY Once a strategic direction is understood, it is essential to capture that direction and communicate it effectively within and outside the organization. The following topics can help communicate the organizational strategy:

Vision

The vision of an organization is a specific description of where the business will be in the long-term. The vision statement conveys a general understanding of the business, its culture, and its future goals.

Mission

The mission of the business specifies its types of products or services, level of quality, and other tangible aspects of the business and its plans. This is a more concrete statement. While the vision states objectives and business goals, the mission communicates business functionality and operational methods.

Objectives

1.3

This statement includes the specific organizational objectives so that all involved parties can understand what needs to be done. The objectives should highlight specific goals that the organization wants units to achieve in terms of sales, market share, product differentiation, or other relevant metrics. The objectives must be SMART (Specific, Measurable, Attainable, Relevant, and Time-bound).

PRINCIPLES OF BUSINESS ADMINISTRATION To meet its objectives and implement its strategy, a business must pay attention to its primary resource: its people. Effectively managing current employees and hiring new ones is essential. It is employees who will embrace the organizational strategy and execute its principles. Management principles make it possible to tailor daily operations to support the organizational strategy. For example, if the organization wishes to redevelop a business unit and focus on an emerging technology as opposed to relying on legacy products, then the operational focus for human resources should be to find people who can support emerging technology. Business principles define how an organization functions. Among the most important issues they must address are human resource requirements, knowledge management, and corporate structure.

Protection of Assets  Copyright © 2012 by ASIS International

5

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

1.3.1

HUMAN RESOURCE MANAGEMENT The Human Resource (HR) department is one of a company’s most valuable departments. A good HR department can find and keep high-level talent for the company and leverage that talent to maximum effectiveness. While the HR department’s daily focus is staffing, it also promulgates corporate policies and procedures to employees and provides training and performance measurement. In doing so, the HR department must align its actions with the overall corporate strategy.

Staffing The most visible component of the HR department is staffing. Whether a company outsources staffing searches or handles them internally, it is important for an organization to understand how to conduct an effective job requirements analysis, thorough candidate profiles, and effective interviews and evaluations. It is difficult to assess a candidate based solely on a résumé and a single interview. Staffing decisions should be measured against a detailed job requirements analysis. The analysis should be made not only by the manager responsible for hiring but also by other team members and organizational leaders. The position requirements thus developed must be narrow enough to be accurate but broad enough to include many good candidates. How might this work in practice? In a hypothetical example, the head of security for a global manufacturing firm might need a security manager for corporate headquarters. The security manager would work with corporate executives, supervise headquarters security personnel, and in general ensure that the facility is protected. The job requirements analysis addresses both direct and indirect requirements. The direct requirements are those that the candidate must meet to understand and function in the position. The indirect requirements are skills that will increase the candidate’s likelihood of success. The following are examples of direct requirements:

6

x

certifications, such as technical or driving certifications

x

education level, such as a bachelor’s or master’s degree

x

years of experience

x

previous job responsibilities

x

knowledge of computer applications, such as Microsoft Word or Excel

Protection of Assets  Copyright © 2012 by ASIS International

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

Indirect requirements, which are less specific, include the following: x

leadership ability

x

ability to multitask

x

organizational skills

x

communication skills

The job requirements analysis should weigh which skills are most valuable for the position. If a company needs a crane operator, the direct requirements may be more significant because of the safety issues involved and the skills required to operate a crane at an industrial site. However, if the company is trying to fill an engineering role, some of the indirect requirements may have more weight because of the need for the engineer’s design work to interface correctly with that of other engineers. Returning to the example of the headquarters security manager, analysis of the job requirements shows that the candidate must be able to ensure the physical security of the building, supervise security staff, and interact with corporate executives and high-level managers, who are the primary occupants of the building. The ability to handle the primary security functions is still the most valued requirement, but several other skills are also necessary, such as leadership, management, and interpersonal skills. The head of security will need to communicate these needs to the HR staff responsible for filling the position. Internal recommendations are the best way to recruit a good candidate; most employees would not recommend someone they did not believe could fill the position. Also, hiring people who have worked with other company employees may help create a more cohesive team. To encourage internal recommendations, HR should post jobs in a way that effectively reaches an internal audience. To reach a larger pool of candidates, it is useful to advertise the position in newspapers and online. To deal with the many résumés that may be submitted in response to a public listing, staff must filter the résumés and invite only the most viable candidates for an interview. One way to reduce this labor is to hire external recruiters. Once candidates have been selected, it is time to prepare for interviews. To appeal to the best candidates, a company must impress them just as much as they must impress the company. HR should ensure that interviewers provide a thorough overview of the company and the benefits of working for that company. The interviewer should also examine the candidate’s objective capabilities and subjective fit with the team the candidate would work with. This latter measure is sometimes the more important one.

Protection of Assets  Copyright © 2012 by ASIS International

7

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

Policies and Procedures The HR department must also establish policies and procedures to outline how business will be conducted at the organization. Policies cover items that the organization monitors and expects employees to conform to. Some policies are driven by government regulations, which differ for different types of business. Procedures deal with specific items—for example, how an employee should handle setting up vacation time. Many types of regulations can affect company policy. In the United States, regulations related to the following should be researched: x

minimum wage requirements (federal and state)

x

Family and Medical Leave Act

x

Occupational Safety and Health Administration

x

security regulations for organizations that handle sensitive government data

x

building codes

x

waste and hazardous material management

x

drug and alcohol abuse

x

harassment and liability issues

x

corporate property use

x

leave policies

x

information technology use

x

ethics

Different countries may have similar laws, and if conducting business abroad, the regulatory issues of such countries should be considered as well. Policies should be useful and simple and should not overload employees. When developing policies, it is useful to work closely with the managers whose teams will be most affected by the policies. They can provide details of current operations and the probable effects of policy changes. Collaboration can also create management buy-in that increases the likelihood that policies will be executed and maintained. Compliance with policies can also be strengthened through training or certification that teaches employees the details of the policies and the consequences of violating them. In addition to corporate policies, which provide broad descriptions of how operations will be conducted, specific procedures need to be developed so that employees will know how to react to various issues. Clearly articulating company procedures helps prevent confusion. These procedures should address a wide variety of topics and should be widely promulgated. Further, staff understanding of the procedures should be refreshed regularly to ensure that everyone is up-to-date and understands how to respond when an issue arises.

8

Protection of Assets  Copyright © 2012 by ASIS International

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

Procedures should encompass all topics that are important for daily functions. The following are possible subjects of company procedures: x

security

x

inclement weather

x

building evacuation

x

filing a complaint

x

requesting leave

x

timekeeping

x

purchasing

x

corporate property rights

The policies and procedures should reflect the ideal functionality of the organization. They support proper staff behavior and lead to a hospitable, safe workplace.

Performance Measurement and Training To aid employee development and retention, employers must review and reward employee performance and provide training mechanisms for employee growth. In today’s working world, it is easy for employees to transition to other companies if they feel they are not being engaged enough or their personal growth is suffering. Therefore, companies should use performance metrics and training modules to foster employee development. Training may be provided within or outside the company. Internal training is typically aimed at helping employees do their current jobs better. For instance, an electronics assembler can be trained on more efficient assembly techniques with different tool sets. Other training might foster employee growth by giving employees the opportunity to learn different disciplines within the company. Training can also be conducted outside the organization. Employees may pay for the training themselves, or the company may pay for it, and the training may take place on employees’ own time or during working hours. This external training may be taken in university courses, at seminars or conventions, or in other venues. It often imparts information that is outside the scope of the current work environment and that may promote innovative approaches to work tasks. The metrics for evaluating employees should align closely with the organizational strategy. For example, if the strategy calls for growth, then the metric for mid-level managers may be to grow their business units a certain percentage.

Protection of Assets  Copyright © 2012 by ASIS International

9

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.3 Principles of Business Administration

Employees should be measured on both how well they do their current jobs and how well they contribute to the growth of the company as a whole. Some workers focus on their current jobs and are content in those positions. Others use their current positions to gain experience or insights that may help them move into other positions or expand the responsibilities of their current positions. Measuring those two aspects separately allows for fair evaluation of the employees and clarifies what they must do to excel at their current positions, prepare for other positions, and contribute more to the company. Metrics for assessing how well employees are doing their current jobs include the following: x

work quality

x

performance on time

x

performance within budget

x

meeting of other requirements of the position

Metrics for assessing employees’ overall contribution to the company include the following: x

extra sales, extra hours, and work on several projects

x

work on tasks outside the position requirements

x

contribution toward improvements in the business process

x

leadership

Thus, an HR department can support the organizational strategy by establishing and communicating appropriate policies and procedures and by ensuring that the best people are hired, retained, and provided with growth opportunities.

1.3.2

KNOWLEDGE MANAGEMENT After employees, corporate knowledge is the second most valuable resource, and supporting knowledge management supports the organizational strategy. A central knowledge management system collects, distributes, and publicizes corporate data in a searchable, accessible format. It aids corporate departments by reducing redundant efforts and promoting knowledge sharing. For an engineering firm, centralizing product design documentation allows multiple engineers to collaborate on a single design and makes it unnecessary for engineers to design the same component for other projects. Centralization of information also helps preserve knowledge if an employee leaves his or her position or the company. In addition, cross-unit knowledge sharing can enable one department to learn from the processes, technologies, and ideas of another. For example, a company with two divisions— computer memory chip manufacturing and hard drive manufacturing—might be able to apply the efficiency techniques of the first division to improve efficiency in the second division.

10

Protection of Assets  Copyright © 2012 by ASIS International

ADMINISTRATIVE MANAGEMENT PRINCIPLES 1.4 Conclusion

Centralized knowledge systems can be used to collect data that measure the productivity and performance of business units and individual employees. Such measurement enables an organization to identify problems and spot opportunities to cut costs, increase efficiency, or expand the business. Relevant metrics may include return on investment, inventory turnover, and profit margins. If the organizational strategy emphasizes volume over profitability, an important metric will be growth in revenue. In such a case, the knowledge management system must be able to capture revenue streams and report them accurately. Of course, a central knowledge management system may also create a security vulnerability. Because the information could be accessed and exploited by competitors or other outsiders, it is essential to keep the information system secure.

1.3.3

CORPORATE STRUCTURE An organization should be structured in a way that supports its business strategy. For example, if a company focuses on product innovation, it may choose to have numerous technical teams that report development efforts to a small number of management executives. This type of structure reduces the chance that innovative ideas will be stifled by bureaucracy. By contrast, a construction company may opt to have several management layers to manage multiple projects, ensure employee safety, and meet schedule requirements. For any organization, the right structure can aid in delegating responsibilities and ensuring accountability. The initial step is to identify the essential business units. An engineering firm would likely consider its engineering group to be the essential business unit. Supporting units might include sales and marketing staff. If the company’s strategy calls for growth, marketing and sales may grow in importance.

1.4

CONCLUSION Management practices serve a company best when they are designed in accordance with its strategic plan. These practices are largely expressed through human resource management, knowledge management, and business structure. When the overall corporate strategy is ingrained in daily administration practices, the organization will have the best chance of success.

Protection of Assets  Copyright © 2012 by ASIS International

11

CHAPTER 2 FINANCIAL MANAGEMENT

As members of their employers’ management teams, security managers must understand more than security—they must also know business and finance. Knowledge of financial management is especially important, as it explains how a business makes some decisions. As a metaphorical example, a commuter with an unreliable car might weigh many factors when considering a solution: repair costs; the likelihood of breakdowns; and the purchase, maintenance, and insurance costs of various replacement cars. The person takes the time to make a justified financial decision. Businesses use similar but more elaborate processes to help them make sound business decisions. They may need to decide whether to purchase new equipment or extend credit, or they may need to estimate the growth potential of prospective investments. Like the commuter, they look at financial outlays, the expected returns on those outlays, and the potential risks associated with the investment. Financial management practices provide the analysis and decision tools that allow businesses to monitor the financial operations of an organization and make better financial decisions. The basis of financial management is understanding the accounting principles used in generating financial reports. Through those reports it is possible to analyze the current state of business finances and project how financial decisions will affect the business. From the financial analysis it is possible to develop budgets and set expected goals for revenue or return on investment (ROI). The result is a financial strategy that is based on thorough analysis and that employs sufficient controls to ensure success.

Protection of Assets  Copyright © 2012 by ASIS International

13

FINANCIAL MANAGEMENT 2.1 Financial Strategy

Both publicly traded and privately owned companies must follow accounting and financial reporting standards. Public companies must, by law, observe reporting standards (for investor protection). Oversight responsibility should be separated from authority. This is the purpose of having an independent auditor who analyzes the facts, draws conclusions and makes recommendations on the company’s financial status. Private organizations must, in practice, observe those standards when attempting to gain financing through a bank or when setting a value on a business. Therefore, it is imperative that individuals charged with managing finances—including security managers—understand the basics of financial management.

2.1

FINANCIAL STRATEGY Strategy is management’s effort to focus resources on specific targets that lead to business success through proper planning. A financial strategy is management’s financial approach to determining the expected returns of its investments (including its departments and operations) and estimating and managing the relevant risks. In establishing a financial strategy, the first step is to identify expected margins, or the profit that businesses generally make. In the software industry, profit margins tend to be high, perhaps because of the specialized nature of software and the low price of delivering it. Manufacturing companies, by contrast, typically rely on smaller margins but higher volume. Realistically a company has two options if it wishes to improve margins. It can reduce costs or increase the price of its product or service. Reducing costs requires increasing efficiency, perhaps by finding cheaper suppliers or by cutting overhead costs. Increasing price may or may not be successful, as it may lead to a decline in sales volume. Increasing revenue may involve expanding sales of a current product or identifying new businesses to fund sales. The growth option usually involves additional costs, as it costs money to produce more products or pursue new business ventures. The question is how to fund growth. Growth can be funded from internal cash reserves or through commercial financing and investors. Both approaches impose trade-offs. Using internal cash reserves could limit the ability of an organization to pay bills if costs exceed revenues. Use of external financing puts the company at risk if the investment does not create the expected revenue. The way to make such financial decisions and project returns is through analysis of financial statements.

14

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.2 Financial Statements

2.2

FINANCIAL STATEMENTS Three financial reports or statements have become accepted as standard: the income statement, balance sheet, and statement of cash flows. Through these statements it is possible to paint a clear picture of a company’s current and prospective financial health. Financial statements are created in accordance with generally accepted accounting principles (GAAP). These principles vary somewhat from country to country. Many countries are converging on the International Financial Reporting Standards (IFRS), established and maintained by the International Accounting Standards Board. In the United States, they are established by the American Institute of Certified Public Accountants, the Financial Accounting Standards Board, and documented, standardized accounting practices. The purpose of GAAP is to establish and maintain a standard for financial reporting that can be used across all organizations. The following sections outline the basics behind the three financial reports.

2.2.1

INCOME STATEMENT The income statement tells how much money an organization generates (revenue), how much it spends (expenses), and the difference between those figures (net income). It provides that information by offering a quantified view of an organization’s operations over a defined period. Revenue is the money a company receives for products or services. If its products sell for $1,000 each and the company sells 100 products during the reporting period, the revenue for that period is $100,000 (100 units times $1,000 per unit). Expenses, of course, are the costs of creating and delivering the products or services. If it costs the company $900 to produce and deliver each product, and 100 units are made, then expenses equal $90,000. Net income equals revenue minus expenses. Thus, in this case the company’s net income is $10,000 ($100,000 minus $90,000).

Protection of Assets  Copyright © 2012 by ASIS International

15

FINANCIAL MANAGEMENT 2.2 Financial Statements

YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

Product Sales

1,643,000

1,807,300

1,988,030

2,186,833

2,405,516

Service Sales

729,000

1,312,200

1,443,420

1,587,762

1,746,538

2,372,000

3,119,500

3,431,450

3,774,595

4,152,055

Procurement

(60,000)

(63,000)

(66,150)

(69,458)

(72,930)

Raw Materials

(50,000)

(52,500)

(55,125)

(57,881)

(60,775)

Development/Production Costs

(75,000)

(82,500)

(90,750)

(99,825)

(109,808)

Equipment Purchase

(100,000)

(100,000)

(100,000)

(100,000)

(100,000)

(285,000)

(298,000)

(312,025)

(327,164)

(343,513)

Payroll

(1,336,975)

(2,013,326)

(2,214,659)

(2,436,124)

(2,679,737)

Lease

(220,000)

(226,600)

(233,398)

(240,400)

(247,612)

Utilities/Lease Expenses

(44,000)

(45,320)

(46,680)

(48,080)

(49,522)

(1,600,975)

(2,285,246)

(2,494,736)

(2,724,604)

(2,976,871)

Marketing

(100,000)

(110,000)

(121,000)

(133,100)

(146,410)

Customer Training

(50,000)

(50,000)

(50,000)

(50,000)

(50,000)

(150,000)

(160,000)

(171,000)

(183,100)

(196,410)

336,025

376,254

453,689

539,727

635,260

(100,000)

(93,725)

(86,823)

(79,231)

(70,880)

Income Before Taxes

236,025

282,529

366,865

460,496

564,380

Taxes at 15% of Income

(35,404)

(42,379)

(55,030)

(69,074)

(84,657)

Net Income

200,621

240,149

311,836

391,421

479,723

Revenue

Cost of Goods Sold

General and Administrative Costs

Sales and Marketing Costs EBITA Interest Costs

Figure 2-1 Income Statement

16

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.2 Financial Statements

Expenses are typically grouped into several categories, such as the following: x

Cost of goods sold. This is the cost of creating a product or service, accounting for materials, labor, and other costs.

x

Sales and marketing. To promote themselves, companies may spend money on advertising, sales efforts, and customer training to support additional product sales.

x

Administrative. Also called operating costs, these are the necessary expenditures of office space, payroll, utilities, and other general administrative functions.

x

Interest. This is the cost of paying the interest portion of a loan.

x

Taxes. Companies pay a variety of taxes.

The income statement in Figure 2-1 shows how net income is derived from revenue and expenses in a yearly report. The term EBITA in the left column refers to earnings before interest, taxes, and amortization. Numbers in parentheses are negative—that is, meant to be subtracted. The income statement shows approximately 10 percent annual growth in product sales. It also shows a near-doubling of service sales from Year 1 to Year 2. That growth coincides with an increase in payroll, suggesting that the company may have hired more employees to meet customer demand for services. The income statement outlines the organization’s profitability but does not provide a picture of the organization’s overall financial health. The balance sheet aids in that assessment.

2.2.2

BALANCE SHEET The balance sheet summarizes an organization’s investing and financing. The report’s underlying equation is as follows: assets = liabilities + shareholder equity An asset is anything that a company owns or has title to that may provide a future economic benefit. Examples include land, buildings, retail inventory, and intellectual property, such as trademarks and copyrights. Liabilities are an organization’s financial commitments. Examples include loans, bills, and other obligations. Shareholder equity is the amount of ownership allocated to shareholders. This value is not an asset or liability but rather the ownership stake for which shareholders are responsible. If the liabilities of an organization far outweigh the assets, then shareholders are accountable

Protection of Assets  Copyright © 2012 by ASIS International

17

FINANCIAL MANAGEMENT 2.2 Financial Statements

for the extended liability. In contrast, if an organization’s assets exceed its liabilities, then the shareholders have positive equity (or ownership) in the company. Shareholder equity is derived from retained earnings, net income, and dividend payout. Retained earnings equals the amount of net income that is reinvested in an organization. If dividends are paid out or if net income is actually a net loss, retained earnings decrease. The balance sheet thus provides insight into the asset and liability mix and how it relates to shareholder equity. Through understanding the asset and liability mix, it is possible to determine what a company owns and what it owes in the short term and long term. Common terms used to describe assets on the balance sheet include the following: x

Cash. This is the amount of currency a company has in its accounts, including cash savings, cash checking, and other currency deposits

x

Inventory. This is the value of raw materials, works-in-progress, and finished goods that are stored as inventory to be sold later.

x

Accounts receivable. This is the amount due by customers for goods and services already delivered.

x

Property, plant, and equipment. This includes all relevant physical space (including land and buildings) and equipment that an organization requires to produce goods or services.

x

Prepaid accounts. It is possible to pay ahead for insurance, leases, and even taxes. These accounts are assets because they were paid before they were actually due.

x

Accumulated depreciation. As buildings and equipment age, they begin to lose value. The loss of value with each year is captured in accumulated depreciation to more accurately reflect the book value of an asset.

Terms related to liabilities include the following:

18

x

Accounts payable. These are accounts on which an organization owes money. Typical accounts payable include utilities or services acquired under informal agreements.

x

Interest payable. This includes interest payments on loans extended to an organization.

x

Leases. This is the amount owed on equipment and facility leases for that reporting period.

x

Current long-term debt. This includes the amount of principal that was paid for the reporting period.

x

Long-term debt. This is the amount that a company still owes on a loan or equity financing.

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.2 Financial Statements

Both assets and liabilities can be grouped into current accounts. Current accounts are assets and liabilities that can be converted quickly. For example, current assets, such as cash or accounts receivable, are those that can be used to cover costs or other business expenses for that reporting period. Current assets are considered cash equivalents on the balance sheet. Current liabilities are those that are paid in the reporting period.

YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

Cash

1,137,876

1,309,005

1,544,919

1,852,826

2,240,684

Inventories

—

—

—

—

—

Accounts Receivable

—

—

—

—

—

1,137,876

1,309,005

1,544,919

1,852,826

2,240,684

Property, Plant, and Equipment

100,000

200,000

300,000

400,000

500,000

Accumulated Depreciation

(100,000)

(200,000)

(300,000)

(400,000)

(500,000)

—

—

—

—

—

1,137,876

1,309,005

1,544,919

1,852,826

2,240,684

Accounts Payable

—

—

—

—

—

Current Leases

—

—

—

—

—

Current Long-Term Debt

69,020

75,922

83,514

91,866

101,052

69,020

75,922

83,514

91,866

101,052

868,235

792,313

708,799

616,933

515,881

Total Long-Term Liabilities

868,235

792,313

708,799

616,933

515,881

Total Liabilities

937,255

868,235

792,313

708,799

616,933

Retained Earnings

—

200,621

440,770

752,606

1,144,027

Net Income (Loss)

200,621

240,149

311,836

391,421

479,723

200,621

440,770

752,606

1,144,027

1,623,750

1,137,876

1,309,005

1,544,919

1,852,826

2,240,684

Current Assets

Property Assets Total Assets

Current Liabilities Long-Term Debt

Shareholder Equity Total Liabilities and Shareholder Equity

Figure 2-2 Balance Sheet The balance sheet in Figure 2-2 shows assets, liabilities, and shareholder equity. Total assets must equal total liabilities plus shareholder equity.

Protection of Assets  Copyright © 2012 by ASIS International

19

FINANCIAL MANAGEMENT 2.2 Financial Statements

The balance sheet in Figure 2-2 shows that the company is generating cash from profits and is repaying long-term debt. The balance sheet also provides insight into the company’s use of profit to increase shareholder equity. In other words, the business is using profit to pay down debt. Together, the balance sheet and income statement provide views of the company’s operations, financing, and investments, but they do not outline where cash is being allocated. That insight comes from the cash flow statement.

2.2.3

CASH FLOW STATEMENT The cash flow statement, also called the statement of cash flows, provides insight into how cash inflows and outflows affect an organization. The statement demonstrates whether the organization is generating enough cash to cover operations and acquire additional assets as needed. The cash flow statement shows the following: x

Net operating cash flow. This is the amount of cash generated (or consumed) through company operations. Operations include production and sales of goods or services during the defined period. Operating cash flow is based on net income generated for a reporting period, as well as any changes in liabilities.

x

Net investing cash flow. This is the amount of cash generated (or consumed) by investing in other organizations or selling or acquiring buildings or property.

x

Financing cash flow. If a company obtains a loan or other financing, the cash generated is reported as financing cash flow.

By understanding these basic inflows and outflows, it is possible to identify where cash is being generated to cover business operations. For example, Figure 2-3 shows where the longterm debt on the balance sheet (Figure 2-2) comes from. In Year 1, the company secured a $1 million loan to support additional payroll to meet customer demand. The company did not strictly require financing, as it was able to meet cash requirements for the year. However, management may have felt that the financing would help the company through any cash shortages in the first year of operation. The cash flow statement also shows that the company has a simple financial structure—just one loan outstanding and one source of income. It does not have any additional investing cash flow and is free from other financing obligations.

20

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.3 Financial Analysis

YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

—

1,137,876

1,309,005

1,544,919

1,852,826

137,876

171,129

235,915

307,907

387,858

—

—

—

—

—

Net Operating Cash Flow

137,876

171,129

235,915

307,907

387,858

Investment Cash Flow

—

—

—

—

—

Net Investment Cash Flow

—

—

—

—

—

1,000,000

—

—

—

—

Dividends

—

—

—

—

—

Other Financing

—

—

—

—

—

Net Financing Cash Flow

1,000,000

—

—

—

—

Cash End of Year

1,137,876

1,309,005

1,544,919

1,852,826

2,240,684

Cash Beginning of Year Net Income Change in Liabilities

Issuance/Repayment Loan

Figure 2-3 Cash Flow Sheet

2.3

FINANCIAL ANALYSIS Financial decisions are based on past performance and projected future performance. For example, a company may use its financial information to project the sales that would be generated from a new product line and to estimate the cost of creating that product line. The key is to determine whether the financial return is worth the expected risk. Return is the amount of money an investment choice will give back to an investor. Risk is an estimate of the probability that an investor will gain or lose money. A familiar illustration is the relationship between credit scores and credit card rates. Lenders view consumers with low credit scores (due to late payments or defaulted loans) as presenting a greater risk of nonpayment, so the lenders justify the risk by charging higher rates of interest to increase their return. Financial analysis involves understanding various profitability measurements and business risks. The quantitative method of profitability analysis relies on ratios of numbers in financial statements. The ratios are helpful for comparing performance against expected values in an industry or against an organization’s historical performance.

Protection of Assets  Copyright © 2012 by ASIS International

21

FINANCIAL MANAGEMENT 2.3 Financial Analysis

2.3.1

PROFITABILITY RATIOS Profitability ratios aid in quantifying an organization’s ability to generate income beyond covering expenses. The larger the margin of net income, the more profitable an organization is. Analysis of profit margins, returns, and earnings is discussed below.

Profit Margins Profit margins reflect a company’s profitability. The following are different measures of margins: x

Gross profit margin. By measuring profit based strictly on sales and cost of goods sold, this figure provides insight into the efficiency of manufacturing a product. The higher the gross profit margin, the more efficient a company is at producing a product. If the revenue does not cover the cost of the products, then the product price may be too low or the manufacturing and materials costs too high. Gross profit margin is calculated as follows: Gross Profit Margin = (Revenue – Cost of Goods Sold – General and Administrative Costs)/Revenue

x

Operating margin. This equals earnings before interest, taxes, and amortization (EBITA) divided by revenue. This margin demonstrates the company’s overall operating efficiency in producing and selling a product. Operating margin is calculated as follows: Operating Margin = EBITA/Revenue

x

Net profit margin. This measures net profit after all expenses are included. It summarizes the net income as a percentage of sales. The higher the net profit margin, the more profitable the company is in its business. Net profit margin is calculated as follows: Net Profit Margin = Net Income/Revenue

Figure 2-4 shows the margin values that can be calculated from the income statement in Figure 2-1. These values show that the company has healthy margins, which dipped slightly in Year 2 due to growth but then recovered in subsequent years. The growth did not significantly improve gross margin or operating margin but did boost net margin considerably. By providing more services and allowing product sales to grow slowly, the company increased revenue without increasing total expenses.

22

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.3 Financial Analysis

YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

Gross Margin

20.5%

17.2%

18.2%

19.1%

20.0%

Operating Margin

14.2%

21.1%

13.2%

14.3%

15.3%

8.5%

7.7%

9.1%

10.4%

11.6%

Net Margin

Figure 2-4 Margins

Returns Two ratios demonstrate how well a firm has done in making money for a reporting period: x

Return on assets (ROA). This ratio demonstrates the organization’s ability to generate income based on its assets, independent of any financing. It is calculated as follows: ROA = Net Income/Total Assets

x

Return on equity (ROE). This ratio indicates how well a company uses financed assets to generate income. ROE is calculated as follows: ROE = Net Income/Shareholder Equity

The practice of borrowing capital to purchase assets that can increase revenue is called leveraging. For example, by taking out a loan a construction company can purchase more equipment and hire more people to address a greater demand for the company’s services. ROA measures how well a company makes profit on assets it already owns; ROE measures a company’s effectiveness at using loans to generate a profit. Figure 2-5 shows returns calculated from the income statement in Figure 2-1 and the balance sheet in Figure 2-2. YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

Return on Assets

17.6%

18.3%

20.2%

21.1%

21.4%

Return on Equity

100.0%

54.5%

41.4%

34.2%

29.5%

Figure 2-5 Returns

Protection of Assets  Copyright © 2012 by ASIS International

23

FINANCIAL MANAGEMENT 2.3 Financial Analysis

The ROA figures suggest that the company is not focused on using its assets to improve revenues. In fact, its growth relative to assets remains relatively stagnant. The ROE numbers reflect the fact that the company had little equity in its business during Year 1 and Year 2 but much more in subsequent years. The company has been able to generate a return despite being highly leveraged and exposed to much financial risk.

Earnings Two earnings-related ratios are commonly examined in financial analysis: x

Earnings per share (EPS). This is a useful metric for a company that has shares that are publicly or privately owned. EPS represents how much income (or loss) is generated per share of the organization. It is calculated as follows: EPS = Net Income/Total Shares

x

Price to earnings (P/E). This ratio relates a company’s share price to its EPS. The P/E ratio is useful in determining whether an organization is fairly valued. It can also be used to value private shares if an investor is thinking of purchasing an interest in a private organization. The general benchmark for publicly traded P/E values is around 17. The P/E ratio is derived from the following equation: P/E = Price per Share/EPS

The various profitability ratios are useful in evaluating whether an organization is meeting profit targets. A company’s profitability ratios should be compared to those in other companies or across an industry and also to the company’s past ratios and projected future ratios.

24

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.3 Financial Analysis

2.3.2

RISK RATIOS Profitability ratios provide a view of how well a company makes money. However, the ability to make money must also be compared to the risk an organization faces in its operations. Financial risk analysis deals with current or projected numbers that are derived directly from an organization’s financial decisions. This analysis focuses on whether a company will have the ability to cover expenses and operating costs in the near term as well as the long term. Several risk ratios are useful in this type of analysis: x

Current ratio. This examines the company’s ability to cover short-term obligations. It is derived from the following equation: Current Ratio = Current Assets/Current Liabilities If the current ratio is greater than one, the company has the ability to cover all its current liabilities with its current assets. In other words, it can meet its short-term obligations—assuming that the current assets can quickly be converted to cash equivalents. Some current assets, such as inventory, may be difficult to convert to cash.

x

Quick ratio. This measures an organization’s ability to cover current liabilities with current assets that can quickly be converted to cash. Such assets include cash, securities, and accounts receivable. The quick ratio (also known as the acid test) is calculated as follows: Quick Ratio = (Cash + Securities + Accounts Receivable)/Current Liabilities This ratio provides a more accurate picture of an organization’s ability to cover bills for the current reporting period.

x

Debt to equity ratio. This provides a long-term perspective in understanding a company’s financial health. It does so by analyzing how a company funds its growth and operations. The debt to equity ratio is based on the following equation: Debt to Equity Ratio = Total Liabilities/Shareholder Equity Debt to equity ratios above one demonstrate that a company is highly leveraged and is financing itself with outside loans and funding. While that approach may result in faster growth, it may also reduce profit because of interest expenses.

Protection of Assets  Copyright © 2012 by ASIS International

25

FINANCIAL MANAGEMENT 2.4 Limitations of Financial Statement Analysis

Figure 2-6 shows sample risk ratios based on the balance sheet in Figure 2-2.

Current Ratio Debt of Equity Ratio

YEAR 1

YEAR 2

YEAR 3

YEAR 4

YEAR 5

16.5

17.2

18.5

20.2

22.2

4.7

2.0

1.1

0.6

0.4

Figure 2-6 Risk Ratios To generate growth in service sales, the fictional company took on a heavy debt load in the initial years but paid it back quickly to minimize risk should market conditions turn unfavorable.

2.4

LIMITATIONS OF FINANCIAL STATEMENT ANALYSIS Financial statement analysis has its limitations. The primary limitation is that it does not directly consider changes in market conditions. The macroeconomic environment (e.g., robust growth or recession) greatly affects the way financial statements should be interpreted. Continued declines in margin may be a result of poor economic conditions rather than poor company operations. Therefore, it is important to incorporate external data, including the performance of the company’s sector and other macroeconomic influences. Another limitation is that all organizations operate differently and target different markets, even if their industry segments overlap. For instance, if one company is involved in manufacturing and services and a competitor simply manufactures products, then the analysis of each company will yield different results. The final limitation is that financial ratios are derived from numbers presented in financial reports, and those reports must be accurate for the ratios to have any meaning. Through the process of auditing, independent accounting firms attempt to determine whether the financial statements produced by a company’s internal accountants are complete and accurate. However, independent auditing firms do not always succeed in that mission. In the United States, financial frauds involving Enron and WorldCom led to the SarbanesOxley Act (SOX), officially known as the Public Company Accounting Reform and Investor Protection Act of 2002. SOX established a new regulatory entity, the Public Company Accounting Oversight Board, which is meant to monitor the independent auditing of publicly traded companies. In addition, SOX requires executive officers and chief financial officers to personally certify financial reports that are released to the public.

26

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.5 Budgets

2.5

BUDGETS One of the main purposes for understanding financial accounting and financial analysis is to be able to establish budgets. A budget is a process for planning where money is to be allocated for the year. It is a financial tool that estimates costs and revenue and provides a variance warning mechanism and fiscal uniformity for the company. Zero-based budgeting, for example, is a process wherein funds are placed in a budget only to the extent that planned expenditures are justified in detail. It also may force a manager to consider alternative ways of getting the job done. The budget generally includes both expenses and expected revenue. Thus, to meet budget requirements, businesses often need to generate a certain amount of revenue as well as limit spending to predetermined amount. The budget development process is often viewed as either a top-down or bottom-up process. A variation on these approaches is to make the process an iterative one, either during its initial developmental stages or through periodic re-forecasts of the original budget. In each case, executive management’s choice of strategy will have a far-reaching impact. Some organizations choose to implement their budget in a top-down approach to impose performance goals on lower management. An example of this would be executive management allocating a specific amount of money to the security department without input from the security department. In a bottom-up approach, frontline managers, who are involved in the day-to-day operations of their departments or divisions, are their organizations’ best resource for realistic budget information and would set their own budget. Neither is ideal. A more practical strategy is a combination of both where the lowest level of input will occur at the divisional or department level so that executive management can determine a realistic budget that is in line with the overall financial objectives of the company. Budgets are usually drawn up on a yearly or other periodic basis. It is essential to maintain consistency in the budget process so periods can be compared to understand budget effects. For example, a warehouse for an online retailer must estimate its yearly facilities costs (including utilities, labor, and leasing costs) so the proper amount of sales revenue can be set aside to cover those costs. Budget setting tends to be difficult and politically charged because the amount of capital that can be spread across all departments is limited. However, budgets are effective tools for allocating funds to business units based on the expected revenues they will generate. Using the warehouse example, if the utilities are not paid, then the online retailer will not be able to use the storage facility. Thus, it is essential to pay business expenses that allow a company to generate revenue. Also, the line items (specific entries) in budgets can be tracked to ensure that spending is within its predetermined limits. However, it can be costly to follow budgets too strictly. Sometimes, spending beyond the budget may be necessary to take advantage of opportunities that arise.

Protection of Assets  Copyright © 2012 by ASIS International

27

FINANCIAL MANAGEMENT 2.5 Budgets

An effective way to set the value of line items is to look at each budget expense as an investment and then calculate the expected return on that investment. In other words, one looks at the benefit of the investment divided by the cost—in simpler terms, cost/benefit. However, not all returns can easily be measured monetarily. For instance, a line item such as free lunch for employees may not generate a direct monetary return but may instead increase employee effectiveness or reduce turnover. To determine whether the lunch investment creates a greater benefit than other possible investments, such as free gym memberships for employees, it is useful to calculate the return on investment.

2.5.1

RETURN ON INVESTMENT Calculating the return on investment (ROI) is an effective way to compare the desirability of different ways of spending. It also assists in obtaining future budget monies. ROI can be calculated in two ways: ROI = [Investment Value at End of Period/Investment Value Beginning of Period] – 1 or ROI = [(Initial Investment plus Interest Earned (or Lost))/Initial Investment] – 1 ROI is easy to calculate for investments with guaranteed or nearly guaranteed returns, such as bank deposits. By contrast, ROI is more difficult to calculate for an item like research and development (R&D), which has a less predictable return. However, a company may be able to determine its average, historical return on R&D and use that estimate in its ROI calculations. For example, if company figures show that a $1,500,000 investment in R&D typically returns $630,000 in revenue within five years, the ROI calculation would be as follows: ROI = [($1,500,000+$630,000)/$1,500,000] – 1 = 42% The company may also consider paying down its debt instead of investing in R&D. An ROI calculation is useful for comparing the two options. Paying additional funds toward debt reduction is like an investment, and the interest avoided through early debt reduction is like revenue. If a $2,000,000 investment in debt reduction would save the company $772,000 in interest payments over five years, the ROI calculation would be as follows: ROI = [($2,000,000 + $772,000)/$2,000,000] – 1 = 39% From an ROI perspective, R&D looks like the better choice. However, the ROI analysis does not consider all factors. For example, it does not take into account the risk that the R&D may be unproductive. However, despite its limitations, ROI analysis can be useful in determining which line items of a budget are more important than others.

28

Protection of Assets  Copyright © 2012 by ASIS International

FINANCIAL MANAGEMENT 2.5 Budgets

When it comes to security, measuring return on investment is difficult even though the department may be adding to the company’s profits by preventing losses such as theft and damage to company assets. However, the return on the implementation of an effective security countermeasure can be measured by applying an efficiency versus cost, or cost versus benefit, ratio to show the long-range cost savings to the company. Also, in some cases the insurance premiums are lower when risk decreases.

2.5.2

CREATING A BUDGET A company’s budget takes both big-picture and detailed views. At the executive level, budget items are clustered in general categories that relate to the income statement. At department and unit levels, budget items are listed in greater detail. For instance, executive management may determine that for every million dollars in revenue, production costs are estimated to be $600,000 (60 percent of revenue). That is a big-picture view. By contrast, specific departments, such as a production facility, may divide expenses into many categories, such as the costs of materials, production machines, and labor. One of the reasons lower-level managers are more likely to accept bottom-up budgeting is because they had a stake in developing it. Budget line items must be detailed enough that all expected expenses are accounted for but not so detailed that every screw and nail must be counted. The budget should be organized to resemble the income statement. That approach generates the equivalent of a pro forma income statement, which projects future costs and revenue for a defined period. (By contrast, a normal income statement presents past data.) To project future revenue, a company may turn to its marketing and sales staff. They may be able to calculate expected sales revenue based on market data, customer input, and the company’s product or service offerings. It is unrealistic to expect sales projections to be very accurate. However, having a general idea of expected revenue enables the company’s various subdivisions to budget appropriately so they can support the expected sales. For example, if a company manufactures products, its manufacturing operations will need to estimate the costs of materials, labor, and other components required to create the needed products. The human resources department must estimate the cost of the benefits it will need to supply to the company’s personnel. The customer support department can determine how much money it needs to assist buyers of the product. The requirements for each unit are based on the company’s expected sales. Next it is necessary to decide which expenditures to fund and to what degree. That determination depends largely on the company’s financial strategy. If the company is looking to cut costs, it must analyze the budget to see where costs can be limited without affecting sales. On the other hand, if the company is trying to grow quickly, it may need to spend more freely.

Protection of Assets  Copyright © 2012 by ASIS International

29

FINANCIAL MANAGEMENT 2.6 Implementing Financial Strategy and Financial Controls

2.6

IMPLEMENTING FINANCIAL STRATEGY AND FINANCIAL CONTROLS To be effective, any financial strategy (cost reduction, rapid growth, or other) must be implemented and overseen with appropriate controls. Implementation depends greatly on clear communication of the strategy, its purposes, and its expected results. For example, if production managers understand that the company’s financial strategy is to reduce costs, they can organize their activities to support that goal. If they do not understand the strategy, they may focus on the wrong goal and undermine the strategy. Budgets, too, must be aligned with the company’s financial strategy. If a defined profit margin is to be achieved, executive-level management must work with the sales and production teams to determine the optimal price at which to sell the product and the cost at which it can be produced. From that discussion, budgets can be established. If a department is expected to grow, its budget should be flexible so the department can pursue business opportunities as they appear. However, spending must be carefully managed so the business can still cover expenses. Controls need to be in place to monitor execution of a financial strategy and to prevent fraud. Such controls are implemented through accounting processes and internal auditing. Financial controls monitor spending in reference to budget allocations. If more or less money than was budgeted is spent, the situation should be investigated. It is possible for fraud to be present even when spending is on budget. Establishing a solid financial strategy is essential to keeping an organization competitive and able to adapt to changes in the marketplace. The strategy is derived from a thorough analysis of the company’s current financial situation and its intended financial goal. Communicating the strategy to employees, investors, vendors, suppliers, and other stakeholders boosts confidence and makes it possible for all to focus on creating success from the strategic direction.

30

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 3 STANDARDS IN SECURITY

3.1

INTRODUCTION TO STANDARDS A standard is a set of criteria, guidelines, and best practices that can be used to enhance the quality and reliability of products, services, or processes. Standards are part of everyday life, and the average person gives them little thought. Many modern conveniences are made possible by standards: light bulbs fit into lamps, files transfer over the Internet, and automated teller machine (ATM) cards work around the world. More than 95,000 standards are recognized in the United States alone (Siegel & Carioti, 2008). Because of the world’s numerous national and international standards, many parts, processes, and systems work regardless of who creates or performs them, who uses them, and where they are used. Standards are also used in the security arena. When they are developed in accordance with the principles of consensus, openness, due process, and transparency, they can help nations, communities, societies, organizations, and individuals improve their resilience in the face of security threats, both natural and man-made. In the past, some parties expressed concern that security standards, even though voluntary, might in practice force security professionals to conduct their work in a prescribed manner. Others observed that security standards, when written in general terms, would allow security professionals sufficient latitude in how they perform their jobs. Regardless of one’s view, the trend toward international security standards is under way, and security professionals can best influence the development of those standards by getting involved instead of leaving standards development to nonsecurity personnel. Moreover, adopting robust security

Protection of Assets  Copyright © 2012 by ASIS International

33

STANDARDS IN SECURITY 3.1 Introduction to Standards

standards may also reduce calls for intrusive government regulations—which would likely tie security professionals’ hands more tightly than voluntary standards ever could. Thus, standards development may not only help security professionals coordinate their efforts around the globe but also preserve their freedom to employ their professional judgment as they carry out their responsibilities. In a nutshell, security standards have arrived, more are under development, and they are likely to work best when security professionals participate in their development.

3.1.1

CHARACTERISTICS OF STANDARDS A standard may address a product, service, or process. A standard itself is voluntary and is hence different from a regulation. However, a regulation may require compliance with a standard. Over time, standards have evolved from a technical issue to a business issue of strategic importance. When a well-developed standard is in place, it brings benefits to many parties. Businesses can use standards to develop products and services that are widely accepted, enabling those businesses to compete freely in markets around the world. Customers can choose from a wide variety of products and services that are compatible with each other. Customers can also more easily judge product quality if a product is in conformance with certain standards. Standards are of nine main types: basic, product, design, process, specification, code, management systems, conformity assessment, and personnel certification. They require periodic review to remain relevant and state-of-the-art.

3.1.2

BENEFITS OF STANDARDS Security standards can play several roles in making a security professional’s job easier. They may do any or all of the following: x

34

Codify best practices and processes and share lessons learned. The idea is not to develop statements that are prescriptive but to share in a generic fashion what works best, how it works, and how it can be used to help improve the services and activities that an organization participates in. Unlike, for example, a standard addressing light bulb dimensions, which must be highly specific to be useful, security management standards do not dictate particular quantities (of staff or equipment) or techniques that must be used.

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.1 Introduction to Standards

x

Provide tools to assess threats, risks, vulnerabilities, criticalities, and impacts. A challenge in risk assessment is that different parts of an organization may not know how the other parts conduct and document their risk assessments. Thus they may have no way of measuring improvement consistently across an organization. Security standards can add consistency in this activity.

x

Define measurement methods. Standards provide guidance on benchmarks and testing methods and protocols.

x

Document equipment performance requirements to ensure effectiveness and safety. Standards can help define how effectively and how safely different types of equipment perform.

x

Establish design requirements for devices, systems, and infrastructure to withstand threats. These specifications make it easier to design systems and sell equipment across borders.

x

Define effective methods for identification of individuals. Again, standards can provide a useful consistency.

x

Enhance cross-jurisdictional information sharing and interoperability. Standards help in this regard when they develop communication and interoperability protocols. Disaster response works much better when responders can communicate with each other and when their equipment works with the equipment used by other responders.

x

Provide for consistency of services. Standards help define benchmarks for service delivery and provide frameworks for consistent performance.

A famous illustration of the cost of nonstandard equipment is the Great Baltimore Fire (Seck & Evans, 2004, pp. 6-7): Fire equipment responding from different cities to the Great Baltimore Fire in 1904 were hampered or rendered useless by the incompatibility of hose and fire hydrant connections … When fire hoses were first manufactured, the threads used to couple them differed among all the manufacturers. The same is true with the fire hydrant connections … Differences in hose connections on the hydrants, both diameters and threads, were part of the design that protected manufacturers from competition. Cities with different hydrant suppliers had fire fighting water supply systems with connections that were incompatible with those in other, sometimes neighboring, communities. History demonstrates that in major urban fires, the inability of fire fighting apparatus from other areas to utilize the water supply, because of incompatible hose connections, was a contributing factor to increased fire damage. The lack of uniform threads is commonly cited as a factor in the massive destruction of the th Great Baltimore Fire that started on Sunday afternoon, February 7 , 1904 … Engine companies from Washington, DC, transported by train, arrived in Baltimore to assist in fire fighting a few hours after the fire started. Unfortunately, their hoses would not fit Baltimore hydrants due to the difference in threads. The fire continued to claim block after block of

Protection of Assets  Copyright © 2012 by ASIS International

35

STANDARDS IN SECURITY 3.1 Introduction to Standards

buildings in the Baltimore business district as more fire companies arrived from surrounding cities and counties, Altoona, Annapolis, Chester, Harrisburg, New York, Philadelphia, Wilmington, and York. Some of the responding fire companies’ hoses fit the Baltimore hydrant connections; others did not.

After the fire, the National Fire Protection Association adopted a national standard for hydrant connections. Interestingly, 100 years later, only 18 of the 48 most populous U.S. cities had installed national standard fire hydrants (Seck & Evans, 2004, p. 6). rd

The issue of standards-based compatibility remains important. At the ASIS International 53 Annual Seminar and Exhibits in 2007, Stefan Tangen, ISO/TC 223 Secretary from the Swedish Standards Institute, told attendees, “When standards work, you just don’t notice them. You take them for granted. But when they are not working, then they become a problem.” He offered the example of a bridge linking Malmo, Sweden, to Copenhagen, Denmark, which was designed to comply with both countries’ road and rail standards. Unfortunately, planners did not harmonize emergency standards for equipment such as fire hoses (Plentiful Preseminar Programs, 2007, p. 44). Likewise, F. Mark Geraci, CPP, Chairman of the ASIS Commission on Standards and Guidelines, has observed, “Today’s security issues and challenges transcend borders and jurisdictions. Natural disasters and intentional disruptions … do not recognize boundaries. Therefore, ASIS is behind the effort to eliminate confusion by supporting … standards” (ASIS Supports Global ISO Standards, 2008, p. 93).

3.1.3

STANDARDS DEVELOPMENT ISSUES Standards are developed on several levels: national, regional, and international. The following issues apply at all those levels.

Many Players Involved Although ASIS is the largest membership organization of security professionals in the world, many organizations other than ASIS have developed security standards. For example, ASTM International (formerly the American Society for Testing and Materials) has developed standards for high-rise evacuation equipment to be used when primary routes to a safe zone are cut off, as well as standards related to homeland security, including one on the selection of antiterrorism physical security measures for buildings and hospital preparedness. In fact, ASTM has more than 100 active standards relating to a broad range of security concerns. Similarly, the National Fire Protection Association (NFPA) has issued several standards regarding security issues, including standards on premises security and installation of electronic premises security systems.

36

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.1 Introduction to Standards

Other security standards have been developed by various government agencies (including, in the United States, the Department of Agriculture) and by such organizations as the American Chemistry Council and the Biometric Consortium. Many countries have their own standards organizations (such as the American National Standards Institute in the United States, the Deutsches Institut für Normung in Germany, and the Japanese Industrial Standards Committee. With 159 member countries, the International Organization for Standardization, ISO, is the world’s largest standards developer. Based on international consensus, ISO standards address the global business community. To influence the direction of security standards worldwide, ASIS launched its Global Standards Initiative, which is discussed in detail in Section 3.5 below.

Standards Determined by Need Standards are generally developed to address specific needs, such as technical issues; health, safety, or environmental concerns; or quality or compatibility requirements. It is important to know why a standard is needed before deciding what type of standard will best suit those needs. It is also important to assess whether the marketplace will support the standard. If not, as in the case of fire hydrants and hose couplings discussed above, the effect of the standard will be limited. In addition, it is important to assess whether, instead of developing a new standard, an existing standard could be adopted or revised.

Broad Stakeholder Participation Beneficial A standard is more likely to be accepted when it is jointly developed by all interested parties or stakeholders. These are groups or individuals with an interest in the content of the standard. Producers, users, and others may be included as stakeholders, representing such parties as manufacturers, professionals, government authorities, educators, and consumers. Experienced standards developers note that security professionals who participate in standards development should be sure to attend the relevant meetings. Security professionals may serve as development committee members or leaders or as subject matter experts. No matter the capacity in which they serve, by serving on technical committees or attending meetings they will increase their influence, gain from valuable discussions, keep up with all circulated documents, demonstrate their interest, and boost their credibility.

Protection of Assets  Copyright © 2012 by ASIS International

37

STANDARDS IN SECURITY 3.2 Development of International Standards: ISO Example

3.2

DEVELOPMENT OF INTERNATIONAL STANDARDS: ISO EXAMPLE The International Organization for Standardization, called ISO, is the world’s largest developer and publisher of international standards. Its name is not an acronym but comes from the Greek word isos, meaning equal. Based in Geneva, Switzerland, ISO is a network of the national standards institutes of 159 countries. ISO is a nongovernmental organization bringing together stakeholders from the public, private, and not-for-profit sectors. It serves as a central point where standards bodies from around the world—and the organizations that participate in them—can gather to develop standards jointly. ISO standards address products (e.g., so USB drives will work anywhere in the world), processes (e.g., how to perform quality control or provide security services), and other issues. ISO does not regulate, legislate, or enforce. However, ISO standards often become recognized as industry best practices and de facto market requirements. Therefore, what ISO does is important to the security profession worldwide. Because ASIS has liaison status with various ISO Technical Committees, ASIS is able to play a leading role in shaping standards that will affect security practice.

3.2.1

CHARACTERISTICS OF ISO STANDARDS ISO standards are built on the following pillars:

38

x

Equal footing of members. Each participating member (country) in ISO has one vote.

x

Market need. ISO develops only those standards for which there is an identified market need or that facilitate international or domestic trade.

x

Consensus. ISO standards are not decided on a majority vote. Rather, they are based on consensus among the interested parties. All major concerns and objections raised during the development of the standard must be addressed to the satisfaction of the participants in the relevant committee. ISO comprises approximately 3,000 technical groups (including technical committees, subcommittees, working groups, and other bodies) in which more than 50,000 experts participate annually. The organization employs a transparent process for developing standards.

x

Voluntary participation and application. Participants in the ISO standards development process are not paid to participate; rather, they work on a standard because it is important to them. Moreover, ISO has no legal authority to enforce implementation of its standards. Its standards are simply meant to be a benefit to the marketplace. In ISO terminology, an organization comes into conformity with a standard, not compliance.

x

Worldwide applicability. ISO standards are designed to be globally relevant.

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.2 Development of International Standards: ISO Example

3.2.2

ISO STANDARDS DEVELOPMENT PROCESS ISO standards development work is carried out by technical committees that focus on specific areas of expertise. For example, in the security field ISO has the Societal Security Committee (ISO/TC 223); other committees address environmental management, quality management, and a variety of technical specifications. These technical committees include experts from the industrial, technical, academic, governmental, and business sectors that have asked for the standards and will put them to use. Other members include representatives of organizations interested in or affected by the standard’s subject matter. The committees prize balance, openness, and impartiality to ensure that the content of a standard is relevant, credible, and broadly acceptable (How are ISO standards developed? 2008). ISO has a detailed, written process for moving a proposed standard through the various stages of development and adoption. The slow, deliberative process is designed to build up the credibility of the standard. By the time the standard is completed and sent into the marketplace, it has a large constituency (those who participated in its development) that can increase the standard’s acceptance. In most cases, the countries that participate in standards development at the ISO level adopt ISO standards as their national standards. Each national standards-developing organization that serves as a member of an ISO technical committee is encouraged to establish a national mirror committee or technical advisory group of subject experts and interested parties. These mirror committees are broadly inclusive and typically comprise industry experts, government representatives, consumers, and others who might be affected by the standards. Members of the mirror committees meet to discuss development of the standards. Individual countries have their own processes for deciding who may participate in their mirror committees. Mirror committees frequently charge a participation fee for voting members. Liaisons are exempt from the participation fee and do not vote. Observers pay the participation fee and do not vote. Participation in a mirror committee is a convenient option for people who want to take part in standards development but are unwilling or unable to travel internationally. A mirror committee advises its country on what position it should take on the documents being developed. The committee reviews the documents as they are being prepared and prepares comments to submit to the ISO technical committee developing the standard. Then some members attend ISO plenary meetings or technical committee meetings, present the country’s position, and try to get their country’s views reflected in the standard. In brief, a mirror committee’s main responsibility is to develop a national consensus to present to ISO. In ISO, one of the committees working on security activities is ISO/TC 223: Societal Security. The committee has a broad scope, addressing security, business continuity, crisis manage-

Protection of Assets  Copyright © 2012 by ASIS International

39

STANDARDS IN SECURITY 3.3 Development of National Standards: U.S. Example

ment, disaster management, and emergency response. The committee examines crisis management and organizational continuity related to all types of disasters and disruptions, including intentional attacks, unintentional accidents, and natural disasters. The committee focuses on what an organization should do before, during, and after an incident. The committee also addresses interaction and interoperability between organizations.

3.3

DEVELOPMENT OF NATIONAL STANDARDS: U.S. EXAMPLE The American National Standards Institute (ANSI) was formed in 1916 to serve as a clearinghouse for Standards Developing Organizations (SDOs) in the United States. The Institute oversees the creation, promulgation and use of thousands of standards that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards—including globallyrecognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems.

3.3.1

CHARACTERISTICS OF ANSI STANDARDS ANSI is the administrator and coordinator of the U.S. private sector voluntary standardization system. It is a decentralized system that is partitioned into industrial sectors and supported by hundreds of private sector standards-developing organizations (SDOs). An SDO is an organization, company, government agency, or group that develops standards, including professional societies, industry and trade associations, and membership organizations that develop standards within their areas of expertise. ANSI is the only accreditor of U.S. voluntary consensus SDOs. Of the approximately 600 SDOs in the United States, some 200 are accredited by ANSI as developers of American National Standards. Examples of ANSI-accredited standards developers are ASIS International, the National Fire Protection Association, and the Security Industry Association. ANSI also conducts programs for accrediting third-party product certification. ANSI is the sole U.S. representative to and dues-paying member of the two major non-treaty international standards organizations: ISO and the International Electrotechnical Commission (IEC). The institute is designed to support a broad range of stakeholder engagement, address emerging priorities and new technologies, and allow stakeholders to find the solutions that best fit their needs. In addition, the ANSI system is market driven, flexible, sector based, led by the private sector, and supported by the U.S. government.

40

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.3 Development of National Standards: U.S. Example

The ANSI federation represents more than 125,000 companies and organizations and 3.5 million professionals worldwide. Members include academicians, individuals, government agencies, manufacturers, companies, trade associations, professional societies, service organizations, standards developers, consumer and labor interests, and more (About ANSI Overview, 2008).

3.3.2

ANSI STANDARDS DEVELOPMENT PROCESS The ANSI standards development process is designed so that standards users, not standards bodies, drive standardization activities. The process places a high degree of confidence in private-sector solutions for both regulatory and non-regulatory functions. The process is deliberately decentralized and provides a strong voice to standards users and individual stakeholders. ANSI accreditation, mentioned earlier, signifies that the procedures sponsored by an SDO satisfy ANSI’s requirements for an open, fair, consensus-based process that benefits stakeholders and the American public. Procedures provide due process and legal safeguards. Developers retain some flexibility in how they satisfy ANSI’s requirements. ANSI accreditation is a precondition for submitting a standard for approval as an American National Standard. The emphasis on proper procedures is crucial for mitigating the risks of standards-developing activities. The procedures require the following: x

openness, with no barriers to participation

x

timely and adequate notice of the initiation of development of a standard

x

a resolution process with a balance of interests

x

clearly and fairly defined interest categories

x

careful consideration, answering, and addressing of all views and objections

x

reporting of any unresolved objections to committee members

x

keeping of careful meeting records

x

an appeals process

ANSI approval of a standard means the standard was developed in accordance with ANSI’s requirements and is subject to ANSI’s procedural oversight, due process, and audit. The ANSI designation means the standard was developed through a process that includes the following: x

consensus by a group that is open to all materially affected and interested parties

x

broad-based public review and comment on draft standards

x

consideration of and response to comments submitted by voting members of the relevant consensus body, as well as by the public

Protection of Assets  Copyright © 2012 by ASIS International

41

STANDARDS IN SECURITY 3.4 Management Systems Standards

x

incorporation of submitted changes that meet the same consensus requirements into a draft standard

x

availability of an appeal by any participant alleging that these principles were not respected during the standards process

x

lack of requirement for compliance unless the standard is adopted into a regulation or statute

ANSI also examines any evidence that a proposed national standard is contrary to the public interest, contains unfair provisions, or is unsuitable for national use.

3.4

MANAGEMENT SYSTEMS STANDARDS Of the several types of standards, one particular type will likely have a large impact on the way security professionals work: management systems standards. The term management system refers to the organization’s method of managing its processes, functions, or activities. Management systems standards are designed to help organizations improve the ways in which they provide services and perform processes. Management systems standards are widely accepted and used in many fields and disciplines. The most famous management systems standards are ISO 9001:2008 Quality Management Systems—Requirements and ISO 14001:2004 Environmental Management Systems— Requirements with guidance for use.

3.4.1

CHARACTERISTICS OF MANAGEMENT SYSTEMS STANDARDS Management system standards are developed to be generic. They are designed to fit all sizes and types of organizations: private, public, faith-based, not-for-profit, etc. By taking a generic perspective, these standards avoid becoming overly prescriptive and including approaches that will be too difficult for some organizations to conform to. They provide a framework for what an organization should do while leaving how to do it at the discretion of the organization based on its financial and operating environment. A management systems standard can help an organization in several ways. For example, a company in conformity with a management systems standard may thereby give its customers, suppliers, and other stakeholders greater confidence in its reliability. Likewise, a company that supplies materials to a large manufacturing corporation (that must meet certain environmental standards) may better satisfy that company if it can show that it is in conformity with the ISO 14001 environmental management systems standard. In the same vein, if a company wishes to supply a critical piece in a supply chain, the customer may be happy to know that the prospective supplier is in conformity with the ISO 28000:2007

42

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.4 Management Systems Standards

Specification for Security Management for the Supply Chain and/or the ANSI/ASIS Organizational Resilience Standard. The customer may feel the supplier is less likely to suffer a disruption that would halt the customer’s production process. Management systems standards also provide organizations with a forum and mechanism for complying with regulations, industry requirements, and best practices. Of course, these standards are not regulations. Instead, they are tools to help an organization meet its goals, whether in terms of quality, environmental concerns, safety, security, preparedness, or continuity. Most management systems standards are based on the Plan-Do-Check-Act (PDCA or Deming Cycle) model of total quality management (TQM), which was developed decades ago and has been proven in the field of management. In sum, management systems standards include very generic requirements. They set a framework for a holistic, strategic approach to management. They address what an organization should do while leaving the details of how to achieve its objectives to the organization. The organization then has the flexibility to define the scope of the program and the means of implementing it. Moreover, an organization can strive to be in conformity with a management systems standard throughout the organization or only in a part of it. The standard’s generic quality also means the standard can work in different business cultures and different nations.

Why Management Systems Standards Work The process of implementing a management system—and thereby coming into conformity with a management systems standard—is meant to address the specific needs of the organization. The process requires examination of the organization’s assets, management’s expectations, the organization’s objectives, communication needs, measurements of success, and potential risks that could keep the organization from reaching its objectives. The implementation process encourages the organization to pay attention to the needs of the many interested parties—employees, suppliers, financers, the local community, and society as a whole—that may be affected by the organization’s operations. Because a management systems standard focuses on the organization’s goals, implementing a management system requires engaging top management. Doing so is the necessary first step in the process. By gaining the approval and insights of top management, the person implementing the management system can identify the goals, mission, and vision of the organization and clarify how its critical functions, activities, and services are defined. That information helps define the path toward which the management system will lead the organization. Among other benefits, a management system provides a factual basis for decision making and a system for continual improvement.

Protection of Assets  Copyright © 2012 by ASIS International

43

STANDARDS IN SECURITY 3.4 Management Systems Standards

The bottom line is that in working toward conformity with a management systems standard, the implementer is changing the organization’s culture. In the case of a security management systems standard, the implementer embeds a culture of security into the organization so all stakeholders understand that security is an important objective of the organization and that they are involved, will be held accountable, and should commit themselves to achieving the goals named in the management system.

Use of Management Systems Standards in Security As management systems standards become more common in the security field, security professionals face a change in their vocabulary—they will have to learn “managementspeak.” This change is likely to give them a professional advantage. When organizations’ environmental officers began to implement the ISO 14000 environmental management systems standard, they had to learn to communicate by using the same words and concepts that their top management used. They were able to justify their effort by putting it in terms that management used in carrying out the organization’s mission. By learning that language, environmental officers were elevated to the status of management. The same concept applies to security professionals. Being able to describe security goals in terms that management uses helps both parties. Management will better understand security issues, and security professionals will better understand management issues, which are really the issues of making the organization successful. Security then may be viewed as a strategic business and operational issue.

3.4.2

BENEFITS OF MANAGEMENT SYSTEMS STANDARDS A management systems standard can benefit an organization by doing the following:

44

x

Establishing benchmarks. These enable the organization to measure its progress and outcomes. The implementer must demonstrate that the management system is effective, and benchmarks help in doing so.

x

Forcing the organization to systematically identify risks and problems as well as potential solutions. Many organizations skip this step, make false assumptions, and therefore focus on issues that do not matter and ignore important ones.

x

Including more participants. A management systems standard requires the organization to include all levels of employees and stakeholders in planning. This more inclusive approach encourages normally reserved people to step forward and identify problems the organization may have overlooked. It also gives more people a sense of ownership of the process. They will then be more likely to get involved and participate in reaching the goals of whatever management system is being implemented (e.g., quality, environmental, security).

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.4 Management Systems Standards

x

Providing problem-solving and decision-making tools. The standard also links those tools to personnel training that will help employees do what the organization needs to reach its goal.

x

Leading the organization to study how standard operating procedures and operational controls can enhance the organization’s performance. Often organizations find that implementing a management systems standard improves their production and quality of service in ways completely separate from the standard’s particular goal.

x

Protecting the organization’s reputation or brand. In many cases, implementing and conforming with a management systems standard gives others greater confidence in the organization. News reports often show how a minor mistake, such as a breach of information security or a contamination problem, causes a company to lose market share or stock value. Better management systems can help prevent mishaps that lead to reputational damage.

x

Providing a model for continual improvement. A management systems standard does not call for a one-time action and specific output. Rather, the management system it leads to is an ongoing system. When an organization is audited for conformity, it is checked not for specific performance but for a mechanism for improving performance.

x

Helping an organization coordinate its resources and programs. These may include structure, responsibility, training, awareness, operational controls, and communication; policy and management commitment; planning and program development; review and improvement; checking and corrective action; knowledge of the organization; and planning, risk assessment, and impact analysis. These are all important, but in the absence of an effective management system, they may be like unconnected puzzle pieces and may not be usable in an effective, coordinated way.

Some specific outcomes that a management systems standard is likely to lead to include better organizational performance through improved capabilities; strategic alignment of improvement activities at all levels of the organization; the flexibility to react quickly to opportunities and a changing environment; and optimization of resources.

Protection of Assets  Copyright © 2012 by ASIS International

45

STANDARDS IN SECURITY 3.4 Management Systems Standards

3.4.3

PLAN-DO-CHECK-ACT CYCLE The Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management systems standards. Also sometimes called the Assess-Protect-Confirm-Improve model, it is an approach to structured problem solving focused on continual improvement. It works as follows:

Plan

This most critical stage calls for identifying and analyzing the organization’s problems—events that could disrupt operations—and assets. One identifies the root causes of those problems and begins to rank them in terms of importance.

Do

Here one looks at the planning analysis, devises a solution, prioritizes next steps, and develops a detailed action plan. The key word is action. The goal is not to write a manual that sits on the shelf, gathering dust. Rather, the goal is to develop a plan that will be used actively to engage the organization and address problems and their causes—and then to implement that plan.

Check

At this step, one examines the solutions devised to address the problems. The point is to check whether the solutions are producing outcomes that are consistent with the plan. It is necessary to have a way of identifying deviations so one can analyze why some measures might not be working and how they can be improved.

Act

If the solutions are in fact addressing the organization’s problems, it is time to act to standardize those solutions throughout the organization, review the current list of problems, and start defining new problems and issues. This is where the cycle, in effect, begins again.

A good way to start this process is to focus initially on a problem that is relatively easy to solve. Picking a solvable problem provides practice in using the management system and demonstrates the system’s effectiveness before the organization moves on to more serious or difficult problems.

46

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.4 Management Systems Standards

Plan Define & Analyze a Problem and Identify the Root Cause

Do

Act

Devise a Solution

Standardize Solution

Develop Detailed Action

Review and Define Next Issues

Plan & Implement It Systematically

Check Confirm Outcomes Against Plan Identify Deviations and Issues

Figure 3-1 Plan-Do-Check-Act-Cycle

3.4.4

WELL-KNOWN MANAGEMENT SYSTEMS STANDARDS The most famous management systems standards (used by more than a million organizations in 161 countries) are the ISO quality management systems standard and environmental management systems standard. These have been around for several decades and have proven to be very efficient. The ISO 9000 family of standards addresses quality management to help an organization meet customers’ quality requirements, enhance their overall satisfaction, satisfy regulatory requirements, and continually improve the organization’s performance in pursuit of these objectives. The ISO 14000 family of standards addresses environmental management, which is a way of looking at the organization’s activities, products, and services to gauge their environmental effect, find ways to minimize any harmful effects, and improve the costeffectiveness of the organization’s processes. All ISO management systems standards are implemented using the same process and have the same structure and components. Thus, a single, well-designed management system within an organization can be used to show conformity to several standards.

Protection of Assets  Copyright © 2012 by ASIS International

47

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

3.5

ASIS GLOBAL STANDARDS INITIATIVE ASIS began its Global Standards Initiative (GSI) in 2007 to position itself as a world leader in international security standards development. The move was driven by members who noted a lack of a voice for security professionals in the standards being developed within various countries as well as internationally. It was also driven by members involved in cross-border activities, who faced different sets of rules and procedures every time they reached a national or jurisdictional border. These members urged ASIS to get involved at the ISO level to promulgate a more global perspective in security planning.

3.5.1

PROCESS An early step taken through the GSI was to have ASIS gain approval as a liaison in the major national and international standards bodies. Not being a country, ASIS cannot participate directly in ISO as a national member. However, as an international organization, ASIS was able to seek liaison status, which enables full participation except for voting. Through the GSI, ASIS is also developing strategic partnerships with other standards-developing bodies around the world. ASIS encourages its members to help identify standards of high priority to security professionals and then to participate in developing drafts for circulation at the national, regional, or international level. The goal is to get involved in the development of standards regarding issues where standardization will make security professionals’ jobs easier and improve the quality of security service delivery. Specifically, ASIS encourages members to participate in developing standards on mirror committees in their home countries. ASIS is also an ANSI accredited SDO. The GSI is actively developing ANSI American National Standards (ANSI-ANS) in the U.S. As an example of ASIS standards-developing activity, Figure 3-2 illustrates the ANSI-certified process ASIS follows to develop American National Standards. This chapter focuses on standards. It is worth noting, however, that before becoming involved in standards, ASIS promulgated several guidelines. They were meant to be less formal than standards in the sense that an organization could use some, none, or all of a guideline’s elements—there was no issue of being in formal conformity. ASIS began issuing guidelines in 2001 to help the private sector secure its business assets and critical infrastructure. Where applicable, these guidelines are being modified into different types of documents: either actual standards or handbooks for implementing actual standards. The latter type is appropriate when the original guideline is too detailed and prescriptive to be a standard but contains much useful guidance that practitioners may want to know as they apply a standard.

48

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

ASIS conducts the five-day Security Lead Auditor Course for ISO 28000:2007, which is accredited by the Registered Accredited Body, USA and Quality Standards Australia (RAB/QSA). Upon successful completion of the program, participants receive the internationally recognized Lead Auditor Competency Certification. ASIS is also providing implementation guidance for ISO standards; leading education and training on standards and guidelines issues; and developing auditor training and certification (for auditing conformity with standards).

Start

ASIS and S & G Commission Identifies Need for Standard

S & G Commission Establishes Standard Committee and Initiates Project

Committee Chair And Vice Chair Appointed

HQ Completes ANSI Project Initiation Notification (PINS) Form

PINS Form Submitted to ANSI for 30-Day Comment Period

Committee Develops Draft Standard and Assigns Working Group

HQ and Committee Develops Voting Body

Comments Received?

Working Group Reviews/Revises Draft Standard

HQ Sends Letter Ballot to Voting Body for Draft Standard Approval

No

HQ Submits ANSI BSR8 Form for 45 Day Public Review

Yes Yes Committee Reviews Comments and Makes Appropriate Revisions

Comments Received?

Yes

No

End

ANSI Approval and Publication

Substantive Revisions Required? No

Draft Standard Approved

HQ Submits ANSI Form BSR9 for Approval/ Appeals Process (See pg. 2 for Appeals Process)

Figure 3-2 ASIS Commission on Standards/American National Standards Institute Standards Development Process

Protection of Assets  Copyright © 2012 by ASIS International

49

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

3.5.2

PRODUCT STATUS This section describes the status of various security-relevant standards and guidelines. Because ASIS is converting some of its guidelines into standards or into products that accompany standards, both guidelines and standards are listed below.

ASIS Guidelines The following are the ASIS guidelines that are published or under development as of March 2011. All published guidelines can be downloaded from http://www.asisonline.org/guidelines/ published.htm.

50

x

Chief Security Officer Guideline (2008). This guideline addresses the key responsibilities, skills, and qualifications needed in an organization’s senior security executive. Status: published.

x

Facilities Physical Security Measures Guideline (2009). This guideline provides a methodology to select appropriate physical security measures to safeguard an organization’s assets. Status: published.

x

Threat Advisory System Response Guideline (2008). This provides private industry with possible actions to implement at various U.S. Department of Homeland Security alert levels. Status: published.

x

Information Asset Protection Guideline (2007). This offers general protection advice for an entity’s information assets, including proprietary, classified, and other sensitive materials. Topics include collection, storage, dissemination, and destruction. Status: published.

x

Preemployment Background Screening Guideline (2009). This guideline helps employers understand and implement the fundamental concepts, methodologies, and legal issues associated with the preemployment background screening of job applicants. Status: published.

x

Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery (2005). This guideline outlines various interrelated processes and activities—including readiness, prevention, response, recovery/resumption, testing and training, evaluation, and maintenance—that can be used in creating, assessing, and sustaining plans for use in a crisis that threatens an organization’s viability and continuity. Status: published.

x

Workplace Violence Prevention and Response Guideline (2005). This offers useful ways to maintain a safe and secure work environment. Means include identifying, evaluating, and controlling potential hazards and conducting employee informational training. Status: published.

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

x

Private Security Officer Selection and Training Guideline (2010). This guideline sets forth minimum criteria for the selection and training of private security officers. The criteria may also be used to provide regulating bodies with consistent minimum qualifications. Status: published but under revision.

x

General Security Risk Assessment Guideline (2003). This provides a seven-step methodology for identifying and communicating security risks at a specific location. It also addresses appropriate solutions. Status: published.

ASIS Standards The following are the ASIS American National Standards that are finished or under development as of March 2011. All published standards are available at http://www. asisonline.org/guidelines/published.htm. Many of these standards are being worked at the international level as well. x

Chief Security Officer (CSO) Organizational Standard (2008). The standard provides a model for organizations to use when developing a leadership position responsible for providing comprehensive, integrated risk strategies to protect an organization from security threats. The CSO’s role may be viewed as a stand-alone position or one that has been incorporated within an organization’s existing leadership team. The standard details the CSO reporting relationship, key responsibilities, core competencies, experience, education, and compensation. It also provides a model position description. Status: published as an ANSI-ANS.

x

Organizational Resilience: Security, Preparedness and Continuity Management Systems—Requirements with Guidance for Use (2009). Using the Plan-Do-CheckAct approach, this standard provides steps necessary to prevent, prepare for, and respond to a disruptive incident. It lists generic auditable criteria for establishing, checking, maintaining, and improving a management system that enhances prevention of, preparedness for, mitigation of, response to, and recovery from disruptive incidents. An annex to the standard provides guidance on system planning, implementation, testing, maintenance, and improvement. Status: Status: published as an ANSI-ANS.

x

Business Continuity Management Systems Requirements with Guidance for Use (2010). This joint ASIS/BSI ANSI standard includes auditable criteria for preparedness, crisis management, business and operational continuity and disaster management. It uses a management systems process approach according to the Plan-Do-Check-Act model and is based on the British Standards Institution’s standard on business continuity, BS 25999. Status: published as an ANSI-ANS.

Protection of Assets  Copyright © 2012 by ASIS International

51

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

52

x

Workplace Violence Prevention and Intervention (2011). Joint standard with the Society for Human Resource Management (SHRM) that provides an overview of general security policies, processes, and protocols that organizations can adopt to help prevent threatening behavior and violence affecting the workplace and better respond to and resolve security incidents involving threats and episodes of actual violence. Status: Published as an ANSI-ANS for WVPI.

x

Auditing Management Systems for Security, Preparedness and Continuity Management with Guidance for Application. Management systems standards emphasize the importance of audits as a management tool for monitoring and verifying the effective implementation of an organization’s policy. Moreover, audits are an essential part of conformity assessment. This standard addresses the systematic, objective activities in evaluating management system performance for security, preparedness, and continuity management. Status: Under development.

x

Physical Asset Protection. This standard uses the Plan-Do-Check-Act approach to identify, apply, and manage physical security measures to safeguard an organization’s assets—people, property, information, and intangibles—that are based in facilities (not in transit). It describes a process that includes setting goals; identifying, assessing, and managing risks; and selecting appropriate physical security measures. The standard describes basic functions of physical security measures in deterrence, detection, delay, and response. Status: Under development.

x

Organizational Resilience Maturity Model—Phased Implementation. Standard describes a maturity model for phased implementation of the ANSI ASIS Organizational Resilience Standard as a series of steps designed to help organizations evaluate where they currently are with regard to resilience management and preparedness, set goals for where they want to go, benchmark where they are relative to those goals, and plot a business sensible path to get there. The model outlines six phases ranging from no process in place for resilience management to going beyond the requirements of the Standard. It can be used in conjunction with the ANSI ASIS Organizational Resilience Standard or as a tool for continually improving a generic resilience management and preparedness program. Status: Under development.

x

Management Systems for Quality of Private Security Company Operations— Requirements with Guidance. Provides requirements and guidance for a management system with auditable criteria for Quality of Private Security Company Operations (PSC), building on the Montreux Document on pertinent legal and security companies in conditions where the rule of law has been undermined by conflict or disaster. Standard provides auditable requirements based on the Plan-Do-Check-Act model for third-party certification of Private Security Company Operations—private security providers working for any client. Status: Under development.

x

Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations. Provides requirements and guidance for conducting conformity assessment of the Management System for Quality of Private Security

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

Company Operations (PSC) Standard. Standard provides requirements for bodies providing auditing third party certification of Private Security Company Operations— private security providers working for any client. It provides requirements and guidance on the management of audit programs, conduct of internal or external audits of the management system and PSC operations, as well as on competence and evaluation of auditors. Status: Under development. x

Resilience in the Supply Chain. Standard expands the scope of the ANSI ASIS Organizational Resilience Standard to include resilience in the supply chain. It provides a framework for evaluating the internal and external context of the organization with regard to its supply chain, enabling it to develop a comprehensive, balanced strategy to reducing both the likelihood and consequences of a disruptive event. It also is consistent with the risk management principles and framework of the ISO 31000. The standard provides auditable criteria to prevent, prepare for, respond to and recover from a disruptive event using a comprehensive approach to managing risks thereby eliminating the siloing of risks and their impacts. Status: Under development.

x

Risk Assessment. This standard provides a means of analyzing the efficacy of risk management controls designed to protect an organization’s assets. Status: Under development.

Standards Activity ASIS has become involved in numerous security-related standards development projects in concert with other organizations. Note that security in the ISO context is a very inclusive term, referring to the entire flow of events that can take place surrounding a disruptive incident, such as prevention, preparedness, mitigation, response, continuity, and recovery. ASIS also has relationships with national bodies and is participating in developing standards with them. The subsequent goal is to take completed standards and submit them to ISO for consideration as international standards. Doing so accelerates the process and gives a larger voice to security professionals so standards will truly address their needs and the services they provide. Members are encouraged to volunteer to participate in technical committees on standards that affect their areas of practice and expertise. The following are some key areas of ASIS involvement: x

ISO/TC 223: Societal Security. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS is a member of the Chairman’s Advisory Group, the Resolutions Committee, and all work groups and task groups involved. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

Protection of Assets  Copyright © 2012 by ASIS International

53

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

54

x

ISO/TC 247: Fraud and Countermeasures. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

x

ISO/TC 8: Marine and Maritime. ASIS participates as a liaison, particularly in the ISO 28000 Security in the Supply Chain series.

x

ISO/PC 262: Risk Management. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

x

ISO/IEC JTC 1/SC 27: Information Security. ASIS participates as a liaison, particularly in the ISO 27000 series.

x

ISO/TMB WGRM: Working Group on Risk Management. ASIS participates as a liaison. This group recently finished a draft of a new ISO 31000 Risk Management Standard.

x

JTCG Task Force Auditing for the revision of ISO 19011. ASIS represents ISO/TTC 223 as a liaison to this group on auditing of security and security management systems. This task force is looking at how to expand auditing (as is done in quality and environmental management systems standards) to the realms of security, information technology, occupational health and safety, and other fields where management systems standards are being developed or have been developed.

x

ISO/SAG-S: Strategic Advisory Group on Security. ASIS also participates in this group, which advises the ISO Board on strategic issues related to security. The group is open only to national bodies, not to liaisons, but ASIS sits at the table as a member of the Dutch contingent (that is, as a technical expert with the Nederlands NormalisatieInstituut).

x

Supply Chain Risk Leadership Council. ASIS participates in the Supply Chain Risk Leadership Council in strategies to address supply chain standards development both nationally and internationally.

x

CEN/BT/TF 167: Security Services, CEN/BT/WG 161: Protection & Security of the Citizen, CEN/PC 384: Airport and Aviation Security Services, CEN/TC 391: Societal and Citizen Security, and CEN/TC 379: Supply Chain Security. ASIS participates in CEN, the European Committee for Standardization, which is a consortium of European standards bodies. In the first committee listed, ASIS has observer liaison status; in the second committee, ASIS maintains close relationships with active members.

x

ASIS International partners with National Standards Bodies (NSB) around the globe to develop national standards, promotes collaboration between the local ASIS Chapters and the NSB, and provides joint training programs.

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

x

ANSI’s Board of Standards Review (BSR) body. ASIS is a voting member of the ANSI BSR, which is responsible for the approval and withdrawal of American National Standards and for hearing appeals of its decisions.

x

ANSI’s Executive Standards Council (ExSC) body. ASIS is a voting member of the ANSI ExSC which is responsible for the procedures and criteria for national and international standards development activities of the Institute, and accredits national standards developers and U.S. Technical Advisory Groups (TAGs) to ISO. The ANSI ExSC hears appeals related to its areas of responsibility.

x

ANSI National Policy Committee (NPC) body. ASIS is a member of the ANSI NPC, which is responsible for broad-based policy and position decisions regarding national standards issues and government relations and public policy issues.

x

ANSI International Policy Committee (IPC) body. ASIS is a member of the ANSI IPC, which is responsible for development of ANSI strategic directions and policies related to international and regional standardization.

x

ANSI ISO Council (AIC) body. ASIS is a member of the ANSI AIC, which is responsible for developing ANSI positions and preparation of ANSI representatives to ISO General Assembly and ISO Council and its subgroups, including ISO policy development committees.

x

ANSI International Conformity Assessment Committee (ICAC) body. ASIS is a member of the ANSI ICAC, which is the U.S. interface to the ISO Council Committee on Conformity Assessment.

x

ANSI Committee on Education (COE) body. ASIS is a member of the ANSI COE, which is responsible for initiatives related to standards and conformity assessment education and outreach, as well as fulfilling the objectives of the United States Standards Strategy.

x

ANSI Standards Boost Business (SBB) campaign. ASIS participates in the ANSI SBB effort to increase executives’ and other private-sector leaders’ (C-level) understanding of how the U.S. voluntary standards system and its activities can boost business performance.

x

ANSI Organizational Member Forum (OMF) body. ASIS is a member of the ANSI OMF, which provides a forum for U.S. professional societies, trade associations, standards developers, and academia to come together to discuss national and international standards and conformity assessment issues of interest.

x

ANSI Homeland Standards Security Panel (HSSP). ASIS is a member of the ANSI HSSP, which identifies existing consensus standards, or, if none exists, assists the Department of Homeland Security (DHS) and those sectors requesting assistance to accelerate development and adoption of consensus standards critical to homeland security. Additionally, ASIS is a member of the ANSI Homeland Standards Security Panel Steering Committee, an advisory committee to the HSSP.

Protection of Assets  Copyright © 2012 by ASIS International

55

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

x

Security Industry Standards Council (SISC). ASIS is a member of the SISC, which votes on proposed standards that are being considered from other security-related SDOS in addition to review and coordination of standards activities.

x

U.S. Department of Homeland Security Title IX program (Voluntary Private Sector Accreditation and Certification Preparedness Program). The ANSI ASIS Organizational Resilience Standard has been adopted in the Title IX PS-Prep program.

x

U.S. Department of Defense. The Department of Defense reached out to ASIS to develop Standards for Private Sector Security. Two standards projects under development; Management System for Quality of Private Security Company Operations, and Conformity Assessment and Auditing management systems for quality of private security company operations.

The position of ASIS is that these areas represent the best thinking of security professionals around the world and also help to ensure an organized approach to the challenges facing corporations and the public and private sectors today.

3.5.3

ORGANIZATIONAL RESILIENCE STANDARD In March 2009, the ASIS Global Standards Initiative published the American National Standard ANSI/ASIS.SPC.1: Organizational Resilience: Security, Preparedness and Continuity Management Systems—Requirements with Guidance for Use. This flagship standard was developed by technical committees in Australia, the Netherlands, and the United States. The management system standard provides a framework for a comprehensive approach to managing the risks of a disruptive incident by addressing reduction of both likelihood and consequences. It continues to gain international acceptance. The Netherlands and Denmark have adopted it as a national standard in their countries, and several other countries are in the process of adoption, translation, and publication. It has also been submitted to ISO for consideration as an international standard. This is a practical management systems standard that deals with organizational resilience. It focuses on security, preparedness, and continuity management all in one management systems standard. It looks at how an organization can prevent, prepare for, mitigate, respond to, and recover from a disruptive incident that could, if not controlled, turn into an emergency, crisis, or disaster. Like ISO standards, it uses the Plan–Do–Check–Act model. The standard was designed to be business-friendly (improving its likelihood of adoption in the marketplace) and is completely aligned and compatible with existing management systems standards, such as ISO 9001:2000: Quality Management, ISO 14001:2004: Environmental Management, ISO/IEC 27001:2005: Information Technology Security, and ISO 28000:2007: Supply Chain Security Management. An advantage of this alignment is that an organization

56

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

can meet the requirements of other standards through the process of meeting the requirements of this organizational resilience standard. The standard is also meant to be an auditable complement to the new ISO31000: Risk Management standard, thereby enabling an organization to seamlessly integrate resilience and security management into its overall risk management strategy. The standard’s goal may be illustrated by considering a company that, on a normal day of operation, is working at 100 percent capacity. Suddenly a disruptive incident occurs. Without a plan in place, the company could completely lose capacity. Once that happens, management may have no idea how long it will take to return to full capacity, if indeed the company ever does. This standard encourages management to preempt the problem by looking at what could potentially disrupt the operation, how to prevent it, and how, if it takes place, to respond quickly to mitigate the impact of the incident (reduce the drop in capacity) and shorten the recovery period. The standard also helps management consider how to bring the most critical processes back online as quickly and efficiently as possible. The goal, then, is to help the organization survive and thrive. The following is a summary of the steps contained in the standard, as directed to security management:

1. Start: Know the Organization Many organizations unwisely skip this most critical step and start looking for solutions to what they think are the problems, rather than analyzing what are the core issues they need to address. This step includes several tasks: x

Identify the internal and external context of the organization.

x

Define the scope and boundaries for the security, preparedness, and continuity management program.

x

Identify critical objectives, operation, functions, products, and services. Prioritize them according to their importance to the organization’s survival.

x

Make a preliminary determination of likely risk scenarios and consequences.

By understanding and prioritizes the issues most important to the organization, it is possible to focus on problems that are manageable and for which one can effectively develop a system. It is not advisable to deal with all problems of the organization at once. The process should be approached from a business point of view with a continual improvement perspective.

Protection of Assets  Copyright © 2012 by ASIS International

57

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

2.Security Policy The next step is to obtain management commitment, participation, and leadership, which are critical to the exercise. The standard is, after all, for a management system. Security policy will be elevated to a critical interest of the organization and hence requires the participation of the entire organization. The policy will state and constitute a commitment to the protection of critical assets as well as commitment to continuous improvement. Obviously, management demonstrates its commitment by providing adequate resources to implement the management system.

3.Planning This is the time to conduct a risk assessment and impact analysis. The standard simply states that the organization must have a defined and documented method for doing so. The organization may choose from the many existing risk assessment methodologies and means of analyzing business impact, but it must choose a specific, formal methodology and not merely rely on its general sense of the problem. It is recommended that the organization follow the risk assessment process outlined in ISO31000:2009: Risk Management Guidelines. At this stage it is also necessary to determine the legal and other requirements with which the organization must comply and then choose a method of addressing them. With these three analyses, the organization has a basis for developing objectives and determining its means and resources for attaining them. Plans for security management programs emphasize incident prevention, while plans for response management emphasize reducing an incident’s impact and quickly returning to full operation.

4.Implementation and Operation This is the step for developing the organization’s approach to improving resiliency. Here are key topics to examine:

58

x

Organizational structures and responsibilities needed to develop the strategic plan. Organizational roles, responsibilities, and authorities are clearly defined to support the management system and all the activities needed to address the risks of disruptive events.

x

Training, awareness, and competence. Programs must be developed that will give employees the confidence and competence to do what they should. They should be educated on what could happen and how they should respond.

x

Communication. The standard addresses communication both within the organization and with external parties. Key issues include how to prepare in advance to respond to external questions and who will speak for the organization.

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

x

Documentation. This process requires developing standard operating procedures regarding security, preparedness, and continuity management, as well as documenting the management system itself. If it is not documented, no one can check to see if it is working.

x

Incident preparedness and response plans. These contain the specifics of what should be done to prevent an incident and mitigate its consequences, as well as what should happen after an incident, covering such issues as alternative work sites, mutual aid agreements, and meeting points.

5.Checking and Corrective Action The standard then addresses these topics: x

Performance evaluation: The organization establishes performance metrics and evaluates its resilience performance, including compliance with legal and other obligations. Exercises and testing are used to evaluate performance.

x

Monitoring and measurement. This step discusses how to identify nonconformity, address it through corrective and preventive actions, and document those steps.

x

Important business records. This step addresses the need to identify, store, and protect vital documents, as well as keep them accessible to the people who need them. Again, the standard does not specify how to perform these tasks but merely insists that the company have a specific plan for doing so.

x

Audits. These make it possible to track the performance and effectiveness of all required tasks.

6.Management Review Information from all the preceding steps is then fed back for management review. This is the stage to ensure that the management system is adequate and effective and to discuss any need for improvement. Then, for continuous improvement, one repeats steps 1 to 6 indefinitely. Figure 3-3 shows the process in graphic form. The standard’s structure is simple, but each step is rather involved. If the organization contains a person who wishes to focus on security, preparedness, and continuity management, that person may be the best candidate to bring this management systems standard to management. Alternatively, an organization may use an external consultant with expertise in developing such systems. However, the management system is implemented by the organization with the advice and guidance of the consultant. Ownership throughout the organization is the key to success.

Protection of Assets  Copyright © 2012 by ASIS International

59

STANDARDS IN SECURITY 3.5 ASIS Global Standards Initiative

Standards are nothing to fear. If the security community sits back and waits for others to develop security standards—whether people from other disciplines or standards developers with no security expertise or practical understanding—then the standards developed could be overly prescriptive and make it more difficult for security professionals to do their jobs. On the other hand, if the people who will use the standards get involved in developing them, the standards are more likely to be useful tools.

Start: Know your Organiz on - Define scope and boundaries for preparedness, re nuity and recovery management program - Iden ves, oper ons, ons, products and services - Preliminary det on of likely risk scenarios and consequences

Policy - Management Commitment cal - Commitment to Protec Assets and Con nuous Improvement - Commitment of Resources

Management Review - Adequacy and Effec veness - Need for Changes es for Improvement -

Checking & Corr ve Ac on - Monitoring and Measurement - Evalua on of compliance and system performance - Nonconformity, Correc ve and Preven ve Ac on - Records - Internal Audits

Connua l Improvement

Planning - Risk Assessment and Impact Analysis - Legal and Other Requirements ves and Targets - Strategic Preven on, Preparedness and Response Programs (Before, er an Incident)

Implementa on and Oper on - Structure and Responsibility - Training, Awareness, Competence - Communica on - Documenta on - Document Control - Oper onal Control - Incident Preven on, Preparedness and Response

Figure 3-3 Organizational Resilience (OR) Management System Flow Diagram

60

Protection of Assets  Copyright © 2012 by ASIS International

STANDARDS IN SECURITY References

REFERENCES About ANSI Overview. (2008). American National Standards Institute. Available: http://www.ansi. org/about_ansi/overview/overview.aspx?menuid=1 [2008, December 8]. ASIS supports global ISO standards. (2008, January). Security Management, 93. How are ISO standards developed? (2008). International Organization for Standardization. Available: http://www.iso.org/iso/standards_development/processes_and_procedures.htm [2008, December 8]. Plentiful preseminar programs. (2007, November/December). ASIS Dynamics, 44. Seck, M. D., & Evans, D. D. (2004). Major U.S. cities using national standard fire hydrants, one century after the Great Baltimore Fire. National Institute of Standards and Technology. Gaithersburg, MD. Siegel, M., & Carioti, S. (Speakers.) (2008). Standards changing the world of security professionals (ASIS Virtual Forum CD Recording EDUPRG.VF-06). Alexandria, VA: ASIS International.

Protection of Assets  Copyright © 2012 by ASIS International

61

CHAPTER 4 INTRODUCTION TO ASSETS PROTECTION

Protecting an organization’s assets is a daunting task. The business world, the security arena, and life itself are changing at lightning speed. Globalization, information technology, instant communications, complex and asymmetric threats, public opinion, mergers and acquisitions, conglomerates and partnerships, and regulation all have a major influence on how security professionals must perform their mission. In addition to needing a broad array of security expertise, today’s security professional must be an adaptable, strategic thinker, skilled in process management and fast, accurate program implementation. Protection of Assets is designed as a support tool for security professionals and others with similar responsibilities. It provides information on all aspects of security and related functions and helps readers balance costs and results in planning, developing, and implementing sound risk management strategies. Because of the rapid pace of change, POA is a living document. It features periodic updates and guides readers to other sources for further information.

Protection of Assets  Copyright © 2012 by ASIS International

63

INTRODUCTION TO ASSETS PROTECTION 4.1 Basis for Enterprise Assets Protection

4.1

BASIS FOR ENTERPRISE ASSETS PROTECTION

4.1.1

DEFINING ASSETS PROTECTION For many people, the term assets protection suggests finance. Security professionals, however, think of assets protection in a different, broader sense. In the security arena, one often speaks of protecting three types of assets: people, property, and information. The larger view of assets protection, however, also considers intangible assets, such as an organization’s reputation, relationships, and creditworthiness. In considering all of an organization’s assets and all potential hazards, both natural and man-made, the security function should take the lead on some matters and play a supporting role in others. This approach helps ensure that the security function is, and is seen to be, a value-adding element of the organization. The greatest protection of corporate assets occurs when an appropriate mix of physical, procedural, and electronic security measures is in place in relation to the assets being protected. This creates an effective defense-in-depth asset protection program. Graduate students in a security management program were recently asked to define assets protection from their perspective. The students were all experienced, mid-career professionals in security, law enforcement, or the military. Almost all the students mentioned elements like asset definition, threat assessment, vulnerability and risk analysis, security methods for reducing risk, and the need to balance security costs with the benefits of protective measures employed. However, several additional aspects of assets protection emerged as well: x

Both tangible and intangible assets must be considered.

x

A key objective is maintaining smooth business operations.

x

Post-incident business or mission continuity is an important element.

x

Both the current and future risk environments must be considered.

x

Providing a safe and healthy environment should be factored in.

x

Liability reduction/management is an important component.

As those students seemed to understand, assets protection must be a comprehensive, proactive function that is directly tied to the organization’s mission. In addition, it is essential to know what needs to be protected. In many cases, asset owners (such as business owners or managers) lack a thorough understanding of what their real assets are. Some think purely in financial terms, while others focus on tangible goods, such as facilities, inventory, vehicles, or equipment. A wider view of assets might include those listed in Figure 4-1.

64

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.1 Basis for Enterprise Assets Protection

TANGIBLE

INTANGIBLE

MIXED

Facilities/buildings

Reputation/image

People

Equipment

Goodwill/trust

Intellectual property

Inventory

Brand recognition

Knowledge

Vehicles

Relationships

Proprietary processes

Raw materials

Vendor diversity

Cash/money

Longevity/history

Information technology capabilities

Accounts receivable

Past performance

Land/real estate

Supplies/consumables

Experience

Infrastructure

Telecommunications systems

Quality assurance processes

Credit rating/financial stability

Other capital assets

Workforce morale/spirit/loyalty

Customers (customer base)

Workforce retention

Contracts in place

Management style

Financial investments

Human capital development

Geographic location

Liaison agreements

Staffing sources/recruiting

Market share

Certifications (e.g., ISO 9000) Continuity posture/resiliency Safety posture

NOTE: Tangible assets are generally those one can see, touch, or directly measure in physical form. Mixed assets have both tangible and intangible characteristics.

Figure 4-1 Examples of Organizational Assets by Type

4.1.2

RELATION TO SECURITY AND OTHER DISCIPLINES Because assets protection is a broad, complex function, many departments or elements of an organization may be involved in it. However, a single office or person should be designated as the assets protection focal point. Assets protection professionals should either lead or follow, but in either case they should not allow themselves to be left out of key deliberations and decisions. Though it is the responsibility of senior management to provide the resources needed to enhance the protection of assets, it is the assets protection professional’s responsibility to provide them with the best information for their decision-making process. Assets protection incorporates all security functions as well as many related functions, such as investigations, risk management, safety, quality/product assurance, compliance, and emergency management. Therefore, the senior assets protection professional must have

Protection of Assets  Copyright © 2012 by ASIS International

65

INTRODUCTION TO ASSETS PROTECTION 4.1 Basis for Enterprise Assets Protection

strong collaboration and coordination skills as well as a thorough understanding of the workings of the enterprise. In today’s asset protection program, countermeasures need to include people, hardware, and software. Of particular interest today is convergence, which is the “integration of traditional and information [systems] security functions” (ASIS International, 2005). Such convergence makes collaboration even more important.

4.1.3

HISTORICAL PERSPECTIVES From the dawn of mankind, organizations have faced threats to their safety and security. One of the tribe’s important functions was the protection of its assets, which might include land, crops, water supplies, or its cultural or religious heritage. Over the centuries, upon arriving in a new country, immigrants from particular regions have tended to settle together in communities that became known as ghettos. These ghettos have had a strong assets protection aspect. Like tribes, gangs today emphasize assets protection. Their assets may include “turf,” recognition, members, weapons, or market share of illegal activities. Families, too, protect their assets, which include family members, the home and its contents, vehicles, financial assets, pets, occupations, and status in the community. Families use such methods as security equipment, insurance, education, communications procedures, and neighborhood watch groups. Different assets protection methods work in different situations (Webster University, 2006): The protection of assets is not an exact science. What works in one situation may have disastrous results in another. Asset owners and security professionals alike must analyze specific situations or environments; recognize needs, issues and resources; and draw conclusions regarding the most appropriate protection strategies and applications.

Assets protection can be performed by internal entities, external entities, or a combination. In th the United States, the first private security firms emerged in the mid-19 century. They began as investigative agencies and expanded to provide other assets protection functions, such as executive protection, intelligence collection, counterintelligence, cargo escort, and protection of railroads, a critical infrastructure of the day (Securitas, 2006). The concepts, techniques, tools, and philosophies of assets protection change as threats mutate, technologies advance, management approaches develop, and business around the world becomes transformed.

66

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.1 Basis for Enterprise Assets Protection

Influences in Assets Protection Many recent developments have affected the practice of assets protection. In the early 1970s, for example, computer security began to flourish as a separate discipline (National Institute of Standards and Technology, 2006) because of society’s increasing reliance on information systems. Another influence was the recognition of the vulnerability of critical infrastructure to both natural and intentional attacks. In the United States, critical infrastructure was initially defined as comprising the following industry sectors: transportation, oil and gas, water, emergency services, government services, banking and finance, electrical power, and telecommunications. More sectors were added later. Significantly, most U.S. critical infrastructure is owned or operated by private enterprises. In the United States, attention to the security of critical infrastructure increased greatly after the 1993 attack on the World Trade Center in New York City and the bombing of the Alfred P. Murrah Federal Building in Oklahoma City two years later.

Damage to the Pentagon caused by the September 11th attack. Photograph by Kevin Peterson

Protection of Assets  Copyright © 2012 by ASIS International

67

INTRODUCTION TO ASSETS PROTECTION 4.1 Basis for Enterprise Assets Protection

To security professionals, the terrorist attacks of September 11, 2001, represented the most significant turning point in assets protection around the world. That attack x

led to increased security budgets and reduced constraints on security policies and procedures,

x

fostered communication between security officials and front-office executives, and

x

enhanced threat awareness and vigilance by business managers and employees

In some cases, knee-jerk reactions to 9/11 wasted valuable resources. For example, one company with facilities in several countries ordered each site to post a security officer at its entrance. However, the new security officers had no idea of their roles and responsibilities and had no way to communicate with other security staff at the sites. At best they were able to provide a false sense of security. Similarly, after 9/11 many organizations spent much more than necessary on security technology. The shock of 9/11 also caused an overemphasis—in terms of security solutions—on terrorist attacks instead of the broader spectrum of realistic security risks. Even now, resources that could have been dedicated to information technology (IT) security, information asset protection, and traditional crime or loss prevention are being diverted to antiterrorism measures, such as blast-resistant materials, stand-off zones, bollards, chemical/biological hazard sensors, and similar items. Even in school security, interest in traditional, comprehensive assets protection has often given way to preparation for terrorist attacks. Over time, the 9/11 attacks have partly redefined assets protection. The following are some of the beneficial changes:

68

x

a change in public expectations and an increase in the level of security measures that the public will tolerate

x

an ongoing examination of personal privacy versus public protection

x

more serious study of security and protective services budgets and strategies

x

better information sharing within and between the security and law enforcement communities, leading to improved crime-fighting capabilities

x

greater application of advanced technologies to threat analysis, vulnerability assessment, information sharing, and protective measures

x

more widespread discussion of strategic protection concepts incorporating risk management and comprehensive assets protection

x

more emphasis on security and assets protection research

Protection of Assets  Copyright © 2012 by ASIS International

INTTRODUCTION TO O ASSETS PROTEECTION 4.1 Basis for Enterrprise Assets Prootection

Sim milarly, the 2001 anthrax scare in the e United Staates led to m much greater emphasis o on the security of maillroom operattions. In add dition, the Saarbanes-Oxleey Act in the United State es has req quired public cly traded corrporations to o perform m more extensivve assessmen nt and reportting. Resspondents to o one securrity-related survey s rated d the act as the second d most impo ortant legiislation haviing a moderrate or majo or impact on n their orgaanization (AS SIS Internatiional, 200 05, p. 48).

Pattterns of Chaange In assets prote ection, the period p betwe een major p paradigm sh hifts (includiing technolo ogical dev velopments and a concepttual shifts) has h been deccreasing. As Figure 4-2 sshows, durin ng the major parad 195 50s and 196 60s several years y passed d between m digm shifts. In more recent dec cades, the in nterval betwe een those sh hifts has decrreased to the point whe ere changes ttoday follow each other rapidly.

© Innovative Prrotection Soluttions, LLC, 2006. Used by p ermission. Figure 4-2 m Shift Frequeency Model Paradigm

The ese paradigm m shifts inc clude chang ges in surveeillance tech hnology, inttegrated seccurity systtems, the scope of securrity professio onals’ dutiess, legal and lliability issue es, the regullatory env vironment, the t use of computers in n the securitty function, public/privvate partnersships, anttiterrorism, convergence c e, and globall business reelationships.. Security prrofessionals must be prepared p forr rapid chang ge in the worrkplace. Ano other chang ge is that asssets protecttion is increeasingly bassed on the principle off risk management, a term ratherr recently ap pplied to seccurity managgement and assets prote ection ebster Unive ersity, 2006)). The ASIS Internation al 2006 Gen neral Risk Security Guid deline (We deffines “risk” as the possibiility of loss re esulting from m a threat, seecurity incident, or eventt. The con ncept is a perrfect fit for asssets protecttion, the prim mary objectivve of which iis to manage e risks by balancing b th he costs and benefits b of prrotection meeasures.

Protection of o Assets  Coppyright © 2012 by ASIS International

69

INTRODUCTION TO ASSETS PROTECTION 4.2 Current Practice of Assets Protection

4.2

CURRENT PRACTICE OF ASSETS PROTECTION This section discusses two important issues in assets protection: the field’s underlying principles and the practice of assets protection in various industry sectors.

4.2.1

UNDERLYING PRINCIPLES One framework for viewing the underlying principles of assets protection states that three concepts form a foundation for any assets protection strategy. Those concepts are known as the five avenues to address risk, balancing security and legal considerations, and the five Ds.

Five Avenues to Address Risk This concept contends that there are five distinct avenues for addressing identified risks to assets: risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance. Carefully considering these avenues is an effective way for assets protection professionals and management to think creatively in designing ways to protect assets.

Balancing Security and Legal Considerations Organizations need to find the right balance between a security approach and a “legal” approach. Some enterprises rely entirely on legal measures, such as patents, copyrights, trademarks, and service marks, to protect their critical information. They mistakenly believe that with these legal protections in place, they do not need stringent security programs. Alternatively, some executives believe a strong security program eliminates the need for legal measures. Of course, both types of measures are needed. The legal approach must also consider when and how incidents will be litigated, what preliminary measures must be in place for successful litigation, and how litigation costs will be managed.

The Five Ds This security approach complements the “legal” approaches discussed above. In this concept, the first objective in protecting assets is to deter any type of attack. The second objective is to deny the adversary access to the asset, typically through traditional security measures. The third objective, if the first two fail, is to detect the attack or situation, often using surveillance and intrusion detection systems, human observation, or a management system that identifies shortages or inconsistencies. Once an attack or attempt is in progress, the fourth objective is to delay the perpetrator through the use of physical security and target hardening

70

Protection of Assets  Copyright © 2012 by ASIS International

INTTRODUCTION TO O ASSETS PROTEECTION 4.2 Current Practiice of Assets Prootection

methods, or use e of force. Finally, in toda ay’s terrorist environmen nt with more violent crim minals, it may m become necessary n to destroy the aggressor a if th he situation w warrants it. In short, s assets protection should s invollve a compreehensive straategy, not ju ust piecemea al elements (officers,, closed-circu uit television n, access con ntrol systemss, etc.).

4.2.2

ASS SETS PROTEC CTION IN VA ARIOUS SETTIINGS Ma any security principles p an nd procedure es are comm mon across sectors, geog graphic areass, and variious sizes and a types off organizatio ons. Howeveer, each parrticular indu ustry has its own cultture, environ nment, and issues that in nfluence asseets protection n

Heaalth Care Secctor Hosspitals are op pen to the public p 24/7 and a tend to h have an opeen env vironment. Patients are vu ulnerable, an nd hospitals ccan be a high hstre ess environm ment for all co oncerned: patients, visitorrs, and staff. Hosspitals also have to be concerned about a inform mation assetts, esp pecially patie ent privacy,, the protec ction of wh hich is ofteen gov verned by reg gulation, suc ch as, in the United Statees, the Healtth Insu urance Porta ability and Ac ccountability y Act (HIPAA A) and criteriaa set by the JJoint Commiission on Accreditatio on of Healtthcare Organ nizations (JC CAHO). In addition, m many health care insttitutions, esp pecially at universities, u engage e in m medical reseaarch, an actiivity that callls for pro otection of sensitive s info ormation, in ntellectual p property, faccilities, and materials. A Assets pro otection stafff may also ne eed to focus on o maintain ning the hosp pital’s reputa ation, anothe er key asse et. The e most serio ous threats in n health carre involve wo orkplace and d domestic violence, threats, harrassment, intternal theft, vandalism, extremist acctivity, fraud, threats to h high-risk or highpro ofile patients, and violenc ce in emerge ency departm ments. Hea alth care se ecurity profe essionals can n gain man nagement su upport throu ugh these m means (Ste ewart, 2006):: demonstra ating a knowlledge of hosp pital managem ment issues and respectin ng the busine ess aspects of the t enterprise e maintaining a dialogue wiith managemeent to ensure tthey understa and the hospita al’s risks and vu ulnerabilities, as well as the assets protecttion program itself

Wh hether securiity officers in n health care e settings sh hould be arm med is the su ubject of ong going deb bate.

Protection of o Assets  Coppyright © 2012 by ASIS International

71

INTRODUCTION TO ASSETS PROTECTION 4.2 Current Practice of Assets Protection

Educational Sector Educational institutions range from preschools to universities and include both public and private institutions. Schools at all levels have historically been viewed as somewhat insulated from the ills of society, but in recent years more attention has been paid to school security. At the lower academic levels, security responsibility may fall under the school board, county or city, or local police department. Most colleges and universities maintain their own security function, which may or may not be connected to the campus police department. Educational institutions face a wide range of threats, such as assaults against students and staff, facility damage, vandalism, theft of goods (computers, equipment, supplies, etc.), theft of private information, attacks against IT, white-collar crime, liability, and natural disasters. Universities also face the theft of research information. At most schools, much of a security director’s time is spent on crisis management. Evacuation planning, preparations for shelter-in-place situations, liaison with first responders, awareness, training, and exercises are all critical in that environment. In addition, schools may be called on to serve as community shelters or medical triage centers during disasters. Figure 4-3 lists some of the common security issues at each educational level. Universities include more than classrooms—they may also feature dormitories, restaurants, stores, libraries, entertainment venues (clubs, theaters, bowling alleys, fitness centers, game rooms, etc.), sporting facilities, worship centers, conference centers, and hospitals. Further security issues are raised by the fact that some students may be living away from home for the first time and may not behave as well as they should or show the right level of safety and security consciousness. Universities also host many students from other countries, who may violate bans on certain exports or may overstay their visas. High crime rates, high-profile incidents, and a questionable campus safety record can harm a university’s image and lead to a loss of students, revenue, grant money, and research projects. Security directors in the educational environment must take a comprehensive risk management approach to their assets protection program. In their security planning, they should consider many factors, such as the size and demographics of the school, the characteristics of the surrounding area, the mission and culture of the institution, the types and values of assets, the school’s image, its management style, and any identifiable threats.

72

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.2 Current Practice of Assets Protection

Level

Considerations

Preschool

Health and safety Teacher/staff backgrounds Constant student oversight Potential for parental/stranger abduction

Elementary (K through 8)

Student oversight Teacher/staff backgrounds Inappropriate discipline Early gang and drug abuse prevention Exposure to inappropriate issues Student interrelationships

Secondary and High School

Student independence/student interrelationships Teacher/staff backgrounds Teacher/staff relationships with students Gang and drug/alcohol abuse prevention Exposure to inappropriate issues Weapons and contraband exclusion Facility access control Protection of equipment, chemicals, other resources

College and University

Students as an asset and a threat Lifestyle (student independence, drugs, alcohol, etc.) Residential setting Multiple facilities (retail, food service, entertainment) Overall crime environment Potential for hate crimes and activist groups Sports and entertainment venues Laboratory/research facilities and information

© Innovative Protection Solutions, LLC, 2006. Used by permission.

Figure 4-3 School Security Considerations

Protection of Assets  Copyright © 2012 by ASIS International

73

INTRODUCTION TO ASSETS PROTECTION 4.2 Current Practice of Assets Protection

Fast Food Sector This sector, also known as the quick-service restaurant (QSR) industry, features many company-owned restaurants and franchise stores around the world. The largest companies often have an in-country or regional assets protection director, who reports to the local business unit head and the corporate assets protection director. The wide geographical dispersion also makes QSRs vulnerable to varying levels of ordinary crime, activism, vandalism, and terrorism. Companies in this industry work hard to protect the value of their brand. The industry emphasizes cost control, margins, and profit and loss management. Thus, assets protection professionals must focus on theft prevention, anti-fraud programs, strategic planning, and supply chain/vendor/distribution integrity. The QSR industry employs a range of security technology, including closed-circuit television (CCTV) tied to point-of-sale systems (e.g., cash registers). Assets protection teams in the industry also investigate suspected false claims of employee or customer injuries. Because of the high employee turnover rate and the geographic dispersion of stores, security training is both essential and difficult. Modern IT can enhance the company’s ability to conduct safety and security training—for example, by facilitating distance learning. One focus of employee training is simply teaching whom to call and how to report suspicious activity. Most companies maintain toll-free hot lines. In addition, employee awareness can be bolstered using security posters, changed regularly.

Telecommunications Sector Assets protection in the telecommunications sector has changed in the wake of industry deregulation; the boom in wireless, Internet, fiber optic, and other telecommunications technologies; and, in the United States, the designation of the telecommunications system as a national critical infrastructure. Assets protection in the telecom sector now encompasses four major areas: x

Information security: protecting competitive and proprietary information; protecting information about the telecommunication infrastructure; and protecting voice and data signals

x

Network and computer security: protecting networks from hacking and other forms of cyber attacks; protecting computers and other equipment from viruses

x

Fraud prevention: protecting the company from toll fraud, calling card misuse, and other frauds

x

Physical security: protecting the people, places, and things that make telecommunications networks function

Assets protection in telecommunications is greatly affected by government regulation. Some jurisdictions mandate specific security practices, limiting the ability of assets protection

74

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.2 Current Practice of Assets Protection

managers to tailor programs to their particular environment. Another security challenge arises from the wide exposure of the industry’s product (electronic signals), which are susceptible to both physical and electronic threats. Finally, telecom companies’ fiber and cables are often routed through or under property owned by others. Therefore, assets protection strategies must consider property rights and access issues.

Aerospace Sector The aerospace sector, which includes civil aircraft, military aircraft, missiles, space systems, and aerospace services, is characterized by fierce, global competition; large, complex contracts; international joint ventures; and a huge network of vendors, all of which factors significantly complicate assets protection strategies. In addition to traditional corporate safeguards, firms in this sector should consider the following: NASA Photo

x

protection of sensitive, proprietary, and exportcontrolled technical information

x

handling of government classified information

x

regulatory and reporting compliance at the local, national, and international levels

x

integration of safety and security programs

x

domestic and international travel security

x

test and evaluation program security

The larger aerospace firms maintain large security departments staffed with various security specialties. By contrast, small aerospace vendors often have no security resources. Therefore, it is best to discuss security support at the outset of a new project and agree who will be responsible for various aspects of assets protection and what resources each player will contribute. Assets protection in the aerospace industry is also affected by the climate of risk taking; the extent of high-value information that must be protected; and the industry’s high profile, which attracts adversaries in the form of competitors, activist groups, and white-collar criminals. These industry snapshots illustrate the wide variety of issues, concerns, and environmental factors that affect assets protection programs. They highlight the meshing of security concerns with business and management issues in planning for a safe and secure setting in which to conduct the enterprise’s mission.

Protection of Assets  Copyright © 2012 by ASIS International

75

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

4.3

FORCES SHAPING ASSETS PROTECTION This section examines five forces that are shaping the practice of assets protection: x

technology and touch

x

globalization in business

x

standards and regulation

x

convergence of security solutions

x

homeland security and the international security environment

Some of these forces are at least partially within an assets protection manager’s ability to influence, while others are not. In either case, security professionals should study and leverage these forces as they formulate tomorrow’s protective strategies.

4.3.1

TECHNOLOGY AND TOUCH Assets protection has always required a balance between human and technological solutions. Sometimes the balance swings too far toward technology. The following statements are described as symptoms of “high-tech intoxication” (Naisbitt, 1999): x

We look for the quick fix.

x

We fear and worship technology.

x

We blur the distinction between real and fake.

x

We accept violence as normal.

x

We love technology as a toy.

x

We live our lives distanced and distracted.

We Look for the Quick Fix Security solutions are often implemented haphazardly. Decision makers may buy surveillance cameras or install card readers without an independent assessment or clear understanding of the real needs. That approach addresses only the symptoms, not the cause. Through advance planning and meaningful dialogue, the security professional can guide the corporate decision makers on the best long term security solution for the company. Security professionals should take the time to ask questions and determine what the actual problem is and then create a comprehensive assets protection strategy, not a short-sighted quick fix.

76

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

We Both Fear and Worship Technology at the Same Time Assets protection professionals cannot afford to be technophobes. Security systems and procedures increasingly demand an understanding of technology, and technology is becoming a major element in most business processes. On the other hand, some people see technology as the solution to everything. Most common functions today consist of several layers of technology. If something does not work, the tendency is to add another layer of technology (Naisbitt, 2006). Careful examination of the problem might show that a solution blending technology and other solutions (training, policies, or personnel) is best.

We Blur the Distinction Between Real and Fake The quality and quantity of electronic images (on television and in video games) tends to desensitize people to real situations. Frequently seeing people attacked or killed may make those events seem commonplace. The ramifications for security include a potential dampening of reaction by security officers and others. For example, console operators might react less quickly to events shown on their monitors because they see such things all the time in games or on television. The delay may be aggravated by information overload as security staff are expected to monitor more and more images.

We Accept Violence as Normal When violence is considered normal, employees may not bother to report incidents or suspicions to corporate security officials. Failure to report such matters promptly can make it more difficult to stop such situations as workplace violence, terrorism, sexual harassment, and hate crimes. The perception of violence as normal can also affect the reaction of security officials. If they become desensitized to crime and violence, they may take incidents less seriously or react more slowly than they should.

We Love Technology as a Toy Viewing technology as a toy can lead to a neglect of sound, risk-based assets protection strategies. For example, one company installed biometric access controls on the entrance to each of its office suites, even though there was no obvious need for high security. When asked why the equipment was installed, a manager replied, “We thought it was cool.” High technology plays an important role in assets protection, but it exacts ongoing costs, such as training and maintenance. In many situations it makes sense to step back and take a “back to basics” approach. For example, “Given a specific security challenge, imagine how you would develop a solution if you had no access to technology at all. You can then think outside the box and interject some traditional creativity into the problem-solving process” (Naisbitt, 2006).

Protection of Assets  Copyright © 2012 by ASIS International

77

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

We Live Our Lives Distanced and Distracted Being surrounded by technology changes our relationship to other people. Assets protection professionals must never lose sight of the people factor in identifying and protecting critical assets (Naisbitt, 2006): Any security issue involves human psychology—and always will. The issues of safety and security are simply fundamental to every human being. When planning for security, the professionals should always consider the culture of the organization. … Does the corporate culture foster a sense of community? Do employees respect and care for one another? Does the nature of their work allow them to develop relationships, or do they work in a vacuum? How much human interaction is there?

In addition to the six preceding symptoms of high-tech intoxication, two other issues are worth considering: x

whether the prevalence of security technology leads employees to shirk their responsibility for protecting the organization’s assets because they think technology will take care of those assets

x

whether a high-tech environment depersonalizes the workplace and leads employees to feel it is acceptable to commit pilferage, industrial espionage, fraud, embezzlement, and other workplace crimes

The bottom line is that human factors must always be considered in the development of security strategies. For example, the security approach called crime prevention through environmental design (CPTED) uses psychology, architecture, and other measures to encourage desirable behavior and discourage undesirable behavior. Some critics claim that CPTED does not show a conclusive link between the design concept and a reduction in crime. However, where CPTED has been used, the recording agencies claim that there are fewer reported incidents when compared to similar structures or developments within their jurisdiction.

4.3.2

GLOBALIZATION IN BUSINESS Globalization brings a wider range of goods, services, vendors, suppliers, capital, partners, and customers within a company’s reach. It also brings threats closer and may increase vulnerabilities. Risks related to business transactions, information assets, product integrity, corporate ethics, and liability, as well as far-flung people and facilities, expand and evolve with increasing globalization. As the director of the U.S. Defense Intelligence Agency notes (Wilson, 2002): Values and concepts [such as] political and economic openness, democracy and individual rights, market economics, international trade, scientific rationalism, and the rule of law … are being carried forward on the tide of globalization—money, people, information, tech-

78

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

nology, ideas, goods and services moving around the globe at higher speeds and with fewer restrictions. Our adversaries increasingly understand this link. … They are adept at using globalization against us—exploiting the freer flow of money, people, and technology … attacking the vulnerabilities presented by political and economic openness … and using globalization’s “downsides.”

Globalization makes it necessary for assets protection managers to consider a wider variety of customs, cultures, laws, business practices, economic factors, language issues, workforce characteristics, and travel requirements. A more radical vision of the impact on organizational structures is described in William Davidow and Michael Malone’s The Virtual Corporation. They argue that the centerpiece of the new economy is a new kind of product: the virtual product where major business functions are outsourced with hardly any internal departmentalization. This will give the corporate security manager even more challenges in the protection of proprietary information, product security, supply chain security, and business continuity. As in all cases the dissemination of sensitive or proprietary information should be on a need-toknow basis. Security professionals should not erect barriers to international business but instead should help their organizations overcome those challenges and comply with the many regulations and standards that apply around the world (Heffernan, 2006).

4.3.3

STANDARDS AND REGULATION Security standards are becoming increasingly important, and their development is the subject of much interest. The establishment of standards and guidelines has been described as the centerpiece of a comprehensive assets protection program, especially in today’s global society (Dalton, 2003, p. 185). This section discusses standard-setting bodies; statutory, voluntary, and mixed standards; the use of certification and licensing as a form of standards; and the impact of regulation.

Voluntary Standards Standards from the well-known International Organization for Standardization (ISO) and the American National Standards Institutes (ANSI) are voluntary but widely adopted. Some have been integrated into various countries’ regulatory frameworks. ISO standards that are relevant to assets protection involve such issues as safety and security lighting, identification cards, radio frequency identification), protection of children, and IT and information security. In the United States, voluntary standards are also set by the National Fire Protection Association (NFPA). Many NFPA standards are incorporated into regulations, such as building codes.

Protection of Assets  Copyright © 2012 by ASIS International

79

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

Several standards from Underwriters Laboratories (UL) relate to security equipment, such as locks, alarms, and access control systems. Other standards are set by trade and professional associations, such as the Illuminating Engineering Society (lighting standards and practices) and the Electronic Industries Association (electronic components and products).

Statutory or Regulatory Standards Unlike voluntary standards, statutory or regulatory standards are binding under the law and can be enforced by formal authorities. In the United States, binding security standards are promulgated in various sources: x

Code of Federal Regulations

x

National Industrial Security Program Operating Manual

x

Executive Orders, Presidential Directives, and Homeland Security Policy Directives

x

regulations of the Occupational Safety and Health Administration, Nuclear Regulatory Commission, Federal Energy Regulatory Commission, and Federal Trade Commission

An international source of binding standards is the International Maritime Organization.

Mixed Standards The distinction between statutory and voluntary standards becomes blurred when voluntary standards are incorporated into laws or regulations. For example, many of the requirements in Occupational Safety and Health Administration directives are verbatim references to standards from such organizations as the NFPA. In other situations, a standard may remain technically voluntary but practically obligatory. For example, security standards from UL or Factory Mutual may be used as criteria by insurers. In other words, they may determine the availability and cost of casualty insurance based on the use of UL-approved materials or UL-standardized practices. Contracts, too, may incorporate standards as requirements. Figure 4-4 lists some of the more prominent standard-setting bodies.

80

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

INTERNATIONAL ASTM International

www.astm.org

International Electro-technical Commission

www.iec.ch

International Maritime Organization

www.imo.org

International Organization for Standardization

www.iso.org

UNITED STATES American National Standards Institute

www.ansi.org

Department of Transportation

www.dot.gov

Federal Energy Regulatory Commission

www.ferc.gov

Federal Trade Commission

www.ftc.gov

National Fire Protection Association

www.nfpa.org

National Institute for Standards and Technology

www.nist.gov

National Labor Relations Board

www.nlrb.gov

Nuclear Regulatory Commission

www.nrc.gov

Occupational Safety and Health Administration

www.osha.gov/comp-links.html

Underwriters Laboratories

www.ul.com/info/standard.htm

Figure 4-4 Selected Standard-Setting Bodies

Protection of Assets  Copyright © 2012 by ASIS International

81

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

Professional Certifications and Licensing Standards may also be implemented via professional certification and licensing. In the security arena, ASIS International certifications are perhaps the best-known. The Certified Protection Professional designation, established in the 1970s, recognizes a broad skill set in security management. More recent ASIS certifications include the Physical Security Professional and Professional Certified Investigator designations. The International Foundation for Protection Officers offers several certifications for security officers and supervisors: the Certified Protection Officer, Certified in Security Supervision and Management, and Certified Protection Officer Instructor designations. Several IT security certifications are also available, such as the Certified Information Systems Security Professional (through the International Information Systems Security Certification Consortium) and the Certified Information Security Manager (though the Information Systems Audit and Control Association). Specialized security certifications within particular industries are also becoming common in such sectors as health care, hospitality and lodging, and finance. Finally, certification in crime prevention is available through many state agencies and also through the International CPTED Association. Some jurisdictions require licensing of various types of security practitioners. Most licenses require training, background screening, qualification, and registration. In the United States, licensing is generally the purview of states or localities, but national licensing is under consideration.

ASIS International

www.asisonline.org/certification/index.xml

Information Systems Audit and Control Association

www.isaca.org

International CPTED Association

www.cpted.net/certification.html

International Foundation for Protection Officers

www.ifpo.org

International Information Systems Security Certification Consortium

www.isc2.org

Figure 4-5 Selected Security Certification Web Sites

82

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.3 Forces Shaping Assets Protection

4.3.4

CONVERGENCE OF SECURITY SOLUTIONS In assets protection, convergence generally means the integration of traditional and IT security functions. A broader definition might consider convergence to be the merging of disciplines, techniques, and tools from various fields for the purpose of protecting critical assets. It is widely accepted that “companies’ assets are now increasingly information-based and intangible, and even most physical assets rely heavily on information” (ASIS International, 2005). An approach using only physical or IT security measures is insufficient. Assets protection managers must also employ traditional information security, personnel security, technical security, and public relations and other external communications to protect intangible assets. A true convergence approach would also employ security architecture and design, crime prevention through environmental design, investigations, policies and procedures, and awareness training.

4.3.5

HOMELAND SECURITY AND THE INTERNATIONAL SECURITY ENVIRONMENT The terrorist attacks of September 11, 2001, made it “crystal clear that the risks and threats of global terrorism … were no longer vague or unlikely, but rather a genuine reality” (Sennewald, 2003, p. 19). Sennewald contends that 9/11 elevated the corporate security professional to a higher plateau of respect and recognition within the enterprise. From an assets protection perspective, reactions to the attack have been a mixed development. On the positive side, 9/11 raised awareness of security among decision makers and increased the respect paid to the security profession. It also made resources available for security enhancements and led to increased interaction among security officials, first responders, emergency planners, and the communities they serve. On the negative side, 9/11 caused knee-jerk reactions that resulted in wasteful spending, unnecessary security measures, misdirection of needed funds, and the surfacing of dishonest or unqualified vendors. Assets protection professionals should study those reactions and apply what they learn to comprehensive assets protection strategies. That way, they can leverage the awareness and resources available to improve their organizations’ security posture. Still, there is a danger of overemphasizing the threat of terrorism and the practice of homeland security. Assets protection professionals must address the broader security issues relevant to their particular environment.

Protection of Assets  Copyright © 2012 by ASIS International

83

INTRODUCT TION TO ASSETS S PROTECTION 4.4 Manageement of Assets Protection

4.4

MA ANAGEM MENT OF ASSETS S PROTE CTION In addition a to technical t exp pertise, assetts protection n professionaals need a so olid groundiing in org ganizational managemen nt. Success in the fielld—which m may mean saving livess and pro otecting valuable assets— —depends on n the proper balance of tthree manag gerial dimenssions: tech hnical expertise, manage ement ability y, and the ab bility to deal w with people.

©2005 Innovaative Protectioon Solutions LLLC

Figure 4-6 Three Managerial M Dim mensions

84

Proteection of Assets  Copyright © 22012 by ASIS Interrnational

INTRODUCTION TO ASSETS PROTECTION 4.4 Management of Assets Protection

4.4.1

CONCEPTS IN ORGANIZATIONAL MANAGEMENT The job of managing involves five basic functions: planning

x

organizing

x

directing

x

coordinating

x

controlling

In addition, management should be guided by two principles, called “who is the customer?” and “quality.” These principles should become part of the organization’s culture.

Who Is the Customer? Peter Drucker, an authority on management, suggests that “who is the customer?” is the first and most crucial question in defining business purpose and mission (1974). The assets protection manager must understand the purpose and mission of assets protection at the enterprise before adopting an organizational structure. Most organizations actually serve multiple customers. It is important to identify all of them and to understand their interrelationships. Then the assets protection manager can sell the program not just to executives but to all the customers of assets protection services. Figure 47 lists some of those customers. For a chief security officer or security director, customers might include:

For a security product or service provider, customers might include:

For an independent consultant, customers might include:

Corporate executives

Clients

Clients

Corporate staff/managers

Clients’ clients

Clients’ clients

Corporate employees

Potential clients

Potential clients

Company clients

Parent company or headquarters

Partners and associates

Partners and affiliates

Vendors and suppliers

Vendors and suppliers

Contractors

Partners and consultants

Own employees

Security team members

Original equipment

Investors

Vendors and suppliers

manufacturers

Self

Other divisions of company

Own employees

Other facility users

Other divisions of company

Stockholders

Executive management Stockholders Figure 4-7 Assets Protection Customers

Protection of Assets  Copyright © 2012 by ASIS International

85

INTRODUCTION TO ASSETS PROTECTION 4.4 Management of Assets Protection

Taking a more comprehensive view of who the customers are and how best to meet their needs can result in greater security team effectiveness. The large view also demonstrates the assets protection manager’s commitment to the business mission as a whole, not just to the security mission. That commitment often leads to greater respect for the assets protection function and ultimately greater influence throughout the enterprise.

Quality Some managers may think that quality is something in a plan on the shelf, something that is done once, or something that belongs to the quality assurance experts. That view is wrong. Quality “belongs to everyone, all the time” (Dalton, 2003, p.240). As one quality consultant notes (Duffy, 2006): One of the major definitions of quality is “conformance to customer requirements.” Providing effective professional services or implementing a meaningful assets protection program for the customer within appropriate resource constraints means delivering the required level of quality. The security industry is one that must support multiple customers with a wide variety of requirements.

Although a quality program may begin with tools, measures (metrics), and special processes, the culture of quality should ideally become a part of the organization and be integrated into all business practices. A culture of quality can be developed in any type of security organization. For example, security service providers are increasingly formalizing and standardizing their quality programs.

4.4.2

MANAGEMENT APPLICATIONS IN ASSETS PROTECTION Planning, management, and evaluation are important tools in crime prevention programs (Fennelly, 2004, p. 418). A strategic approach to managing assets protection programs likewise involves all three tools. They apply as follows:

86

x

Planning includes developing strategic goals and objectives, aligning assets protection objectives with the organizational vision, organizing the assets protection function in the way that best meets objectives, and determining how the mission will be accomplished.

x

Management involves conducting the day-to-day operations of the department, communicating with others, and controlling specific tasks as well as the overall functioning of the office.

x

Evaluation involves stepping back from day-to-day activities to objectively assess how well objectives are being met and what factors are contributing to the success or lack thereof. Reporting, documenting, and using information to make adjustments and improvements are all important parts of evaluation.

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.4 Management of Assets Protection

These tools are as applicable in the security services or products arena as they are in the corporate or organizational setting. In a quality assurance/quality control (QA/QC) program in a firm that provides security officers, the tools could work as follows: x

Planning may entail developing the company’s QA/QC program, obtaining executive buy-in, preparing documentation, training supervisors, and establishing procedures.

x

Management might involve implementing the program, conducting inspections, reviewing audit reports, handling complaints and compliments, disciplining and rewarding officers and supervisors, briefing upper management, and interacting with the client on matters pertaining to QA/QC.

x

Evaluation could consist of periodically determining whether the QA/QC program is serving company objectives and meeting client expectations, identifying systemic problems, and recommending process improvements.

In a corporate setting, a security department could use the tools as follows: x

Planning may entail setting strategic objectives consistent with the enterprise’s mission and vision statements, organizing the security function within the enterprise, determining resource requirements, establishing liaison relationships, developing policies and procedures, and identifying staffing needs.

x

Management would involve day-to-day operation of the department, personnel management, logistics, vendor management, security systems operations, coordinating with others internally and externally, and briefing senior executives.

x

Evaluation would consist of periodically comparing performance metrics to the department’s goals and objectives, identifying shortfalls, assessing any changes in the assets protection environment, and recommending process improvements.

None of these functions should be neglected at the expense of the others. They should be repeated in an ongoing cycle that results in up-to-date and appropriate assets protection protocols, procedures, and practices.

4.4.3

SECURITY ORGANIZATION WITHIN THE ENTERPRISE Although each organization is unique, some basic principles apply widely to organizational structure and management. This discussion of the security organization within an enterprise is influenced by well-respected, much recommended security textbooks by Sennewald (2003), Dalton (2003), McCrie (2001), and Fischer & Green (2004). The “span of control” principle suggests that a single person can supervise only a limited number of staff members effectively. The specific number depends on such factors as the nature of the work and type of organization, but as a general rule one manager can

Protection of Assets  Copyright © 2012 by ASIS International

87

INTRODUCTION TO ASSETS PROTECTION 4.4 Management of Assets Protection

effectively supervise up to 10 people. This principle may be in jeopardy. Some observers believe that the introduction of IT infrastructures, use of current telecommunications technology, and flattening of organizational pyramids may enable a person to supervise as many as 100 people. In settings that emphasize self-directed, cross-functional teams and very flat structures, span of control is less relevant. However, traditional, hierarchical organizational structures, where span of control is important, are still common. Unity of command dictates that an individual report to only one supervisor. It is based on the concept that a person cannot effectively serve the interests two or more masters (that is, managers). It is the supervisor’s responsibility to ensure the best performance from the unit he or she manages. Some company structures make unity of command less important, but in most settings employees still need a clear understanding of which policies they need to adhere to (primarily) and who will provide day-to-day direction, quality control, and conflict resolution. Placement of the security department within an organizational structure can greatly affect the assets protection manager’s ability to exert influence, remain informed, and garner resources to support his or her programs and strategies. Assets protection managers, by the nature of their expertise, must have functional authority within the organization and be identified as part of the corporate management team. The rule of thumb is that the senior security or assets protection professional should be placed as high as possible in the structure of an enterprise and report directly to senior or executive management. A common discussion today is whether security should be placed under the chief information officer), IT security should be placed under a chief security officer, or some other arrangement should be made. If the enterprise includes a chief risk officer, assets protection may be placed in his or her division. The following are some other important themes in organizational management: x

Lines of authority, responsibility, and communications should be as clear and direct as possible.

x

Individual and organizational responsibility should come with an appropriate level of authority.

x

Organizational alignments and structures should consider the interrelationships among functions, roles, and responsibilities (with an eye on the overall mission).

x

Communications channels should be structured to allow effective mission accomplishment and interaction.

More information on the chief security officer’s role in organizational management can be found in the Chief Security Officer Guideline, published by ASIS International (2004). It discusses roles and responsibilities, success factors, key competencies, organizational issues, and strategy development.

88

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.5 Behavioral Issues in Assets Protection

4.5

BEHAVIORAL ISSUES IN ASSETS PROTECTION Behavioral science, the study of people and their relationships to each other, is important in assets protection for three key reasons:

4.5.1

x

Many security risks are the result of human threats, and behavioral science can yield insights into human threat sources.

x

Security management requires effective interaction with other people, including collaboration, education, influence, supervision, and the most important, excellent communication skills.

x

An effective security manager must also have trust in his or her staff members and have the ability to delegate to them not only the responsibility but also the authority to act within their functional area.

BEHAVIORAL SCIENCE THEORIES IN MANAGEMENT The following theories in behavioral science are widely accepted as relevant and useful in many management applications.

Maslow’s Hierarchy of Needs Abraham Maslow’s theory, commonly known as the hierarchy of needs, asserts that people’s behavior is driven by basic needs at different levels. It is often depicted as a pyramid, as Figure 4-8 shows.

Selfactualization Esteem Affiliation Security Physiological

Figure 4-8 Maslow’s Hierarchy of Needs

Protection of Assets  Copyright © 2012 by ASIS International

89

INTRODUCTION TO ASSETS PROTECTION 4.5 Behavioral Issues in Assets Protection

The levels of the hierarchy are: x

self-actualization need: self-fulfillment, realizing one’s full potential

x

esteem or recognition needs: respect from others and self

x

affiliation or love needs: affectionate social and family relationships

x

security or safety needs: protection from perceived harm

x

physiological or survival needs: food, drink, shelter

Basic or lower-level needs must be met before a person is motivated by the next higher level of needs. Maslow’s theory is still widely recommended to analyze individual employee motivation strategies and establish tailored rewards, such as pay, recognition, advancement, and time off (Buhler, 2003).

McGregor’s Theory X and Theory Y Douglas McGregor holds that two worker models can be contrasted. Theory X contends that workers are inherently lazy and tend to avoid work. They lack creative ambition, must be goaded, require constant supervision, and are motivated by fear. Theory Y states that workers are naturally motivated and want to work hard and do a good job. It assumes that workers are thoughtful, eager to perform well, and willing to be guided and taught. McGregor stresses that programs based on Theory Y are more successful than those based on Theory X.

Herzberg’s Motivation-Hygiene Theory Frederick Herzberg’s motivation-hygiene theory is based on the premise that the opposite of satisfaction is not dissatisfaction but simply no satisfaction. The theory maintains that two sets of factors determine a worker’s motivation, attitude, and success (Buhler, 2003). The first set is job content (motivators), such as achievement, recognition, responsibility, and satisfaction derived from the work itself. The second set is job context (hygienes), such as the surroundings, physical work conditions, salary, coworkers, and other factors that are external to the work itself. Hygiene factors (such as a fresh coat of paint on the wall) will be able to move an individual from a state of dissatisfaction to no satisfaction, but only motivation factors can move that person from no satisfaction to satisfaction. The lesson is that managers should avoid quick fixes. Manipulating hygiene factors may alleviate dissatisfaction but will not result in a state of satisfaction. Allowing an individual to reach a state of satisfaction requires changes in the work content itself, such as increased autonomy or responsibility (Buhler, 2003).

90

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION 4.5 Behavioral Issues in Assets Protection

4.5.2

APPLICATIONS OF BEHAVIORAL STUDIES IN ASSETS PROTECTION An assets protection program will not succeed unless it cultivates the willing cooperation of those affected by it and meshes its goals with the personal goals of the workforce. Following are some examples of how lessons from behavioral science might be employed in assets protection.

Crime Prevention and Reaction Behavioral science has long been involved in criminology with the goal of developing better crime prevention strategies. Through mutual cooperation, private security can play a major role in the prevention of crime while law enforcement focuses on crime control. Continuing study is needed, as is better communication between behavioral scientists, criminologists, and security and law enforcement practitioners. Many questions in criminology remain unanswered in this area, but we are seeing a major move by law enforcement to have private security more involved in crime prevention.

Incident Management Motivation theories may be useful in developing emergency plans, business continuity plans, and incident response plans. A major factor in any incident is how people will react— those directly involved in the incident, bystanders, indirectly affected persons, security forces, and first responders. Some data can be gathered from exercises and drills through documentation and afteraction reports. Interpreted through human motivation theories, that information may aid in the development of plans and procedures that will help ensure a smooth response to a real incident. Motivation theories should also be considered when developing larger-scale incident management plans. Such theories may help in predicting how people will react when they are ordered to shelter in place at the workplace or school—for example, whether they will accept their separation from their family or instead evacuate immediately, regardless of the directions given.

Security Personnel Management In supervising security officers, heading an executive protection team, staffing a security operations center, serving as a facility security officer, performing architecture and design functions, or administering a global assets protection program, one needs to understand what motivates people and what demotivates them. Motivation theory can contribute to the planning and development of a QA/QC program, a department organizational structure, an advancement plan, assessment or evaluation criteria, awards programs, discipline procedures, communications venues, and even dress codes. Behavioral science plays a role in almost every aspect of personnel management.

Protection of Assets  Copyright © 2012 by ASIS International

91

INTRODUCTION TO ASSETS PROTECTION 4.5 Behavioral Issues in Assets Protection

Employee Training and Awareness Early security training and awareness programs were based on top-down management directives, passive compliance, and an attitude of “we do it this way because the book says we do it this way.” The modern workforce is more sophisticated, highly educated, and independent, and security training and awareness strategies must be designed accordingly. Behavioral theories can guide both content and delivery methods for security training and awareness, which has been recognized as one of the most cost-effective assets protection tools (Webster University, 2006). In addition, security training and awareness efforts should take account of adult learning styles and current instructional design methods. When employees can relate to the information presented and the way it is presented, the training is more effective. Managers need to set direction and establish a professional setting, but through training they need to avoid making operating decisions that should be made by their supervisors and officers. As an example, when a subordinate requests advice about a routine operational problem, the supervisor should avoid giving a specific solution, opting instead to guide the subordinate, through an open exchange of information, toward identifying the solution himself or herself.

Corporate Ethics One of the first questions that comes to mind after a large-scale corporate scandal is “What could have possibly motivated those people to do that?” Behavioral science theories may help answer that question. They can be applied to help prevent, respond to, and recover from major white-collar crime incidents and can also contribute to programs that address smaller-scale, everyday ethical lapses.

Liaison and Leveraging Other Organizations Because assets protection is a multidisciplinary venture, liaison and collaboration with a wide variety of people, organizations, agencies, specialties, and professions is essential. Behavioral theory can help in establishing and maintaining relationships with a network of professional contacts, both inside and outside the assets protection manager’s organization. Collaboration is especially valuable and challenging in a global environment that includes a wide range of cultures, customs, and perspectives (Buhler, 2003): The diversity of today’s workforce has further complicated an already complex phenomenon. The differences among workers are greater than ever before. To be more successful in motivating a diverse workforce requires, then, an understanding of the differences among people and what makes them tick … To become a more effective motivator, then, managers must understand as much as possible about [motivation theory] and then pick and choose what best fits with which individuals. The bigger the bag of motivational tools, the more likely the manager will be able to understand employees’ needs and tailor rewards to better meet them. [This] enables managers to get more done through others.

92

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

APPENDIX A INSURANCE AS A RISK MANAGEMENT TOOL

In many organizations, a current trend is the integration of insurance management into a broader assets protection program. Therefore, this appendix describes the types and uses of insurance, primarily in the corporate setting. Further information is available through resources listed at the end. Most risk management tools are either proactive or reactive, but insurance is a combination of the two. From a proactive stance, it is the best-known form of risk transfer and is actually considered an asset of the organization. It is also reactive in that the insurance benefits are not used until after a loss occurs. Insurance is a formal undertaking between two parties—the insurer and the insured—under which the insurer agrees to indemnify or compensate the insured for specified losses from specified perils. Insurance is “a formal social device for reducing risk by transferring the risks of several individual entities to an insurer. The insurer agrees, for a consideration, to assume, to a 1 specified extent, the losses suffered by the insured.” Insurance is no replacement for security, of course. Compared to insurance, protection techniques like risk reduction and risk spreading are preferable for several reasons: x Loss control is a more satisfactory approach than after-the-fact indemnity. x Loss prevention has become highly effective. x Commercial insurers decline to cover some kinds of risks. x The balanced scheme of protection is more cost-effective. In most cases, it is impossible to be fully compensated for a loss, regardless of how much insurance coverage an enterprise has. Modern management is now more interested in preventing losses than in trying to buy insurance to cover every possible risk. In the insurance world, the portfolio theory involves a comprehensive analysis of business risks and pure risks. A risk model might analyze movements in exchange rates, changes in raw material prices, and downtime caused by a catastrophic event. This model would produce an aggregate loss distribution to estimate the likelihood and effect of several events occurring simultaneously. By treating the risks as parts of a single portfolio, separate insurance policies for each risk can be eliminated. The theory is that by managing risks, little or no outside insurance is required.

1

Glossary of Insurance Terms, University of Calgary, Canada, 1998, http://wcmprodlb.ucalgary.ca/haskayneundergrad/rminlinks/glossary.

Protection of Assets  Copyright © 2012 by ASIS International

93

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

INSURANCE OVERVIEW Insurance is often divided into two general categories: property and liability. Property coverage includes building and equipment damage or loss, as well as items like cash and negotiable instruments of all kinds. Liability coverage encompasses all employee risks and includes workers’ compensation and non-occupational coverage, as well as coverage for losses affecting the general public, such as automobile liability, product liability, landlord liability, contractor liability, and environmental liability. The basis for coverage is the insurance policy, the written contract between the insurer and the insured. Many insurance contracts or policies have been standardized; however, they are not all alike in coverage. For that reason, each policy must be carefully examined to determine the coverage offered. Contracts of insurance are seldom read in detail by the owners until a loss occurs. To determine the protection offered by a policy, the following questions must be asked: x What perils are covered? x What property is covered? x What losses are covered? x What people are covered? x What locations are covered? x What time period is covered? x What hazards are excluded or what conditions suspend coverage?

Defining the Peril 2

Peril has been defined as “the cause of a possible loss.” Typical insurable perils include fire, windstorm, explosion, burglary, negligence, collision, disability, and death. An insurance contract may cover one or more perils. Some policies, called “named perils contracts,” specify the perils that are covered in the contract. Other contracts, called “all risk contracts,” cover all perils except those that are specifically excluded. Perils may also be covered only in part—for example, not all unfriendly fires under a fire policy or not all negligence under a liability policy. A policy may limit coverage by defining which part of the peril is covered or which part is not covered. For example, a fire policy states the hazards not covered. The standard policy form excludes fire losses resulting from action taken by military, naval, or air forces in an actual or immediately impending enemy attack, invasion, insurrection, rebellion, revolution, civil war, or usurped power. It also excludes fire losses resulting from neglect of the insured to use reasonable

2

Glossary of Insurance Terms.

94

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

means to protect his or her property, along with losses caused by order of civil authority (except destruction of property to prevent the spread of a fire that did not originate from an excluded peril). It is important to understand the terms burglary and robbery as they are used in insurance policies. Burglary is generally defined as felonious abstraction of insured property by any 3 individual or individuals gaining entry to the premises by force. There must be visible marks on the exterior of the premises at the place of entry, such as evidence of the use of tools, explosives, electricity, or chemicals. Robbery is usually defined as the felonious and forcible taking of property by violence inflicted upon a custodian or messenger, either by putting the person in fear of violence or by an overt act committed against the custodian or messenger who was cognizant of the act. Sneak thievery, pickpocketing, confidence games, and other forms of swindling are not included in robbery coverage. A burglary contract does not cover robbery. Similarly, a robbery policy does not cover burglary. Neither policy covers losses resulting from the felonious taking of property where there are no visible marks of entry and where there has been no violence or threat of violence. A theft or larceny policy is required to obtain coverage for such losses.

Defining the Property Covered A standard insurance policy does not cover every piece of property owned by the insured, but it usually describes the type of property covered. Also, a contract may specify certain property that is excluded. Some reasons for property exclusions in a policy are as follows: x The specific property excluded may be more easily covered under other forms of insurance. x The moral hazard—a condition of the insured’s personal habits that increases the probability of loss—may be prohibitive. x The property may be subjected to hazards that should be specially rated. x The property might be so uncommon to the average insured that the rate for the standard policy should not include it.

3

In law, burglary is forced entry or exit with intention to commit a crime. The abstraction of property is actually a larceny. But insurance policies combine the forceful entry and the taking or abstraction under the single term burglary.

Protection of Assets  Copyright © 2012 by ASIS International

95

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

Defining the Losses Covered The next step in analyzing coverage is to find out what losses are covered. Generally, losses may be classified as: x direct loss, such as the physical loss of or damage to the object concerned x loss of use, such as the reduction of net income due to loss of use of the damaged or destroyed object x extra-expense losses, such as the costs of defending a liability suit and paying judgment or hospital and medical expenses following a personal accident Most policies cover direct losses only. Some may, in addition, cover a few forms of indirect losses. For example, a standard fire insurance policy usually covers only the actual cash value of the property at the time of the loss. Actual cash value is the cost to replace or restore the property at 4 prices prevailing at the time and place of the loss, less depreciation. It will not offer compensation for additional expenses of rebuilding required by ordinances regulating construction or repair, and it will not cover the loss of use while the property is being replaced. In addition, it will not pay for the loss of income, such as loss of rent, while a building is being rebuilt.

Defining the Period of Coverage Formerly, a loss that occurred during the period the policy was in force would be covered no matter when the occurrence was discovered, even after the policy expired. The term for this is an occurrence loss. Insurance carriers encountered difficulties matching premiums with losses that could still be covered years after occurrence. As a result, a new form of contract was developed. This form, known as the claims-made type, provides coverage only for losses that are reported during the period the policy is in force. If an insured with a claims-made policy leaves one carrier in favor of another, the new carrier will probably not cover losses occurring before its own first contract date, even if the claim is made during the contract period. This tends to lock insureds in with a single carrier. It also raises issues of later endorsements to reduce coverage, the need for an insured to solicit claims against itself in order to pass them to the carrier in a timely way, and the uncertainty of coverage or its cost when seeking to terminate the contract. The solution to this problem is usually called “tail cover”—retrospective coverage for events that occurred during a prior policy period but are raised during the tail period. To change carriers, it is normally necessary to purchase tail cover from the prior carrier.

4

Glossary of Insurance Terms.

96

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

Defining the People Covered Some policies cover only the named insured and representatives while others cover additional individuals. The first page of a standard fire policy states clearly that the contract insures only the named insured or insureds and legal representatives. The insured’s executors or heirs under a will and receivers in bankruptcy would also be covered. Many property policies allow a space for indicating the name of the lender who holds a financial interest in the property, and such lenders are considered additional insureds. An endorsement must be added to afford protection to any others. A frequent technique to extend one party’s coverage to protect another is to have the other individual designated as a named insured in the policy. Named insureds, however, are subject to the same policy conditions as the original insured. In some cases, this may not achieve the security objective of the additional named insured.

Defining the Locations Covered Some policies cover one location, while others include several locations. The standard fire insurance contract covers property only while it is located as described in the policy, with one exception—the contract covers property pro rata for five days at each proper place to which any of the property is necessarily removed for protection against the perils insured against in the policy.

Defining the Time of Coverage Policies vary as to the exact time of day they go into effect. Fire insurance policy coverage usually starts at noon, standard time, on the day the policy is dated and at the place the risk is located. The coverage will ordinarily continue in force until noon, standard time, on the day of expiration. Other policies go into effect and expire at 12:01 a.m., standard time.

Conditions that Suspend Coverage (Exclusions) Insurance policies commonly contain provisions that suspend coverage when a risk increases to such a degree that the insurance company is no longer willing to offer protection. It is possible to eliminate the conditions by adding endorsements, which may result in increased premiums. The limiting provisions may be either “while” clauses or “if” clauses. That is, coverage is suspended while certain conditions exist or if defined situations exist. The fraud and concealment clause found in many contracts is a typical “if” clause. It states that coverage is void if, either before or after a loss, any material fact or circumstance concerning the insurance has been willfully concealed or misrepresented. An example of a “while” clause would be a statement that the insurance company will not be liable for loss while the hazard is increased by any method within the control or knowledge of the insured. Another common example would be the vacancy clause, which suspends coverage while a property stands vacant beyond a specified period.

Protection of Assets  Copyright © 2012 by ASIS International

97

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

In fidelity coverage, it is customary to exclude from coverage any person the insured knows to have committed any fraudulent or dishonest act, in the insured’s service or otherwise. The exclusion usually dates from the time the insured became aware of the fraudulent or dishonest act. The insurance carrier may grant case-by-case exemptions to the exclusion. For example, should a person be hired despite a minor dishonest act revealed in a preemployment investigation, an exemption to the exclusion should be requested.

Endorsements Insurance policies have been standardized by custom, law, or inter-company agreements. Standard policies may be modified by endorsements—sometimes called riders—to increase or decrease the coverage of the standard policy. Standard endorsements are available, but if they are not adequate for the coverage desired, special endorsements may be written and added to the standard policy. When in conflict with the standard policy, the endorsement governs unless it is illegal. Endorsements are added to: x add perils x add property x include more covered individuals x adjust rates x add, increase, reduce, or delete deductibles x add or eliminate exclusions x increase or decrease amounts of coverage x record address changes x correct errors

Crime Coverage Crime insurance is written to protect the insured against loss by burglary, robbery, theft, forgery, embezzlement, and other dishonest acts. Two types of bonds may be used for protection: fidelity and surety. Fidelity coverage is written to protect the employer from the dishonesty of employees. Surety coverage is intended to guarantee the credit or performance of some obligation by an individual. Insurance coverage against crime may be obtained by purchasing a standard crime policy, then adding the necessary endorsements. It is essential to understand the meaning of each criminal term used by the insurance company in order to ensure that adequate protection is obtained. Policies may exclude certain items or may not include certain crimes.

98

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

The comprehensive 3D policy is a combination fidelity crime insurance policy designed to offer the widest possible protection. The standard form contains five insuring agreements. The insured may select as many as needed and specify the amount of coverage on each. The following are the basic coverages offered: Coverage I

an employee dishonesty bond

Coverage II

money and securities coverage inside the premises

Coverage III

money and securities coverage outside the premises

Coverage IV

money order and counterfeit paper currency coverage

Coverage V

depositors’ forgery coverage

Twelve additional endorsements are available: x incoming check forgery x burglary coverage on merchandise x paymaster robbery coverage inside and outside premises x broad-form payroll inside and outside premises x broad-form inside premises only x burglary and theft coverage on merchandise x forgery of warehouse receipts x securities of lessees of safe-deposit box coverage x burglary coverage on office equipment x theft coverage on office equipment x paymaster robbery coverage inside premises x credit card forgery Assets protection managers should consider an endorsement for IT equipment and data if they are not adequately covered in the policy. In determining whether coverage is adequate, the following questions should be asked: x Is all equipment completely covered for any loss? x Does the coverage include the loss of recorded data as well as the cost of new hardware? x Does the coverage include reconstruction of data? x Will the coverage pay for temporary operation at an alternate location? x Does business interruption coverage protect against forced shutdown of equipment?

Protection of Assets  Copyright © 2012 by ASIS International

99

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

Business Interruption Business interruption insurance offers a number of coverage choices. For example, coverage can be written on a named peril or all-risk basis. If a building or machine sustains physical damage, there will usually be at least an interruption of production or sales, resulting in financial loss. Other incidents may not damage the physical facilities but may nevertheless cause a shutdown. For example, a subcontractor might be required to shut down if the plant of the prime contractor is destroyed, or a factory across from a chemical plant might be forced to lose a day’s production because of noxious fumes from the chemical plant. These types of risks can be covered with endorsements known as contingent business interruption loss forms. A business that might not return to normal for some time after reopening following a shutdown could consider another type of coverage: the endorsement extending the period of indemnity. An example of a business requiring such coverage would be a bowling alley. A fire just prior to the opening of a bowling season might cause league business to go elsewhere for the full season. Even if the establishment is able to reopen in two months, it might not recover its normal business until the following year. With standard business interruption insurance, the coverage would stop once the facility was restored to operating condition. With the endorsement extending the period of indemnity, the coverage would be extended for the amount of additional time purchased. Valuation is a factor to consider in planning for business interruption. An actual-loss-sustained method or a valued-loss method may be selected. With actual-loss coverage, the insured must prove the claim according to policy provisions. On the other hand, the valued endorsement usually stipulates the amount payable per day of shutdown and specifies the number of days for which coverage is provided. The amount selected for the daily indemnity must be certified by an accountant as being the approximate amount that will actually be lost. This certification is done before the loss occurs. Another type of business interruption insurance is the business interruption and extra expense endorsement. While the basic business interruption forms include coverage for normal extra expenses, other expenses may be incurred. Such expenses may be incurred to keep a product on the market regardless of cost or, for a bank, to function regardless of expense. When the situation is not a clear-cut case of either loss of earnings or incurring extra expense, a combined endorsement may offer good protection.

Liability Endorsements Liability coverage in recent years has become increasingly important because of cases in which organizations have been held liable for property damage and for injury to victims. Under tort law, injury victims are entitled to collect for losses and mental anguish from anyone they can prove responsible for intentionally or negligently injuring them or damaging their property.

100

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

Liability litigation is widespread, and the number of liability cases continues to rise. Products are challenged as unsafe or badly designed, and such actions frequently result in large damage awards. Professional liability suits against engineers, architects, physicians, and lawyers have multiplied, and the cost of liability insurance for some professionals is enough to cause them to abandon their practice. In the security field, too, liability litigation has exploded, resulting in many large damage awards against security personnel, contract security agencies, and employers or client companies. A commercial general liability policy—the standard policy offering liability coverage—is less comprehensive than generally assumed. As a result, to ensure the necessary coverage, several endorsements should be added, such as those below.

Liability of Officers and Directors A liability endorsement to protect officers and directors against legal actions brought by stockholders and others has become increasingly popular because of the publicity given to such suits. Coverage should be carefully examined to ensure that it is adequate. For example, a policy may specify that protection is offered for individuals “while acting within the scope of their duties.” This provision could lead to questions as to duties of individuals and whether they were acting within the scope of those duties. An endorsement providing for coverage while “acting in behalf” of the enterprise would eliminate such a dispute. Such a change can usually be made without any increase in premium.

Employee Practices Liability Insurance (EPLI) This relatively new type of insurance is a specialized coverage for employers who become the targets of work-related lawsuits. EPLI covers a business for employee-related actions, such as the following: x discrimination

x wrongful discipline

x sexual harassment

x deprivation of career opportunity

x wrongful termination

x wrongful infliction of emotional distress

x breach of employment contract x negligent evaluation x failure to employ or promote

x mismanagement of employee benefit plans

EPLI covers defense costs, judgments, and settlements but may not cover punitive damages, fines, or penalties. Workers’ compensation, bodily injury, and property damage, and any liability covered specifically in another policy are generally not covered. EPLI usually covers the corporate entity, employees, former employees, directors, and officers. Some policies also cover volunteers.

Protection of Assets  Copyright © 2012 by ASIS International

101

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

Product Liability Product liability insurance is sold to manufacturers and dealers of goods. Protection is offered for damage claims arising from the consumption or use of articles manufactured, sold, handled, or distributed by the insured, if the damage occurs after possession of the goods or products has been relinquished to others and if the damage occurs away from the insured’s premises. An exception exists for organizations that serve food on the premises, for which special coverage is necessary. Product liability suits may be based on either the tort theory of negligence or the contract theory of breach of warranty. Since it is easier to prove breach of warranty than negligence, most claims involving products are based on a breach of an express warranty or an implied warranty that the product sold is reasonably fit for the particular purpose for which it was bought. Liability coverage must be examined carefully to ensure that breach of warranty is included. If not, an endorsement should be added for this protection. The recall of products, which is excluded in standard liability coverage, can create an expensive problem. Frequently, manufacturers are required to recall automobiles, television sets, food products, or pharmaceuticals. The manufacturer is normally required to assume responsibility for removing the defective item from the possession of all wholesalers and retailers. Product recall coverage can be obtained by adding an endorsement to the comprehensive liability policy. This coverage is known as product recall or product withdrawal expense. The coverage may be written to cover recall of products only if bodily harm is threatened, or it may cover products that threaten only property damage. The loss of the product itself is not covered.

Insurance Providers Regardless of the type of insurance provider, customers should be able to expect rapid compensation for losses incurred. As in any other business relationship, due diligence must be exercised when selecting an insurance provider. The financial stability and claims settlement record of the provider is critical to timely reimbursement of a loss. Most organizations select an insurance provider and settle into a long-term business relationship without subsequent review of the financial condition of the provider, but ongoing due diligence is necessary. Insurance can be obtained through these means: x dealing directly with an insurance company x dealing with an insurance broker that may represent several companies x buying an insurance company, known as a captive carrier x buying an interest in a mutual insurance organization called a risk retention group The size of the enterprise and its insurance needs typically suggest the type of provider that will be most cost-effective. Small organizations tend to deal directly with the insurance company or use a

102

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Management Tool

broker. Mid-size organizations have the same options but may also join a risk retention group. Large organizations have all four of the options listed above. The four different sources of insurance are discussed below.

Insurance Companies The large number of insurance companies and the wide variety of policies they offer ensures that coverage can be found for virtually any risk. In essence, uninsurable risk is only heretofore uninsured risk. Many organizations merely select an insurance carrier with a good name, accept the coverage that the representative suggests, and pay the policy premiums. Sound management principles demand more. A financially weak carrier tends not to pay claims in a timely manner. If the carrier becomes insolvent, claimants can turn to the state guarantee trust fund for partial recovery. This is a lengthy process, and claimants are limited to a certain dollar amount. In essence, choosing the wrong insurance company can, in itself, be a high risk. The financial stability of the insurance carrier should be reviewed before entering a contractual relationship, and subsequent reviews should be conducted at least annually. The financial stability of insurance carriers is rated by a number of rating services. Each service uses a different formula, and the rating of a specific insurance company may vary among the rating services. Prudent managers consult more than one rating service. A significant difference in the ratings of a company should be a red flag denoting the need for further investigation. Rating services measure the financial condition of the insurance carrier but do not measure the speed of claims payments. Government insurance departments are also valuable sources of information. In the United States, in each state insurance companies are authorized to do business in, they must file annual financial statements with the state insurance department. Other pertinent information includes the number of complaints filed against the company and any disciplinary action taken against the company.

Insurance Brokers Insurance brokers are marketing specialists who represent buyers of property and liability insurance and who deal with either agents or companies in arranging for the coverage required by 5 the customer. Insurance brokers deal with more than one insurance company and can suggest the company best suited to provide a specific type of policy. The expertise and responsiveness of a broker should be verified by contacting other clients. A good broker keeps abreast of the financial stability of the insurance companies with which insurance is placed. The broker who arranges insurance coverage with an insurance company that becomes insolvent may become a defendant in a civil action.

5

Glossary of Insurance Terms.

Protection of Assets  Copyright © 2012 by ASIS International

103

INTRODUCTION TO ASSETS PROTECTION Appendix A: Insurance as a Risk Assessment Tool

Risk Retention Groups Smaller firms and organizations may form risk retention groups (RRGs), which are corporate bodies authorized under the laws of some states as liability insurance companies. Such groups must be owned by entities within the membership of the group that obtain liability insurance from the group. RRGs are generally exempt from the laws of other states. RRGs typically market their liability policies to purchasing groups (PGs), which consist of organizations that have similar liability insurance needs because of the nature of their business. In the security field, PGs have consisted of guard and investigations concerns. The PG can acquire liability insurance for its members from the RRG. Typically, the attraction of such an approach has been the availability of liability coverage and lower premiums. Some RRGs have experienced funding or other difficulties and have either abandoned the field or otherwise caused problems for the PG insureds. Overall, the RRG is a viable alternative to high premiums and the difficulty of obtaining special coverage; however, the particular group and its track record should be studied carefully.

Captive Carriers One of the problems of liability insurance has been the high premium cost when using carriers conventionally licensed within each state where they offer the coverage. One solution is the captive insurer—a separate, wholly or principally owned firm, usually organized offshore, used to write the insurance for the owning company. Sometimes a captive insurer is owned by an association of two or more firms with common insuring interests. When appropriate, a captive insurance carrier can make it easier to insure risks not acceptable to conventional carriers, can help make a more favorable expense ratio, and can open reinsurance resources not otherwise available. However, the captive carrier is generally a technique of larger firms.

INSURANCE RESOURCES Business Insurance magazine and online resources, www.businessinsurance.com Insurance Information Institute, www.iii.org Risk Insurance and Management Society, www.rims.org The smart approach to protecting your business: Managing your risk, The Hartford in association with the U.S. Small Business Administration, www.thehartford.com/corporate/losscontrol/SBA/ TIPS/2009/Product%20Liability%2019295.pdf

104

Protection of Assets  Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION References

REFERENCES ASIS International. (2004). Chief security officer guideline. Alexandria, VA: ASIS International. ASIS International. (2005). Scope and emerging trends: Executive summary. Alexandria, VA: ASIS International. Buhler, P. M. (2003, December). Managing in the new millennium: Understanding the manager’s motivational tool bag. Supervision. Dalton, D. R. (2003). Rethinking corporate security in the post 9/11 era. Burlington, MA: Butterworth-Heinemann. Drucker, P. F. (1974). Management tasks, responsibilities, practices. New York, NY: Harper and Row. Duffy, G. (2006, September 23). Vice President, American Society for Quality, www.asq.org. Unpublished document. th

Fennelly, L. J. (2004). Handbook of loss prevention and crime prevention (4 ed.). Burlington, MA: Elsevier Butterworth-Heinemann. th

Fischer, R. J., & Green, G. (2004). Introduction to security (7 ed.). Burlington, MA: ButterworthHeinemann. Glassman, C. A. (2006, June 8). Complexity in financial reporting and disclosure regulation. Presentation at the Security and Exchange Commission and Financial Reporting Institute Conference, Pasadena, CA. Heffernan, R. J., CPP. (2006, September 25). 2006 trends in proprietary information loss survey results: An overview. Presentation at the ASIS International Seminar & Exhibits, San Diego, CA. McCrie, R. D. (2001). Security operations management. Burlington, MA: Butterworth-Heinemann. Naisbitt, J., Naisbit, N., & Phillips, D. (1999). High tech/high touch. New York, NY: Broadway Books. Naisbitt, N. (2006, June 22). Founder and executive director, The Pinhead Institute, Telluride, CO. Personal interview. National Institute for Standards and Technology, Computer Security Resource Center. (2006). History of computer security. Available: http://csrc.nist.gov/publications/history [2006, July 28]. Securitas. (2006). History. Available: http://www.pinkertons.com [2006, July 28]. th

Sennewald, C. A., CPP. (2003). Effective security management (4 ed.). Burlington, MA: Butterworth-Heinemann. Webster University. (2006). Business assets protection. Course materials for Business and Organizational Security Management Program. Washington, DC: Webster University. Wilson, T. R. (2002). Global threats and challenges. Statement to the U.S. Senate Armed Services Committee by the Director of the Defense Intelligence Agency, March 19, 2002.

Protection of Assets  Copyright © 2012 by ASIS International

105

CHAPTER 5 COST-EFFECTIVENESS AND LOSS REPORTING

5.1

UNDERSTANDING THE PROBLEM Asset protection must be cost-effective. An organization should not spend $1,000 to protect a $10 asset. Except for certain high-value, irreplaceable items, an organization should base its protection strategies on a realistic, cost-effective rationale. As the security industry matures and incorporates business fundamentals into its repertoire of strategies, several business tactics are being ingrained into standard security management practices. These include return-on-investment strategies, metrics management, data capture and analysis, and costbenefit analysis. As part of asset protection, security is best described as the implementation of standards and principles that, when constantly applied, control loss.

5.2

WHAT COST-EFFECTIVENESS MEANS Cost-effectiveness means producing good results for the money spent. To senior management, cost-effectiveness is the primary factor in determining the size or existence of the asset protection program. Anecdotal evidence of the efficiency of an asset protection program is interesting, but in the final analysis the program must be measurable in financial terms.

Protection of Assets  Copyright © 2012 by ASIS International

107

COST-EFFECTIVENESS AND LOSS REPORTING 5.3 Elements of Cost-Effectiveness

To maximize cost-effectiveness, a security manager should do the following: x

Ensure that the operations are conducted in the least expensive, but cost effective way.

x

Maintain the lowest costs consistent with required operational results.

x

Ensure that the amount of money spent generates the highest return.

Cost-effectiveness in asset protection requires balancing expenditures against results and revising the plan as needed. It also requires critical judgment based on a complete understanding of the enterprise operations, a broad knowledge of state-of-the-art security, and the recognition that some elements of the security program may take several years to implement. Often overlooked as asset protection tools, procedural controls are the least expensive countermeasures one can employ. Simply by changing the way things are done, revised procedures can enhance security while improving the bottom line for the enterprise. A historic, continuing problem is the inability to demonstrate that asset protection expenditures lead to tangible, more valuable goals—in other words, to justify the cost of an asset protection program to enterprise management.

5.3

ELEMENTS OF COST-EFFECTIVENESS The question that senior management wants answered is this: Does the asset protection function accomplish anything that can be quantified and that justifies its cost? One way to view the issue is to consider a business with gross annual sales of $250 million and an asset protection operation costing $1 million annually. At that level, asset protection constitutes 0.4 percent of sales. Senior management will want to know why $1 million should be spent on asset protection rather than on something else. The “something else” could even be a short-term investment in financial instruments. At a modest 4.5 percent annual return, $1 million would earn $45,000 in a year. Thus, the $1 million expenditure actually costs the enterprise $1,045,000 in a year. That cost must be weighed against the consequences of not having a security program. Cost-effectiveness also applies within the asset protection operation itself. An expense budget allocates monetary value to a department’s activities. The security manager must consider whether a given resource is the most effective one available at the stated cost. For example, if $30 padlocks are used to secure loaded semitrailers in the company lot, the security manager should attempt to answer these questions:

108

x

Is a padlock the appropriate countermeasure in this situation?

x

If so, is this particular padlock at $30 best suited for the purpose?

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.3 Elements of Cost-Effectiveness

In general, the second question is harder to answer than the first. Senior management will inevitably view all operations from a financial perspective, because the department that plays a direct role in the generation of revenue is a profit center. A security professional lacking this perspective will be unable to justify continued funding of the security program, especially if the enterprise is emphasizing financial austerity. The three main expense categories that security professionals must consider when developing a budget are salaries, operational expenses, and capital expenditures. An essential step in developing a department budget is to review the organization’s overall strategy and goals to determine how the security budget fits in. Is it in line or does it exceed what would be realistic and acceptable to senior management? Necessary protection programs are often substantially cut because, in the intense competition for scarce funds, no persuasive argument is made for them. However, the increased losses that might follow a security cutback could easily and greatly exceed the presumed saving. The following are various financial concepts that can be used to show value for money.

5.3.1

RETURN ON INVESTMENT Return on investment (ROI) is a standard profitability ratio that measures how much net income the business earns for each dollar invested by its owners. Also called return on equity, ROI is used to gauge management’s overall effectiveness in generating profits. Kitteringham and McQuate (2003, p. 121) observe: ROI can be measured in time saved, improved efficiency, reduced manpower, reduced losses, lower liability or insurance payments, or greater customer satisfaction. It all translates into an improved bottom line over time.

The expectation is that security measures should not merely be efficient but should provide a positive return on investment. For example, security awareness programs may be judged as effective when benefits are either commensurate with cost or exceed cost estimates. The return varies in different organizations but may include increased customer satisfaction, happier, more secure employees, increased productivity, reduced employee turnover, cost savings, actual revenue, reduced false alarms, saved lives, or anything else that can be quantified. However, many organizations do not make ROI calculations when judging security spending; they merely adopt a budget based on historical experience or future estimates. According to an Ernst & Young study (2003) of the information security field:

Protection of Assets  Copyright © 2012 by ASIS International

109

COST-EFFECTIVENESS AND LOSS REPORTING 5.3 Elements of Cost-Effectiveness

Return on investment (ROI) is not valued as a measure of information security spending effectiveness. This was evidenced by the nearly 60% of organizations that said they rarely or never calculate ROI for information security spending.

One way to determine ROI is shown in Figure 5-1.

AL + R CSP

= ROI

AL = Avoided loss R = Recoveries made CSP = Cost of security program, including personnel expenses, administrative expenses, and capital costs Figure 5-1 Return on Investment (ROI) Formula Two examples of ROI calculation follow.

Nuisance Fire Alarms Due to a high number of nuisance fire alarms, an organization decided to assess the data collected in the normal course of security department incident report writing. The cost of alarms was divided into hard costs and soft costs. Hard costs included lost productivity for employees evacuating the building and for employees responding to the alarms, as well as the cost of fire department fines. Soft costs included wear and tear on building mechanical systems when alarms activated; the tendency for employees to learn to ignore alarms, thereby placing themselves in jeopardy when legitimate alarms activate; the potential for staff injuries during evacuations; and the frustration of the organization’s staff and fire department personnel due to the high number of alarms. Lost productivity was quantified with an average hourly salary figure from the organization’s human resources department, and fire department fines were easy to tally. Soft costs were merely estimated. The next step was to determine the causes of the alarms. There were three factors: the age of some equipment, a lack of training and familiarity with the fire alarm system, and a lack of communication between staff and contractors working in the building. Once these factors were identified, replacement parts were installed, a training program was initiated, and a formal communication program was implemented. All costs were captured and compared. The annual costs of nuisance alarms in Year 1 were compared to the same costs in Year 2, after nuisance alarms were reduced. Nuisance fire alarms were found to have cost the organization $50,000 in Year 1, before the security program reduced nuisance alarms. In Year 2, following the nuisance alarm reduction initiative, alarm costs dropped to $10,000,

110

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.3 Elements of Cost-Effectiveness

resulting in an avoided loss of $40,000. The annual cost of the nuisance alarm reduction initiative is $10,000. Hence, for an annual investment of $10,000, the organization saves $40,000. In other words, for every $1 invested, the company saved $4.

Two-Way Radios A company was using a trunk cellular two-way radio system. Staff complained of multiple areas within the building where the radios did not work. The result was a waste of staff time as they moved out of the dead spots to use their radios, an increase in staff risk when they were out of radio range, and delayed responses to security, safety, and medical incidents. Additionally, because of the radio system’s trunk cellular nature, the organization was paying hard costs of $25,000 annually for air time. The soft costs were harder to quantify and were left out of the equation. Prospective avoided losses (due to upgrading the radio system) included possible lawsuits and workers’ compensation claims. Avoided losses were estimated at $25,000 per year. The length of the solution may alter the ROI calculation. One method of calculation would be to multiply the savings by the number of years the original radio system would have been in use before being replaced. For example, if the radio system had another 10 years in it, then the annual savings can be multiplied by 10 to obtain the final figure. A replacement system was researched and installed. The capital expenditure purchase and installation of the system (cost of security program) was $60,000. Based on a single year, the formula results in return of $0.41 for every dollar invested. Additionally, all other issues were resolved to the satisfaction of staff and tenants, including delays in responding to incidents where time was of the essence. If 10 years were factored into the formula, then the ROI would be $4.10 for every dollar invested.

5.3.2

SECURITY METRICS The term “security metrics” refers to security-related measurements. Kovacich and Halibozek (2006) describe security metrics as the process of measuring an asset protection program’s costs and benefits as well as its successes and failures. Security budgets and expenditures are being scrutinized as never before, and security metrics can help in justifying those expenditures. The first step in good security planning is performing an analysis of the potential areas of loss, their probability, and their gravity or impact on the corporation. This data, along with security metrics, provides the information needed to present a security budget to senior management.

Protection of Assets  Copyright © 2012 by ASIS International

111

COST-EFFECTIVENESS AND LOSS REPORTING 5.3 Elements of Cost-Effectiveness

Mainstream security management has been slow to adopt a metrics-based approach, but the trend is changing. Through the application of metrics, security managers are better able to show the cost-effectiveness of asset protection. A loss prevention program can collect metrics on arrests made, recoveries per year, recoveries per officer, arrests per shift, arrests per location, and other topics. Metrics in the commercial high-rise industry can be gathered on the number of thefts occurring, costs per square foot, number of fire alarms per year, number of incidents, doors found open, number of undesirable persons, recoveries made, investigations conducted, etc. Shopping mall security management can collect metrics on arrests made, number of people banned from the property, interactions with the public, loss prevention seminars conducted with retailers, patrols conducted, cars stolen from the parking lot, etc. Corporate security can collect metrics on investigations conducted, recoveries made, risk assessments conducted, travel briefings provided to staff, etc. Once baseline data is collected, security managers can experiment with and fine-tune the asset protection program to increase its effectiveness. Data analysis may also suggest whether specific security measures are effective at all. It is up to the individual security manager to determine what should be measured. Those metrics may help the security manager answer the following questions: x

What am I trying to accomplish?

x

How will I know if I am successful?

x

What would convince me that I am not successful?

x

What are my impediments to success?

x

How much is it costing per unit to be successful?

x

Is it worth the cost?

x

How will I be able to collect and display the information in a meaningful format?

x

What is the cost of success?

x

What is the cost of failure?

Despite its importance, the security department must compete with other departments for funding. From an engineering department perspective, if a piece of equipment will fail if not repaired or replaced, the decision to spend money can be made easily. Other departments, such as security and marketing, may find it harder to gain funds and should use ROI figures to convince decision makers.

112

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.4 Boosting Cost-Effectiveness

5.4

BOOSTING COST-EFFECTIVENESS

5.4.1

BUDGET PROCESS For organizations that generate income, it is customary to budget that income over the same fiscal periods in which the costs necessary to produce it are incurred. Typically, a sales forecast will project sales revenue for a quarter or a year. This forecast will then be the baseline from which all expense budgets are built. In commercial operations, policy makers will determine the profit that the enterprise must earn. Subtracting that amount from the estimated revenues leaves the amount available to run the business. That amount is then divided among the various elements of the business using budgeting techniques. When expense budgets total more than the available funds, budget reviews are conducted. Reductions are made by deleting planned expenditures—typically personnel and operating expenses. After operations have commenced, periodic reports of actual results against budgeted results will indicate whether further expense reductions are required. Management strives to maintain the margin between gross sales and expenses, even in the face of reduced sales. Accordingly, the only way an operating function can justify continued funding is to demonstrate that the real costs to the enterprise would be greater if the level of support for the activity were reduced. If the contribution of the operating function cannot be quantified or, when quantified, cannot be shown to result in greater net revenue than would be possible without the function, sound management practices dictate that the function be reduced or eliminated. Preventing crime, closing investigations, and maintaining order are all legitimate and necessary objectives of an asset protection program, but only for the purpose of helping the enterprise achieve its basic goal. For commercial organizations, the goal is to make and distribute products or render services so as to earn the planned profit. For public service or not-for-profit organizations, the basic goal is to render services within the limits of the available funds.

5.4.2

COST REDUCTION Each element of the operation must be carefully examined for cost-effectiveness. The “we’ve always done it this way” syndrome can significantly increase the cost of the operation. By contrast, periodic reassessment of security solutions can lead to savings. For example, if a company had earlier determined that $30 padlocks were the best solution for a particular protection need, the company now should evaluate whether $20 padlocks might provide the required protection. Purchasing 500 padlocks per year at $20 instead of $30 leads to an annual savings of $5,000.

Protection of Assets  Copyright © 2012 by ASIS International

113

COST-EFFECTIVENESS AND LOSS REPORTING 5.4 Boosting Cost-Effectiveness

Security departments can also examine whether it is more cost-effective to use a proprietary security officer force or a contract force. Another consideration might be the cost-effectiveness of maintenance contracts for security systems. The warranty for a new system generally covers the first year of operation. A maintenance contract for each subsequent year costs approximately 13 percent of the original system cost. Thus, an annual maintenance contract for a $100,000 system might be $13,000. An analysis of the maintenance history might reveal that the services would cost significantly less if paid for on a time and materials basis. A countervailing issue is that system suppliers normally give first priority to customers who have maintenance contracts. Thus, the system’s age and criticality should also be factored into the calculation.

5.4.3

COST AVOIDANCE One way to achieve cost-effectiveness is to avoid costs or expenses through the use of asset protection resources. Following is a discussion of major areas in which cost avoidance is possible.

Major Loss Prevention An asset protection program would be cost-justified if it was established that probable real losses would not occur if the proposed asset protection measures were adopted. Under that approach, “cost avoidance” would be the total cost of probable security losses assumed to have been prevented. The real test, of course, would be whether the actual losses were less than the otherwise probable losses and whether the combined cost of the actual losses and the cost of maintaining the asset protection organization were within the risk-assumption boundaries accepted by management when approving the asset protection program.

Other Loss Prevention Asset protection programs prevent other losses, including some that are rarely quantified. A good example is the work of security patrols in observing and correcting maintenance or housekeeping problems, while at the same time preventing hazards such as fires. The following situations will be found in every operation. In those with security forces, the security officer often takes the corrective action on patrol. Figure 5-2 lists several types of issues that security officers may discover on their patrols.

114

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.4 Boosting Cost-Effectiveness

ITEM OR TOPIC

CONDITION

Expensive tools or materials

Not stored securely

Lights

Improperly on or off

Machine

Improperly running or not running

Doors or hatches

Improperly closed or open

Temperatures

Too high or too low

Pressures

Too high or too low

Levels

Too high or too low Figure 5-2 Problems Discoverable on Security Officer Patrols

The least dramatic of these—the light left burning when it should have been extinguished— could be resolved by motion sensors that turn off a light if no motion is detected within a predetermined period. However if the organization does not use this technology, three questions can be asked that will allow assessment of the value of the patrol action in turning the light off:

1.

If the security patrol had not turned off the light, how long would it probably have remained on until discovered by someone else?

2.

What is the expense to the enterprise for a light of that wattage burning for an hour or a shift?

3.

What cost has been avoided by turning off the light? (Item 1 multiplied by Item 2)

The savings for one light that might otherwise have burned needlessly for an hour will be insignificant. But, over the course of a year, preventing hundreds of lights from burning thousands of bulb-hours will result in significant cost savings. The same factors apply to turning off machinery, where reduction of wear and tear is an additional benefit. There could be far more serious consequences than energy expense. If a temperature is too low or too high, a process could fail or a vessel rupture. Taken individually, these housekeeping losses are not major items. However, a large facility features many such items, so the cumulative effect of reducing them may be significant and should be documented.

Protection of Assets  Copyright © 2012 by ASIS International

115

COST-EFFECTIVENESS AND LOSS REPORTING 5.5 Data Capture

Other Strategies Security managers can use several other means of identifying acceptable asset protection strategies. For example:

5.5

x

WAECUP (Waste, Accidents, Error, Crime, Unethical Practices) can be used as a blueprint for developing security objectives.

x

SWOT (Strengths, Weaknesses, Opportunities, and Threats) Analysis is a model for analyzing proposed organizational projects. The concept is to analyze an issue or proposal from each of the four points of view, thereby giving security management a profile of potential issues to deal with. A goal of risk analysis is the recognition of threats as they relate to company operations.

x

The STEP (Social, Technological, Environmental, and Political) Model points out potential sources of threats. The security manager can then conduct an analysis to determine whether such threats are likely and where they could come from.

DATA CAPTURE Collecting information is of paramount importance to security management, and the easier it is to create security reports, the less staff will resist reporting incidents. Options include pen and paper, electronic report writing at a work station, and portable input devices that security officers can use on patrol to report their activities, including housekeeping and maintenance loss avoidance. The screen can be configured to minimize keystrokes, and information can be transmitted by radio frequency as it is gathered or can be uploaded to the main database at the end of the tour. The use of specially designed incident reporting forms also fosters easy data collection. One approach to using such forms is as follows:

116

1.

Design a good report form. Much time can be saved if the data fields are properly designed. The minimum information to be captured should include date, time, location, relevant names, name of officer, type of incident (light on, machine off, etc.), and department affected by and responsible for the issue reported.

2.

Teach security staff how to use it. All members of the asset protection organization should be prepared to use and process these forms. Of course, the primary security task—dealing with the incident, not just reporting it—must also be emphasized.

3.

Promptly collect data and conduct initial analysis. Because report forms provide data necessary for asset protection operations, they should be analyzed immediately by a responsible supervisor. Software in portable data terminals can generate an immediate report if any abnormal events or conditions require a prompt response. Routine analysis should determine whether costs can be quantified and totaled.

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.5 Data Capture

4.

Produce periodic management reports. The real value of cost-effectiveness data gathering comes in making periodic cumulative reports to senior management. In these reports, the number, frequency, distribution by type of incident, and location can be shown, along with the individual and cumulative costs that were avoided. At the end of any budget year (earlier if needed), all instances of cost avoidance through security patrol action in housekeeping/maintenance situations can be totaled and reported in summary form.

Gathering numbers is important, but considerable information can also be gathered from personal interviews. For example, useful information on robbery and shoplifting has been gathered from one-on-one interviews between researchers and prisoners. Surveys, too, can be powerful tools for the security manager—for example, on a specific problem like laptop theft. To validate information, security managers can conduct experiments. One method is to gather statistics before and after implementation of a security measure to gauge whether it was effective. Another method is to implement the new security measure in one company site but not another and compare the results. Finally, direct observation can be used in some less serious, nuisance-level situations to discover unknown aspects of the problem. Figure 53 shows the main methods used in social science research. Security managers can apply those same methods in the workplace.

Protection of Assets  Copyright © 2012 by ASIS International

117

COST-EFFECTIVENESS AND LOSS REPORTING 5.5 Data Capture

RESEARCH METHOD Fieldwork

Survey

STRENGTHS

LIMITATIONS

x Usually generates richer and more in-depth information than other methods.

x Can only be used to study relatively small groups or communities.

x Provides flexibility for the researcher to alter strategies and follow up new leads.

x Findings might apply only to the groups or communities studied; it is not easy to generalize on the basis of a single field study.

x Makes possible the efficient collection of data on large numbers of individuals.

x Material gathered may be superficial; important differences between respondents’ viewpoints may be glossed over.

x Allows precise comparisons to be made between the answers of respondents.

Documentary

Experiments

x Can provide in-depth materials and data on large numbers of subjects.

x Responses may be what people profess to believe rather than what they actually believe. x Depends on existing resources, which may be partial.

x Is often essential when a study is either wholly historical or has a historical dimension.

x Sources, such as official statistics, may be difficult to interpret in terms of how far they represent real tendencies.

x Influence of specific variables can be controlled by the investigator.

x Responses of those studied may be affected by the experimental situation.

x Experiments usually easier for subsequent researchers to repeat. Figure 5-3 Main Methods Used in Social Science Research

118

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.6 Data Analysis and Display

5.6

DATA ANALYSIS AND DISPLAY Several software packages are commercially available in the security market, and a security manager’s company can also write its own software. The key is to ensure that the software aggregates the data for analysis. Analysis of aggregate data should lead the security manager to discover trends, successes, failures, costs, losses, savings, recoveries, what works, and what does not work, along with a host of other information. Display of the aggregate data is just as important as the data itself. A security manager should show information, such as the number of thefts per year, in a pie, bar, line, cone, scatter, or other chart. One can also choose to display all thefts, both successful and unsuccessful, side by side. People interpret information differently, so there is no one correct choice. Some security managers may decide that information displayed in raw numbers will meet their needs. However, there is truth in the saying that a picture is worth a thousand words. Certainly, when presenting information to decision makers with limited time, graphical display makes it easier to convey a security manager’s key points quickly. The following are useful categories of security data analysis.

5.6.1

CLAIMS AVOIDED Monetary claims against an employer include workers’ compensation, disability, accident, and health issues. Many such claims are fraudulent or exaggerated. For example, a worker might claim he was injured on the job and left unable to perform physical work. Medical evaluation may not refute the claim. However, an investigation by the asset protection department, complete with photographs and other evidence, may establish that the claimant is regularly engaging in activities that would not be possible if the claim were legitimate. As a result of the investigation, the claim may be disallowed and payments stopped. This is a measurable cost avoidance provided by security, and its value should be calculated and entered into the cost avoidance database for later reporting. The cost avoidance for denied claims is often extended over a long period.

5.6.2

PROOFS OF LOSS Insurance companies typically require proof of loss before making payments. In cases of casualty coverage—particularly dishonesty or fidelity coverage—apparent losses may be disputed by the carrier. For example, staff at a major electronics facility might find that a large supply of components is missing from a storage container, which appears to have been damaged by the thief as he or she tried to gain entry. It is not clear whether the thief was an employee or a stranger. The distinction is important because the facility’s theft insurance for

Protection of Assets  Copyright © 2012 by ASIS International

119

COST-EFFECTIVENESS AND LOSS REPORTING 5.6 Data Analysis and Display

losses caused by outsiders has a much larger deductible than its insurance for insider theft (fidelity coverage). A security investigation might uncover evidence to persuade the carrier of two points: x

An outsider could not have gained access to the location of the theft during the period when the theft occurred because of access controls then in effect.

x

The missing materials were not simply purchased components but had been worked on by the enterprise. The components therefore had a labor cost element in addition to a purchase cost element at the time of the theft.

If the claim had been made under the external theft coverage, it would have been less than the deductible. But, thanks to the asset protection investigation, the fidelity claim is allowed. Therefore, the net amount of the claim can be added to the security database for later reporting.

5.6.3

RECOVERED PHYSICAL ASSETS The value of a physical asset can be calculated as the purchase price or acquisition cost, the depreciated book value (acquisition cost less accumulated depreciation), or replacement cost. If the asset is lost and security action leads to its recovery, then at least one and perhaps two financial benefits will accrue to the enterprise. First, the net value of the asset will be recovered—a security recovery expense reduction item. Second, if the lost asset would need to have been replaced if not recovered, the cost of the replacement is avoided. Both cost avoidances should be identified and stored in the database.

5.6.4

UNINSURED CLAIMS OR CAUSES OF ACTION A security investigation often results in a formal statement by an individual confessing responsibility or in some other way admitting financial obligation. Examples include confessions by forgers of company checks and admissions by vendors that they delivered less material than claimed. Even more important are inculpatory statements by trade secret thieves. Such statements may lead to actionable claims by the enterprise for financial recovery other than an insurance claim. The net cash value of such claims should be assessed and the items identified and added to the database. They, too, are asset increases or expense reductions that would not exist without the asset protection effort. For litigation and future claims, the amount may be postponed until collection.

120

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.6 Data Analysis and Display

5.6.5

OTHER ACTIONS A review of other revenue losses within the enterprise may suggest security action that can recover the revenue. For example, checks returned from the bank as nonnegotiable are normally handled by the finance department. The sender of the check is notified that the check is nonnegotiable and is advised to remit the funds within 10 days. If the payment is not received, the account is referred to a collection agency, which charges a fee of 30 percent to 50 percent of the funds recovered. If the matter were referred to security rather than to a collection agency, the funds might be recovered more cost-effectively. Payment with a nonnegotiable check and failure to make the check good is a criminal offense in most places. Security will normally be familiar with the process of filing criminal complaints. Because there is no charge to file a criminal complaint, the expense to the enterprise will be that of maintaining the records and the time of the representative who files the case and attends the hearing. A copy of the letter requesting payment, proof of receipt of the letter (postal receipt card), and the check will generally provide a prima facie case. The court can then issue a restitution order. If the face value of the check is $1,000, the collection agency fee would be $300 to $500. If the matter requires three hours of a security representative’s time at a rate of $40 per hour, the cost of recovery would be only $120. This process should be periodically examined for cost-effectiveness. Nonnegotiable checks with a face value of perhaps $500 or less would then be excluded from security action.

Protection of Assets  Copyright © 2012 by ASIS International

121

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

5.7

SYSTEMATIC INCIDENT REPORTING An incident reporting system is needed so that all employees can report incidents and security can track and analyze them. A formal incident reporting system is essential if the full cost-effectiveness of asset protection operations is to be achieved. An incident reporting system does two things that could not otherwise be done: x

provides a history of events occurring to the organization

x

provides a basis for professional efforts at asset recapture, recovery, or incident reduction or termination

The company can decide which incidents are important enough to be reported. Shopping malls, financial organizations, oil companies, commercial high-rise buildings, and warehouses all have unique incident reporting requirements. Over time, security departments may find that the types of incidents being reported become standard and change infrequently. However, changes in legislation on health, safety, or privacy could change the types of incidents that a company wants to track. Once the company has established guidelines regarding which types of incidents must be written up, all such incidents should be reported to a central point. It is also essential that the right details be captured. It is better to know when and where certain items—such as hand tools, small meters, fractional horsepower motors, flashlights, etc.—are disappearing from than merely to know the gross value of the lost items. With the right information, the security department is in a much better position to act to reduce losses. For incident reporting to function, a statement of enterprise policy is needed. The policy should do the following:

122

x

Establish the program.

x

Identify the kinds of incidents to be reported.

x

Assign reporting responsibility to the persons accountable for the various types of incidents. For example, building engineering would be responsible for health and safety incidents.

x

Prescribe the report format.

x

Set a time within which reports are to be submitted.

x

Identify to whom they should be submitted.

x

Indicate the consequences of failure to make timely reports.

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

Appendix A presents a model incident reporting form. The form requests the time and circumstances of the incident, the assets involved, and their value. Information on circumstances will go into incident profile and modus operandi files and will help in the development of countermeasures or recovery efforts. The asset description and valuation will go into the security vulnerability and cost-effectiveness files. The total number of reported incidents may be used to establish, in part, the criticality of company exposure. The frequency of incidents will help determine probability. These factors, in turn, are incorporated into the overall estimate of event probability and criticality on which the asset protection program is based. It is efficient to create a blank electronic form so that employees can complete the form electronically and transmit it to the asset protection organization. It may also be convenient for employees to report incidents by telephone to asset protection clerical personnel for entry directly into the incident reporting system. Many asset protection organizations have automated their incident reporting systems by providing a report form (in the form of a Web page) on the company network. Employees can conveniently and securely key in the incident information and immediately route the form to the security department. This process is easier than a manual system that requires mailing and copying each report. These approaches encourage employees to make reports. Appendix B includes a sample policy statement on incident reporting.

5.7.1

CREATING AN INCIDENT DATABASE Security incident reporting provides a database from which to extract information on multiple aspects of an asset loss incident. A well-developed database can be useful to all company departments, not just security. For example, because theft can be attributed partly to employee dissatisfaction, if the database shows that many employees at one location are engaging in theft, there may be a larger management issue. If the database shows that a particular operation is suffering from fraud, it may be that internal controls are inadequate. In many organizations, incidents are reported not to a central location but to a variety of departments, making tracking more difficult. The most common situation is to ignore the incident or expense the actual or suspected losses within the department that incurred the loss. That approach may conceal losses and, over time, may encourage the inclusion of incidents or losses—many of which are preventable—in production or operating standards. Also, if incidents are not reported to a central database, they may be seen as a series of unique events when in reality they may be linked in some way and may be leading up to a major loss event (Toft & Reynolds, 1999).

Protection of Assets  Copyright © 2012 by ASIS International

123

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

If a manufacturing operation budgets a percentage allowance for the unaccounted difference between actual finished goods and what should have been made from the material and labor charged, that allowance becomes a floor. Losses or unaccounted shortages amounting to less than the budget allowance will not be investigated and could well be caused by theft of product or raw materials. If manufacturing output amounts to $10 million per year, a 0.3 percent allowance for shrinkage, variance, or some other write-off account amounts to a loss of $30,000. If the business has a 15 percent profit margin, $200,000 in new sales would be needed to generate the amount written off. For larger companies, the losses and necessary new sales are commensurately greater. For example, 0.3 percent loss from a $100 million manufacturing output would be $300,000. Although those losses may not ruin the enterprise, preventing them would certainly improve performance. An annual write-off of $300,000 would support the following: x

security director with a salary of $75,000 plus 30 percent for benefits (totaling $97,500)

x

two investigators at $45,000 per year plus benefits (totaling $117,000)

x

two clerical personnel for the security group at an estimated total cost of $50,000 per year

It is axiomatic in asset protection that a competent corporate security staff pays for itself many times over. Proper attention to the reduction of shrinkage or variance losses not only provides integrity to the organization but also permits reallocation of resources to intensified asset protection efforts.

5.7.2

FUNCTIONS OF AN INCIDENT REPORT The purpose of an incident report is to provide the security manager with data on which to base security decisions. The incident report should do the following:

124

x

Provide a quick notification of an actual, suspected, or potential event.

x

Allow staff to create comprehensive reports easily.

x

Be standardized.

x

Generate suitable information for building an incident profile/modus operandi file.

x

Enable staff to tally incidents.

x

Help establish accountability for incidents or indicate that no accountability control exists.

x

Provide information for reassessing operating budgets.

x

Help executive management compel operating management to assume responsibility for incidents and prompt reporting.

x

Provide a basis for insurance claims or changes to self-insurance reserves.

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

5.7.3

BENEFITS OF INCIDENT REPORTING In raw form, the information in incident reports has limited value. Once the information is processed, however, the security manager can use it to do the following:

5.7.4

x

Identify items targeted for theft—through high loss frequency.

x

Determine which countermeasures were effective or ineffective—by observing which countermeasure was or was not in use when incidents occurred.

x

Classify events along the continuum from high probability/low criticality to low probability/high criticality.

x

Provide an overview of where security personnel are spending their time.

x

Plot event trends—by amounts, frequencies, types of assets, day/time of loss, prime incident locations, people involved, causes of occurrences, etc.

x

Facilitate protection or recovery of assets and apprehension of thieves.

POLICY ON SUBMISSION OF INCIDENT REPORTS The following practices are recommended when submitting loss reports: x

All employees must notify their immediate supervisors of any incidents or known or suspected asset losses. This might be done informally or formally. All employees should be made aware of their personal responsibility for such notification.

x

First-line supervisors should be responsible for completing reports for losses within their areas of responsibility. Supervisors then provide the reports to security personnel.

x

The security manager is responsible for reviewing the report. Corrections or modifications, if any are required, can then be made.

Reports should be distributed to the following locations: x

asset protection or security department—all reports

x

insurance department—reports of losses that are, or may be, insured or chargeable to self-insurance reserves

x

property accounting—reports involving depreciable or amortized assets or items for which property accountability is maintained

x

legal department—for reports involving slips and falls and other legally sensitive issues

x

auditing department—all reports (to determine whether the loss is related to noncompliance with existing procedures or lack of procedures)

x

originator’s files—all reports filed by that originator (but the originator is not required to archive the reports)

Protection of Assets  Copyright © 2012 by ASIS International

125

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

5.7.5

INCIDENT DATABASE The security department should maintain the incident report database. Each report should be converted to a computer file and the permanent database maintained in that format. The database should be designed to sort and retrieve data based on the following data fields: x

individual asset lost, or asset class, ranked by loss frequency

x

value of the lost assets (to show distributions of asset values)

x

time and date of the incident (actual or estimated)

x

location of the incident, such as the city, facility or floor (to identify vulnerable locations)

x

person or department that reported the incident

x

person or department in which the incident occurred

x

countermeasures involved in the incident

x

circumstances of the incident

x

character of the incident (for example, actual, near miss, commercially insured, uninsured, or self-insured)—this item may have to be added after the initial submission of the report, as the character may not be known at that point

6

Information should also be searchable by various if/then parameters, such as whether an asset was recovered, criminal prosecution was initiated, or any other action was taken against the persons responsible.

5.7.6

MANAGEMENT REPORTING FROM THE DATABASE As the incident database grows, so will management interest. The following are different types of reports that security managers should distribute periodically to upper management.

General Management Distribution Report This report is computer-generated and has incident information for the covered period arranged in the following order:

6

1.

ranked frequency by asset or class of asset

2.

ranked frequency by date and time

3.

ranked values by assets involved

4.

ranked values by location of incident

5.

total value of losses for the report period

Extra analysis may be required to determine modus operandi or other event characteristics. Examples of significant modus operandi information would be a particular technique for defeating locks or the presence of unusual materials at the scene of the incident. The security department should develop that information even if another department manages the files.

126

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.7 Systematic Incident Reporting

This type of report could be widely circulated to all members of senior management. It would give them a current picture of the extent and type of actual or probable theft losses.

Corrective Action Report This report is arranged as follows: x

by organizational unit responsible for the incidents

x

by total loss value charged to that unit during the report period

This report would immediately alert units with unacceptable incident records to the need for corrective management action.

Loss Status Report This report is distributed to senior management on a less frequent basis and depicts the following: x

total amount of losses incurred

x

of total losses, the amounts — reflected in actual asset recoveries — of indemnity by way of insurance — chargeable to self-insurance reserves — chargeable to current operations as expenses to offset asset value reductions

If profit center managers do not recognize the benefit of submitting incident and loss reports, they may fail to report such incidents. On the other hand, if losses are tracked to a central reserve account instead of each manager’s account, they may be more likely to report incidents and losses. It is better to identify and classify losses and to take any curative or preventive action than to bury losses in a myriad of accounting ledgers.

Protection of Assets  Copyright © 2012 by ASIS International

127

COST-EFFECTIVENESS AND LOSS REPORTING 5.8 Predictive Modeling by the Security Organization

5.8

PREDICTIVE MODELING BY THE SECURITY ORGANIZATION The ultimate value of incident reporting lies in the opportunities it creates for avoiding future incidents, events, and losses through planning, employee awareness training and security enhancements. Therefore, the following categories of incidents should be tracked: x

most vulnerable assets, such as those susceptible to high-frequency losses

x

time of loss occurrence

x

locations in which losses occur, especially high-frequency loss locations

x

countermeasures that were useful or ineffective

x

losses representing the highest costs

x

types of incidents

x

slips, falls, and other incidents that expose the organization to lawsuits

x

health and safety violations resulting in lost time, reduced productivity, and increased workers’ compensation fees

x

any incident type that costs the organization time, effort, or money

This information will enable the asset protection organization to allocate protective resources cost-effectively. By tracking and analyzing incidents, the security manager can gain insights into countermeasures that may prevent future losses. For example, if incident reports show consistent losses of small, high-value items from a warehouse but no significant losses from other warehouse stocks, special precautions limited to the target items may suffice. The precautions might be as simple as installing a chain-link cage with a reliable lock and interior space alarms. Other typical warehouse security measures—such as intrusion alarms on doors and windows, security officer patrols, and closed-circuit television surveillance—could then be dispensed with on the basis of incident report data. The selection of countermeasures also depends on the return on investment. Each countermeasure can be weighed against its likelihood of preventing losses, cost of implementation, potential recoveries made, and value of avoided losses.

128

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING 5.9 Protection Planning without an Incident Database

5.9

PROTECTION PLANNING WITHOUT AN INCIDENT DATABASE Organizations without incident databases can gain some of the benefits of a database by developing an asset protection plan as follows: x

Form an asset protection committee. A group very familiar with the company’s products, materials, tools, and resources should be formed. It is important for senior management to set the organizational climate for security and loss prevention by requiring this to be a formal process that includes inspections. Typically, members would be senior managers or other experienced representatives from the following departments: — manufacturing — engineering — quality control — security — others—such as insurance, accounting, or marketing—depending on the nature of the business The committee may be managed by the business ethics or internal control department. The committee evaluates losses from a number of perspectives.

x

Determine the criteria for events and incidents. The committee should research the cost of events and incidents as well as the effect of non-monetary losses, such as damage to reputation.

x

Identify vulnerable items. The asset protection committee should consider all the items the organization handles and the activities it engages in. The committee should then determine the potential risks to those items and activities.

x

Develop a system for item tracking. Once the target items have been identified, a flow chart should be prepared depicting the exact movement of each asset through the organization. In manufacturing companies, for example, items may travel through purchasing, incoming inspection, raw materials inventory, assembly, and distribution.

x

Assess vulnerability. When the assets are identified and the flow or process is clear, the asset protection manager can assess the vulnerability of each asset at each stage of the process.

x

Select countermeasures. Based on the vulnerability assessment, the asset protection manager can select the appropriate countermeasures for each area of exposure.

x

Cost-benefit model. Finally, the selected countermeasures can be justified in a costbenefit model using the costs of the target assets, the level of loss probability, and the expected amount of risk reduction.

Protection of Assets  Copyright © 2012 by ASIS International

129

COST-EFFECTIVENESS AND LOSS REPORTING 5.9 Protection Planning with an Incident Database

5.9.1

PILOT VERIFICATIONS OF THE MODEL It is advisable to pilot test the asset protection program. This can be accomplished by selecting some points of exposure and providing countermeasures, while leaving other points of exposure, of equal loss probability, unprotected. Over a controlled test period, actual losses can be tracked in the unprotected areas. For example, careful inventories or other counts can be taken but no loss prevention efforts employed even in the face of actual losses. The losses in the unprotected areas can then be compared to the losses in the protected areas to gauge the effectiveness of the chosen countermeasures. (Of course, if losses during a pilot test are unacceptably high, the test can be narrowed or discontinued and countermeasures applied enterprise-wide immediately.) Based on the pilot data, countermeasures should be adjusted as appropriate.

5.9.2

MODIFICATIONS OF A GROWING DATABASE Building an incident database takes time. As incidents are entered into the system, the incident classifications may need to be modified. Security management should be flexible in establishing and maintaining the system but must make sure to review the data periodically. Often, various types of incidents may be lumped together in an “other” category. If 80 percent of each month’s reports fall into the “other” category, new categories should be developed. To be cost-effective, an asset protection program must consider not only the major incidents and events it is designed to prevent but also the incidental cost avoidances and asset or value recoveries that occur in the course of operations. The reasonableness of proposed security expenditures, compared to the losses that might otherwise occur, will move management to approve the program. Ongoing evidence of losses avoided through security countermeasures is necessary to sustain management support of the security program. Cost-effectiveness reporting demands a reliable database that can be created and maintained through an enterprise-wide loss reporting system. By using return-on-investment and other formulas, security managers should find it easier to make the case for security expenditures.

130

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING Appendix A: Model Incident Reporting Form

APPENDIX A MODEL INCIDENT REPORTING FORM PA RT I

[C OMPANY NA ME]

1. Division

4. Date of report

2. Location

5. Reporter’s name

3. Unit or department

6. Reporter’s signature

PA RT II

ASSET DE SCR IPT ION

7. Nomenclature and description (including dimensions, weight, and color; add photo, if available) 8. Serial or other ID#

11. Ownership a) Company b) Other (identify)

9. Monetary value 10. Basis of valuation a) Purchase price b) Book value c) Replacement cost d) Other (describe)

PA RT III

C IRC UMSTANCE S OF LOSS

12. Date and time loss discovered 13. Incident type 14. Persons involved (suspect, witness, complainant, victim, security personnel) 15. Location of incident

PART IV

16. Date and time incident occurred (best estimate) 17. Hour loss occurred (best estimate) 18. Nature of incident (brief description of what event occurred) 19. History of document

INSTRUCTIONS FOR COMPLETING FORM

[Here would go instructions on the number and routing of copies, the handling of file or suspense copies, the filing period, etc.]

Protection of Assets  Copyright © 2012 by ASIS International

131

COST-EFFECTIVENESS AND LOSS REPORTING Appendix A: Model Incident Reporting Form

NOTES ON INCIDENT REPORTING FORM Item 11. Although this item may sound obvious, it is often overlooked in incident reports. The person completing the form should determine whether the property is really company property or whether it belongs to a customer, the government, or another party. In cost reimbursement contracts, when materials are purchased for use in U.S. government projects, title immediately goes to the government, whereas in fixed-price contracts, title to materials and components remains with the contractor until delivery of the final contracted item. The question is important because a theft in the first example would constitute a theft of U.S. government property, a federal crime with high sanctions, while a theft in the latter case might involve only state law with lower sanctions. If the lost property belonged to a third party, and the company suffering the loss was under a duty of care for such property, then the cost to the company might also include related or consequent losses suffered by the third party. Items 12–18. These items are of the greatest significance to security recovery and prevention efforts. If an incident reporting system is being adopted for the first time, instructions and examples of completed reports must be provided to employees. Item 19. Creating a document history helps in tracking changes made to the document. Often, information is added to reports as more data becomes available and the reports are forwarded to others for review, comment, and follow-up. Knowing that information has been added, acted on, or changed may be particularly important with electronic reports.

132

Protection of Assets  Copyright © 2012 by ASIS International

COST-EFFECTIVENESS AND LOSS REPORTING Appendix B: Loss Reporting Policy

APPENDIX B LOSS REPORTING POLICY

The preservation of company assets, both human and material, is the responsibility of every employee of the company. This responsibility includes taking appropriate measures to prevent losses due to willful actions that would result in personal injury, property damage, or theft. Unit managers have the additional responsibility of facilitating the gathering of reports of losses, which will be forwarded to the appropriate security office for tabulation or investigation. This reporting must be timely and accurate. It provides the basis for accurate tracking of securityrelated problems. Tracking facilitates analysis, helps identify weaknesses in current business processes, and provides early notification to minimize future losses and potentially recover assets already lost. Reports of all crime-related losses should be made to the appropriate security office by telephone, if urgent, or by using the Security Loss/Incident Report form. Further guidance as to the format, scope, and areas of responsibility can be obtained through corporate security.

GENERAL The Security Loss/Incident Report shall be submitted for each case in which misdeeds by individuals cause damage, loss of company property, or injury to company employees. It should be prepared by an employee who has direct knowledge of the incident; however, in certain circumstances, it may be completed by administrative personnel who receive spoken information on the incident. It is important that data on all malicious acts against the company be entered into the system. This will permit analysis that may establish patterns and help in solving some cases. Without full and complete reporting, the security force is at a disadvantage in preventing future offenses against the company. Timely reporting is also significant. Telephone reports shall be made to district and area offices as soon as possible after discovery of every security loss/incident. The telephone report shall be followed up by submission of the Security Loss/Incident Report form within 48 hours.

Protection of Assets  Copyright © 2012 by ASIS International

133

COST-EFFECTIVENESS AND LOSS REPORTING References

REFERENCES Ernst & Young. (2003). Global information security survey. New York, NY: Ernst & Young. Kitteringham, G., CPP, & McQuate, C. A., CPP. (2003, September). Many happy returns. Security Management. Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Woburn, MA: ButterworthHeinemann. nd

Toft, B., & Reynolds, S. (1999). Learning from disasters: A management approach, 2 edition. Leicester, England: Perpetuity Press.

134

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 6 THEFT AND FRAUD PREVENTION IN THE WORKPLACE

6.1

UNDERSTANDING THE PROBLEM The common-law definition of theft is the dishonest appropriation of property belonging to another with the intention of permanently depriving the owner of rightful possession or use of it. Fraud, on the other hand, is defined as intentional deception perpetrated for the purpose of unlawfully taking another’s property or, more simply, theft by deception. Both offenses are considered criminal and are punished as such. In some instances, as in the case of alleged fraud committed in the United States, victims have at their disposal both criminal and civil remedies. Accordingly, security professionals should carefully consider their options in designing an organization’s theft and fraud prevention program. A program that contemplates only limited remedies offers only limited protection. Theft and fraud are the most frequent and costly forms of dishonesty the security professional will likely encounter. Today’s security practitioner needs to know the factors that lead to theft and fraud, as well as the best methods of preventing it. The relevant facts or elements of most economic crimes are motive, ability, and the opportunity to commit the crime. Although theft and fraud are closely related and similarly motivated, the techniques used to prevent them differ significantly. In particular, theft and fraud by employees may be an organization’s greatest threat, second only to competition. Therefore, this document 7 focuses primarily on workplace theft and fraud.

7

According to Report to the Nation 2004 from the Association of Certified Fraud Examiners, the most cost-effective way to deal with fraud is to prevent it. An organization that has been defrauded is unlikely to recover its losses. The median recovery among victim organizations in the study was only 20 percent of the original loss. Almost 40 percent of victims recovered nothing at all.

Protection of Assets  Copyright © 2012 by ASIS International

137

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.1 Understanding the Problem

The following items offer insights into the extent of theft and fraud: x

The United States Chamber of Commerce estimates that 30 percent of business failures result from employee theft, with over one half of them failing in the first three years of their existence (Ferraro, 2006, p. 370).

x

Occupational fraud is a growing industry in which most perpetrators are first-time offenders (Association of Certified Fraud Examiners, 2004).

x

In 2004, fraud cost each U.S. resident approximately $2,444 (Association of Certified 8 Fraud Examiners, 2004).

x

U.S. organizations lose 6 percent of their annual revenues to fraud. That share of the U.S. gross domestic product would be $600 billion (KPMG, 2003).

x

Small businesses suffer disproportionately larger losses than large businesses. In 2003, the median loss suffered by small businesses was $98,000. The median loss from those frauds committed by owners and executives was $900,000 (KPMG, 2003).

x

More than 2 million shoplifter apprehensions are made every year. They are only a fraction of the estimated 200 million annual shoplifting incidents. The estimated rate of shoplifting translates to approximately 550,000 shoplifting incidents per day, with losses totaling almost $30 million per day (Shoplifters Alternative, 2002).

x

Various studies estimate that employees steal over a billion dollars a week from their employers.

The following are some general observations about the characteristics of employee theft and fraud:

8

x

Some employees will generally steal to the extent the organization will allow.

x

Clear organizational policies, procedures, and practices will significantly increase the chances of detecting vulnerabilities and systemic gaps before losses occur.

x

By reducing temptation and increasing the probability of detection, organizations can prevent much internal theft and fraud.

x

A key to preventing theft and fraud, and to increasing the reporting of suspected incidents, is a continuous, well-developed, and well-delivered fraud awareness program for all employees. Employees must feel confident that senior management takes these issues seriously, will act with professionalism and discretion regarding reports made by employees, and will steadily demonstrate their resolve to handle offenders properly at all levels of the organization. An important prevention tool a company can use to reduce the level of employee theft, fraud, and embezzlement is to maintain a climate of trust, honesty, and cooperation throughout the workforce.

In a sense, fraud is a tax. Employee theft and fraud siphon off resources, making the victim organization less competitive.

138

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.1 Understanding the Problem

Figure 6-1 describes the impact of theft or fraud on a company with $5 billion in revenue and a pretax profit margin of 15 percent. Assuming the organization loses 1 percent of revenue as a result of employee theft or fraud (a very conservative estimate for most industries), it would need to generate an additional $333 million in sales to recover the losses.

Revenue

$5,000,000,000

Losses from theft and fraud (1 percent of revenue)

$50,000,000

Additional sales required ($50 million ÷ .15)

$333,000,000

Figure 6-1 Financial Impact of Theft or Fraud

Thus, the loss should not be measured merely in terms of revenue. More accurately, the loss should be measured by extrapolating the amount of sales and other costs such as downtime and insurance rate changes necessary to cover the loss. In addition, losses avoided may be determined by the difference between the losses estimated without a security program and those with the program. The percentage of probable loss can be estimated for various industries or based on the loss history of the particular organization. This method of describing the effect of theft and fraud on profitability is a powerful tool for demonstrating the need for comprehensive initiatives to identify and limit such losses. In the retail industry, up to 70 percent of losses are perpetrated by employees, and for every dollar lost to shoplifting, employees steal another $15. In the food service industry, employee theft imposes a 4 percent tax on every customer dollar spent (Ferraro, 2006, p. 370). The annual loss to the U.S. banking industry from employee embezzlement is estimated to exceed $1 billion (Hart, 2004). A serious form of embezzlement in the workplace is fraudulent cash disbursements. Employees steal more than food and cash—they steal time. Efficiency consultants have known this for years. Businesses have attempted to improve workplace efficiency since the Industrial Revolution began. From Henry Ford’s first assembly line to the implementation of modern robotics, companies have striven to improve worker efficiency. Time theft is every employer’s nemesis. If each employee of a 200-person organization were to steal 10 minutes a day, the employer would lose 2,000 minutes per day. If the work year consisted of 260 workdays, the employer would have suffered a loss of 520,000 minutes, or

Protection of Assets  Copyright © 2012 by ASIS International

139

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.1 Understanding the Problem

the equivalent of 4.1 man-years. In effect, the workforce of 200 individuals is doing the work of 196. If the annual wage of an employee was $30,000, the cost of each employee stealing just 10 minutes a day translates to about $125,000 a year! Reducing wasted time by just one minute per day per employee would create a savings of $12,500 a year (Ferraro, 2006). The crimes of employee theft and fraud share some other general characteristics:

6.1.1

x

They are usually perpetrated by employees with access.

x

Time, finished goods, supplies, scrap and waste, and intellectual property are the assets most often stolen.

x

Lack of supervision and lack of effective processes are the primary contributors to employee theft and fraud.

x

Secretive relationships, missing documents, indicators of substance abuse, and irregular hours of operation or building entry are clues that employee theft or fraud may be occurring.

COMMON MYTHS Employers of all sizes may succumb to the temptation of believing that theft and fraud prevention is expensive and time-consuming. The following are among the most common myths (often expressed as rationalizations for inaction) among employers: x

Only the needy and greedy steal.

x

Good policies and procedures will catch most wrongdoers.

x

Audits identify most irregularities.

x

Prosecution is an effective deterrent.

Unfortunately, these assumptions are untrue and misleading. They tend to lure employers into using quick fixes and relying on inadequate safeguards. Organizations that do so will unnecessarily place their assets at risk and jeopardize their employees, their reputations, and possibly their very existence.

6.1.2

MOTIVATION TO COMMIT THEFT AND FRAUD Psychologists, sociologists, and criminologists have struggled for years to understand and describe the motivations of dishonest individuals. Studies have sought to identify characteristics and personality traits most often associated with theft or fraud, as well as the social forces and environmental factors that might explain why certain individuals are dishonest and others are not.

140

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.2 Employee Theft

Historically, the focus of most sociological and criminological research has been on street crime, especially violent crime. Much study has been devoted to the psychological composition and personality of murderers, rapists, and bank robbers over the years. More recently, researchers have studied the minds of white-collar offenders and other dishonest employees. After the recent corporate scandals involving Enron, Global Crossing, ImClone, and other companies, the factors leading to executive greed and employee theft have become even more apparent.

6.2

EMPLOYEE THEFT th

Although workplace theft first received scholarly attention in the mid-19 century, academia largely ignored the subject until the early 1980s. John Clark and Richard Hollinger (1982), researchers from the University of Minnesota Department of Sociology, published the results of their extensive three-year study on employee theft. They defined employee theft as “the unauthorized taking, control, or transfer of money and/or property of the formal work organization that is perpetrated by an employee during the course of occupational activity.” Clark and Hollinger attempted to develop a consensus regarding the causes of employee theft and the most effective means of deterring it. They examined employee theft in three private-sector arenas: retailing, manufacturing, and hospitals. In doing so, they studied the literature in criminology, sociology, psychology, anthropology, and industrial security. Their review revealed these separate but interrelated sets of hypotheses commonly used to explain employee theft: external economic pressures, youth and work, opportunity, job dissatisfaction, and social control. Each is examined below: x

External economic pressures. Before the study, the most frequent justification of employee theft was that employees steal from their employers because they have personal problems involving alcohol, gambling, illicit affairs, or similar situations. Clark and Hollinger observed that the connections between economic needs and the manner in which the stolen materials satisfy those needs had not been established and was vague at best.

x

Youth and work. Another commonly expressed theory stated that younger employees are not as honest or hardworking as people from previous generations. Two studies of retail employees caught stealing merchandise had found that a disproportionate number of younger, newly hired employees were involved in theft. However, no clear and convincing evidence existed to support this theory.

x

Opportunity. Security practitioners believed that the opportunity to steal items of value was a primary factor in employee theft. It was generally held that every employee is tempted to steal from his employer at one time or another, based on the opportunity

Protection of Assets  Copyright © 2012 by ASIS International

141

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.2 Employee Theft

to steal. This theory was never empirically studied until Clark and Hollinger’s later research in 1983. x

Job dissatisfaction. The idea that job dissatisfaction causes employee theft had not been included in most studies of workplace theft until Clark and Hollinger conducted their study. The theory suggests that the employer causes theft because management, directly or indirectly, is responsible for employees’ job dissatisfaction.

x

Social control. The social control theory suggests that the broadly shared formal and informal social structure within an organization greatly influences whether theft will occur. Although not empirically tested until Clark and Hollinger’s study, the theory emphasized the role that individual workgroup norms played in deterring workplace theft. In addition, there was evidence in existing studies that relationships between supervisors and employees could deter or encourage employee theft. Both theories are similar to the deterrence doctrine, which assumes that the threat of negative social sanctions or criminal prosecution could affect the amount of theft in the organization. In essence, the premise holds that employees are more likely to steal if they perceive little threat of detection or punishment.

Clark and Hollinger found it difficult to separate theft from other forms of deviance. Their study also examined production deviance, such as unauthorized or extended coffee and lunch breaks, inappropriate use of sick time, punching time cards for other employees, and arrive late or leaving early. Each of those acts, by today’s standards, constitutes theft of time.

6.2.1

PREVALENCE OF EMPLOYEE THEFT In the industries studied, approximately one-third of employees reported stealing from their employer. In most instances, theft was minor and occurred infrequently. Model employees did not report any theft at all. The researchers also found that employee theft exhibits a bimodal distribution; that is, a small number of employees take large amounts of property, while the vast majority of those who steal take only small amounts. The four characteristic principles involved in internal thefts scams include diversion, conversion, disguise, and divergence. The more a company can do to remove one or more of these principles, the less likely an employee will be involved in internal theft. This finding corresponds to other studies of community crimes, which have found that 95 percent of property crimes in a particular community are committed by less than 5 percent of the population. The Clark and Hollinger study also found that theft of physical assets represents only a minor share of the employee deviance problem.

6.2.2

EXTERNAL ECONOMIC PRESSURE AND OPPORTUNITY The study found that few people steal company property to ease economic pressures. (However, recent examinations of the subject have revealed a correlation between economic pres-

142

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.2 Employee Theft

sure and financial crimes committed by executives.) Aside from cashier-related embezzlement and a few other types of theft, the vast majority of large-scale thefts are committed by managers (Association of Certified Fraud Examiners, 2004). These large-scale thefts usually fall under two classifications: embezzlement or defalcation. Embezzlement involves the fraudulent appropriation of property by a person to whom it is entrusted, which can involve material things such as art, property, and product, not just cash. Defalcation more specifically deals with the misappropriation of trust funds or money held in a fiduciary capacity (Bologna & Shaw, 1996).

6.2.3

YOUTH AND THEFT NEXUS Younger employees (most of whom had little tenure with their employers) reported significantly more deviance than older coworkers. Younger employees also held a higher overall level of job dissatisfaction than more senior employees. Clark and Hollinger attributed both findings to the employers’ habit of viewing younger or newer employees as temporary or expendable and withholding many of the rights, fringe benefits, and privileges afforded more tenured employees. Granting special considerations solely based on seniority may create an atmosphere in which the youngest members are the least committed to the organization. Though not addressed in Clark and Hollinger’s work, it is self-evident that employees with less tenure also have less invested in their job and the organization. Although that factor may not translate directly into individual dishonesty, a less-tenured employee will likely be more tolerant of theft.

6.2.4

JOB DISSATISFACTION AND EFFECTS OF SOCIAL CONTROLS Further unpacking the Clark and Hollinger study, the modern security professional will easily conclude the following: x

Most fraud perpetrators are influenced by an opportunity to profit.

x

Opportunity and theft are clearly correlated. For example, retail employees with the greatest exposure to cash and high-value merchandise were the most likely to steal. That propensity was particularly true of employees in occupations of lower social status.

x

However, employees at lower occupational levels do not commit most property theft. Most such theft is committed by employees with the greatest access to the property and least perceived chance of detection.

x

In manufacturing, assembly workers tend to steal less than other employees. However, engineers report much higher levels of theft (especially in electronics manufacturing, where components may mean little to an assembly worker but a great deal to engineers).

Protection of Assets  Copyright © 2012 by ASIS International

143

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.2 Employee Theft

6.2.5

x

In hospitals, the majority of theft is committed by nursing staff rather than others with the same access to various areas in the hospitals.

x

The most consistent predictor of theft in all industries is the employee’s perceived chance of being detected. Theft occurs most often when organizational sanctions or rules against theft are not properly communicated or consistently enforced (see also Ferraro, 2006, pp. 371-372).

x

In addition, employees are greatly influenced by the informal social controls of coworkers, such as peer group gossip, ridicule, and ostracism. Peer group sanctions present a significant opportunity for management to reduce employee theft.

x

Job dissatisfaction and theft are also correlated. Employees displeased with their overall employment experience are most often those who seek redress by engaging in theft and other antisocial behavior at work. Those who sense that their employer and supervisor are concerned about their well-being do not engage in as much theft.

SUMMARY AND RECOMMENDATIONS OF STUDY The study offers three cautionary notes: x

Too few organizations have appropriate mechanisms to accurately track acts of workplace dishonesty. They are thus unable to calculate the overall economic impact of the problem. As a result, organizations tend to generalize about their losses, and statistically sound information is scarce. Security managers study the causes of theft to analyze actual and potential loss-producing incidents.

x

Draconian security methods, such as searching employees at workplace exits, are expensive and hurt employee morale. By contrast, demonstrating a sincere appreciation for the individual’s contributions to the organization instills a greater sense of ownership and belonging. Such sentiments translate into less workplace theft and dishonesty.

x

Policies and work rules must be reasonable and fair. They must also be communicated properly and enforced consistently. Too often, management’s expectations are scarcely mentioned during employee orientation and never again addressed until someone is caught stealing.

Security practitioners should focus on identifying the 5 percent of employees responsible for the great majority (95 percent) of workplace theft. Practices that appear to punish all employees are generally more expensive and likely to damage morale. By contrast, anonymous incident reporting systems (sometimes called hot lines) can be used to deter dishonest employees and empower honest ones. More occupational fraud is revealed by anonymous tips provided by employees than by all formal internal audits combined (Association of Certified Fraud Examiners, 2004).

144

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.3 Fraud and Related Crimes

In sum, loss prevention and asset protection efforts in today’s workplace should be crafted based on the following:

6.3

x

Employees who steal are frequently involved in other counterproductive workplace activities.

x

The greater the opportunity for theft, the greater the chance that it will occur.

x

Employees who are satisfied with their jobs are less likely to steal.

x

The greater the chance of detection, the less likely that employees will steal.

x

A strong management commitment to deter theft reduces losses by employing policies and procedures to reduce the organization’s exposure to litigation and liability.

x

Theft on the job is not necessarily correlated to external factors or influences.

x

Peer pressure and attitude significantly affect individual employee attitudes toward theft (Ferraro, 2006, p. 371).

FRAUD AND RELATED CRIMES Two prominent explanations of white-collar crime are Edwin Sutherland’s differential association theory and Donald Cressey’s non-shareable need theory. Sutherland’s theory states that criminal behavior is most often correlated with an individual’s association with a criminal environment. In other words, people who frequently associate with individuals who have criminal tendencies become criminals as a result of those relationships. His theory posits that criminal behavior is not inherited but learned, and that it is learned through other people by example and verbal communications. Individuals also learn incentives, rationalizations, and attitudes associated with particular crimes. They also learn the psychological machinations needed to commit a crime and justify it—that is, to manage the fear of the social repercussions associated with the crimes. By contrast, Cressy’s theory defines the problem as a violation of a position of financial trust. He theorizes that trusted persons become trust violators when they visualize themselves as having non-shareable financial problems and feel they can resolve the problems by violating their position of trust. His theory is based on extensive interviews of individuals convicted of various trust violations, particularly fraud. Cressy concludes that three elements must be present before a fraud or similar crime can take place: x

the perception of a non-shareable problem

x

an opportunity for a trust violation

x

a series of rationalizations that allow the individual to justify his or her behavior as appropriate for the situation

Protection of Assets  Copyright © 2012 by ASIS International

145

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.3 Fraud and Related Crimes

6.3.1

COMMON ELEMENTS OF FRAUD Others hold similar beliefs about the mind of the fraudster. For example, in his seminal work, Occupational Fraud and Abuse, Joseph Wells states that three factors are present in every fraud (Wells, 1997, p. 11): x

a strong financial pressure

x

an opportunity to commit the fraud

x

a means of justifying the fraud as appropriate

Unlike employee workplace theft, which often occurs spontaneously, fraud is premeditated. Wells professes that if the three elements come together in almost any work-related situation, a fraud will likely occur. He names several sources of financial pressures, such as gambling debts, drug use, living beyond one’s means, and unexpected medical bills. Other motivations include the desire to be, or appear to be, successful. However, the predominant factor is greed. Proving fraud tends to be difficult. The fact-finder must demonstrate the following: x

The perpetrator misrepresented or concealed a material fact.

x

The perpetrator knew the representation was false.

x

The perpetrator intended the victim to rely on the falsity.

x

The victim relied on the misrepresentation.

x

The victim was damaged by his reliance on the misrepresentation.

Fraud Symptoms and Indicators Theft is evidenced by something’s disappearance. By contrast, most instances of fraud and embezzlement leave only symptoms or indicators that it might have occurred. Recognizing these indicators or red flags is important for security practitioners. The opportunity for fraud is generally created through the absence or weakness of internal controls. Knowledge of situational pressures and symptoms of fraud also provides the security professional with insights for preventing frauds. The following are several categories of such warning signs:

Employee Situational Red Flags x x x x x

146

high personal debts (medical, gambling, excessive speculation in the stock market, etc.) poor credit rating or other financial difficulties living beyond one’s means excessive use of alcohol or drugs perceived inequities (being passed over for promotion, receiving low pay, facing pressure to accomplish unrealistic goals, etc.)

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.3 Fraud and Related Crimes

x x x

previous convictions for fraud or related trust violations low moral character compulsive behavior

Employee Opportunity Red Flags x x x x x

position of trust (which can extend significantly through the organization as a result of employee empowerment and organizational flattening) significant knowledge of key operations easy rationalization of contradictory behavior close association with suppliers and contractors over a long period lax or remote supervision

Organization Situational Red Flags x x x x x x x x x x

costs rising faster than revenues (profit squeeze) significantly aged or excess inventories extremely rapid expansion of overall business or particular lines of business constantly operating in a crisis mode unrealistic sales quotas or revenue targets significant cash flow problems history of corruption in the company’s industry stiff competition from other companies outdating of the company’s products or services high rate of turnover among key financial positions

Organization Opportunity Red Flags x x x x x x x x x x x x x x x x x

dominant, hierarchical, and secretive management styles unethical management models exploitation, abuse, and poor management of employees lack of employee training on the relationship between security and business success lax enforcement of internal controls heavy investments or losses line supervisors’ failure to develop an effective loss-prevention environment urgent need for favorable earnings poor accounting records lack of separation of responsibility for ordering and receiving numerous instances of related-party transactions complex organizational structures numerous unexplained or undocumented transactions frequent turnover among key financial personnel or outside auditors or lawyers lack of formal controls and mechanisms for accountability domination of operating and financial decisions by a single person failure to establish, communicate, or enforce a code of business conduct

Protection of Assets  Copyright © 2012 by ASIS International

147

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.4 Scope of the Problem

6.3.2

SARBANES-OXLEY ACT In the United States, the Sarbanes-Oxley Act (formally known as the Public Company Accounting Reform and Investor Protection Act of 2002) became law on July 30, 2002. This landmark legislation was passed in response to accounting scandals at public companies in st the late 1990s and first years of the 21 century. In the Enron case alone, more than $60 billion in shareholder value was lost and more than 5,000 jobs eliminated. The legislation establishes new and enhanced accounting standards and business practices for all U.S. public companies, their boards, and the public accounting firms that serve them. Among other provisions, SOX (as the law is commonly called) requires CEOs to certify the accuracy of their organization’s financial statements and imposes stiff penalties for those who commit fraud and make material misrepresentations to the public with the intent to obtain financial gain through false or misleading statements. The requirement to improve internal controls and provide more transparency has not been without cost. SOX compliance (particularly with Section 404) significantly burdens companies’ officers and boards and imposes both civil and criminal penalties on violators. Whether those burdens are worthwhile remains to be seen, given the limited effect of internal controls on detecting fraud and the importance of open communication and setting the tone at the top (ACFE, 2004).

6.4

SCOPE OF THE PROBLEM Almost anything of value may be stolen, given someone’s desire and opportunity. However, some departments or functions in a company are much more prone to theft or fraud than others. Figure 6-2 shows some of the more common theft and fraud targets and methods.

6.4.1

ESTABLISHING A MODEL PREVENTION PROGRAM To prevent theft and fraud, organizations must move from a reactive to a proactive approach. The following is the process most companies follow, usually by default, when theft losses are identified (Albrecht, 1994, pp. 28-34):

148

x

An incident of theft or fraud is discovered.

x

Investigative resources are identified and an investigation is initiated.

x

Action is taken based on the results of the investigation.

x

The issue is resolved by temporarily tightening controls, replacing terminated employees, etc.

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.4 Scope of the Problem

Once the incident has been resolved, an organization usually slips back into a state of acceptance, and any control procedures or processes that were implemented lose their urgency. Should another problem occur, the organization simply follows the same model and shifts into action to resolve that incident.

FUNCTION

LOSS SCENARIO

Accounting

Theft of cash, altering bank deposits, fictitious accounts payable, unauthorized cancellation or reduction of accounts receivable, use of company checks to pay personal bills, false expenditures, lapping,1 kiting,2 conversion,3 and continually restating income and expense items.

Purchasing

Dummy suppliers, fictitious purchase orders, overstated prices and kickbacks from vendors, bid rigging, personal work completed by contractors for inflated invoices, and payment of duplicate invoices.

Payroll

Ghost employees on the payroll, increasing hours paid but not worked, increasing salaries without proper authorization, and theft of cash.

Warehousing and

Theft of damaged goods, alteration or elimination of records of accountability, theft of inventory, shipment of product to fictitious customers, falsified customer returns, short-shipment of product, falsification of damaged goods reports, and falsification of raw materials receipts.

Distribution

Manufacturing

Exaggerated breakage reports, understated manufacturing reports, diversion of product, falsified quality assurance reports, acceptance of inferior manufacturing materials for kickbacks, running unauthorized manufacturing shifts and diverting product, unauthorized sale of scrap materials, and theft of tools.

Computer Operations

False vendor/supplier/contractor invoices, false refund or credit claims, altered or eliminated transactions, misdirected electronic funds transfers, and ghost employees on the payroll.

Cashier Operations

Theft of cash, diverting or eliminating cash receipts, also known as “skimming,” and unauthorized or forged vouchers for petty cash.

Other Common Losses

Inflated expense reports, submission of redeemed travel tickets for reimbursement, use of higher-cost travel tickets to increase personal frequent traveler awards, and theft of office supplies.

1. Lapping is the pocketing of small amounts from incoming invoice payments and then applying subsequent payment to cover the

missing cash from the previous invoice, and so on. 2. Kiting is any sort of fraud that involves drawing out money from a bank account that does not have sufficient funds to cover the

check. 3. Conversion is a term used for the receiving of money or property and fraudulently withholding or applying it for one’s own use.

Figure 6-2 Common Targets and Methods of Theft and Fraud

Protection of Assets  Copyright © 2012 by ASIS International

149

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.4 Scope of the Problem

A more complete model for dealing with theft and fraud is shown in Figure 6-3. This model is based on strong collaboration among staff and key stakeholders. Such collaboration requires a clear delineation of roles and responsibilities between security, human resources, legal, communications (both internal and external), facilities management, and affected line managers.

Figure 6-3 Comprehensive Model of Theft and Fraud Prevention, Investigation, and Program Testing

150

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.4 Scope of the Problem

The 10 elements of the comprehensive model are explained below.

Element 1: Prevention Programs These programs are designed to teach management and employees about the nature, types, and most vulnerable areas of losses in the organization. Components of prevention education include the following: x

a process for screening all applicants for past trust violations

x

written policies describing prohibited activities and the actions required if violations are observed

x

setting up shipping, receiving, and warehousing as individual departments

x

specific accountability systems for each vulnerable department (presented to the relevant department manager)

x

a code of business conduct that is communicated to employees, vendors, and customers

x

proper accounting practices that record all the financial transactions of the business

x

a clear separation of duties that limits the accessibility to key information that would allow an accounting individual to make changes in master files without someone knowing it

x

periodic employee communications that include case histories (free of names and certain other details) demonstrating company vulnerabilities and management actions against those who commit theft or fraud

x

theft and fraud prevention training for employees (for example, teaching retail clerks that they can reduce shoplifting by greeting each customer and making eye contact)

x

several clearly communicated avenues for employees to report concerns (for example, to line management, security, internal audit, or an anonymous incident reporting system)

x

frequent audits and security reviews of high-value inventory and operations

Element 2: Incident An indicator of the effectiveness of prevention efforts is the quick and accurate reporting of suspected thefts and fraud. Regardless of a program’s effectiveness, incidents will still occur. The key is to ensure that incidents are reported as soon as they are suspected—perhaps with an anonymous incident reporting system.

Element 3: Incident Reporting Employees should be encouraged to report theft and fraud even without a monetary reward. Fostering a culture of integrity and honesty is the best practice. The most ethical organizations (and the most successful) regularly and passionately reward employees with recognition and gratitude.

Protection of Assets  Copyright © 2012 by ASIS International

151

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.4 Scope of the Problem

Element 4: Investigation Investigations are more successful when investigative roles and responsibilities are clearly defined. Whether conducting an internal compliance investigation, to determine if there is a possible violation of company policy, or an actual internal theft incident, the investigator needs to have clear guidelines on what he or she is expected to accomplish. An investigator’s objective is to obtain information and evidence so that it can be presented in a factual final report so senior management can take appropriate action. The main objective of any preliminary investigation is to determine what crime or violation exists. Under most circumstances internal thefts and fraud investigations are conducted by in-house or private contractors and not by law enforcement. During this investigation the investigators should interview complainants, witnesses, and any suspects, determine whether any evidence is available to support the allegation, and prepare a report of the facts to be presented to senior management or in-house counsel. The investigator may also need the assistance of a financial specialist, such as a CPA, to conduct a fraud audit so that the financial transaction process can be reconstructed to determine how the theft occurred.

Element 5: Action This element refers to taking action based on a fair and impartial review of the facts determined by a thorough investigation. Taking immediate action against theft and fraud perpetrators is one of the strongest deterrents to future losses. If employees clearly understand that their actions may put their jobs at risk and lead to criminal prosecution, only the most determined risk-takers will break the rules.

Element 6: Resolution Resolution of the case may include determining the appropriate discipline for guilty employees, estimating the actual loss, reporting the loss to an insurance carrier, and performing other steps to close the investigation and obtain a recovery. Although discipline and prosecution can be effective deterrents, nothing makes a point like the payment of restitution by the perpetrator. In some instances, perpetrators can be made to pay not only restitution but also the costs associated with the investigation. Even if the perpetrator must pay installments over a long period, recovery of the loss and the cost of the investigation is rewarding.

Element 7: Analysis The concern here is how and why the loss occurred—in other words, the dynamics involved from a human and control standpoint. Keeping in mind that the most common motivation for an individual to commit an internal theft is one of economics or profit, the analysis also has to consider the cost-effective steps that can be taken to prevent recurrences. How much money should be spent on prevention versus the potential loss? In major incidents or recurring patterns of losses, human resources, internal audit, finance, and other staff functions can play a significant role in determining how to prevent future losses. Security professionals should also maintain files detailing the theft or fraud method for future awareness training.

152

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE 6.5 Dangers of Undetected Theft and Fraud

Element 8: Publication Organizations can use newsletters or bulletins to inform employees of incidents and their resolution and show how the security organization provides value to the company. However, naming names and publishing the details of incidents that have not been prosecuted may constitute defamation and could be civilly actionable. A company that intends to publicize the results of an investigation should first obtain the advice of an attorney.

Element 9: Implementation of Controls Additional controls may prevent future thefts. For example, a company might add locking devices on high-value inventory or require more senior authorizations for certain levels of purchase orders. Controls must be cost-effective and based on a solid analysis of the loss. Little is gained if new controls simply add costs or bureaucracy.

Element 10: Compliance Testing and Training The final element consists of periodic testing or auditing for compliance with existing controls, such as reviewing expense accounts. Such testing can be achieved through audits (by internal or external auditors), security reviews by the company’s security department, or, as a last resort, the use of undercover operations.

6.5

DANGERS OF UNDETECTED THEFT AND FRAUD Financial losses due to specific incidents are not the only consequence of undetected theft and fraud. Organizations may become complacent to ongoing losses and even build them into their standards or expectations. For example, companies establish an allowable negative variance between the book count and actual count of various items in stock or inventory. Theft and fraud losses are often hidden in the negative variance and are not discovered because they are below the allowable variance. Over time, this negative variance may grow, presenting the opportunity for significant cumulative losses. In addition, when thefts or frauds go undetected, the victim business cannot recover the loss through insurance or by treating the loss as a tax deduction. Losses also affect employee morale, shareholder value, and public confidence in an organization. Few risks have such far-reaching consequences, yet are so preventable. Given employees’ perceived pressures and their ability to rationalize theft and fraud, losses from these crimes will continue to be significant. Organizations that are unprepared or have not implemented a comprehensive theft and fraud prevention program will incur even greater losses. Security professionals should thus give priority to the prevention of theft and fraud in their overall loss prevention strategy.

Protection of Assets  Copyright © 2012 by ASIS International

153

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

APPENDIX A FLOWCHARTS The following flowcharts suggest controls that can be adopted to discourage dishonesty in a variety of functional areas. They are taken from How to Reduce Embezzlement Losses (New York, NY: Royal-Globe Insurance Company) and are used with permission.

GENERAL

A

BANK DEPOSITS

INCOMING FUNDS FROM ALL SOURCES

RECORD OF FUNDS RECEIVED

CASH AND CHECKS

EMPLOYEE MAKING UP BANK DEPOSIT

RECORD OF DEPOSIT

CASH AND CHECKS

BANK

154

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

DUPLICATE DEPOSIT SLIPS

DUPLICATE DEPOSIT SLIP

EMPLOYEE OPENING INCOMING MAIL

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

GENERAL

B

INCOMING MAIL EMPLOYEE OPENING INCOMING MAIL

C

REMITTANCES

CANCELED CHECKS

RECORD OF REMITTANCES

RECORD OF REMITTANCES

EMPLOYEE MAKING UP BANK DEPOSIT

EMPLOYEE RECONCILING BANK STATEMENT

ACCOUNTS RECEIVABLE DEPARTMENT

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

SECURITIES

SAFE DEPOSIT BOX

ACCESS

OFFICERS HAVING ACCESS TO SECURITIES

EMPLOYEE MAKING UP BANK DEPOSIT

PROCEEDS FROM SALE

LIST OF SECURITIES PURCHASED

CHECK SIGNERS

LIST OF SECURITIES PURCHASED

EMPLOYEE MAINTAINING LIST OF SECURITIES OWNED

EMPLOYEE RECONCILING BANK STATEMENT

PHYSICAL VERIFICATION

LIST OF SECURITIES WITHDRAWN

COPY OF APPROVAL OF SALE

OFFICER CHECKING SECURITIES

Protection of Assets  Copyright © 2012 by ASIS International

COPY OF APPROVAL OF SALE

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

155

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INCOMING FUNDS – GENERAL

A

CENTRAL CASHIER AND CREDIT APPROVAL BY OFFICER CREDIT OR DISCOUNT REQUEST

CUSTOMER

CASH

ORIGINAL SALES FORM

ORDER APPROVAL

CENTRAL CASHIER

COPY OF SALES FORM

SALES CLERK

CASH

COPY OF SALES FORM

COPY OF SALES FORM

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

EMPLOYEE MAKING UP BANK DEPOSIT

APPROVING OFFICER

COPY OF CREDIT SALES FORM

ACCOUNTS RECEIVABLE DEPARTMENT

See Incoming Funds Credit for questions leading to completion of credit portion of this diagram

B

CENTRAL CASHIER BUT NO CREDIT APPROVAL BY OFFICER

CUSTOMER

CASH

ORDER

CENTRAL CASHIER

COPY OF SALES FORM

SALES CLERK

CASH

COPY OF SALES FORM

COPY OF SALES FORM

EMPLOYEE MAKING UP BANK DEPOSIT

156

ORIGINAL SALES FORM

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

COPY OF CREDIT SALES FORM

ACCOUNTS RECEIVABLE DEPARTMENT

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INCOMING FUNDS – GENERAL

C

MAIL ORDERS

CUSTOMER

ORDER

EMPLOYEE OPENING INCOMING MAIL CUSTOMERS REQUEST FOR CREDIT

CASH

APPROVING OFFICER

ORDER SHOWING AS CASH OR CREDIT

EMPLOYEE MAKING UP BANK DEPOSIT

RECORD OF ORDER SHOWING AS CASH OR CREDIT

WRITTEN APPROVAL OF CREDIT REQUEST

ACCOUNTS RECEIVABLE DEPARTMENT

SHIPPING DEPARTMENT

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

See Incoming Funds Credit for questions leading to completion of credit portion of this diagram

D

ADMISSIONS

CASH

TICKET SELLER

CUSTOMER TICKET

TICKET

TICKET COLLECTOR

CASH

VOIDED TICKET

EMPLOYEE MAKING UP BANK DEPOSIT

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

Protection of Assets  Copyright © 2012 by ASIS International

157

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INCOMING FUNDS – RETAIL

A

NO CENTRAL CASHIER BUT CREDIT APPROVAL BY OFFICER CUSTOMER

SALES FORM

CREDIT OR DISCOUNT REQUEST

APPROVING OFFICER

CASH WRITTEN APPROVAL

CASHIER OR SALES CLERK COPIES OF TAPES OR SALES SLIPS CASH

EMPLOYEE “BLEEDING” REGISTERS COPIES OF TAPES OR SALES SLIPS

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

EMPLOYEE MAKING UP BANK DEPOSIT

B

COPIES OF CREDIT SALES SLIP

ACCOUNTS RECEIVABLE DEPARTMENT

COPIES OF CREDIT SALES SLIP

ACCOUNTS RECEIVABLE DEPARTMENT

NO CENTRAL CASHIER OR CREDIT APPROVAL BY OFFICER CUSTOMER

SALES FORM

CASH

CASHIER OR SALES CLERK COPIES OF TAPES OR SALES SLIPS CASH

EMPLOYEE “BLEEDING” REGISTERS COPIES OF TAPES OR SALES SLIPS

EMPLOYEE MAKING UP BANK DEPOSIT

158

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INCOMING FUNDS – CREDIT

A

PAYMENT BY MAIL CUSTOMER

CREDIT REQUEST

REMITTANCE OR COMPLAINT

APPROVING OFFICER

EMPLOYEE OPENING INCOMING MAIL

SHIPPING DEPARTMENT OR SALES CLERK

RECORD OF SALE

BILLING

RECORD OF REMITTANCE

ACCOUNTS RECEIVABLE DEPARTMENT

RECONCILIATION

WRITTEN APPROVAL

OFFICER

COMPLAINT

REMITTANCE

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

EMPLOYEE MAKING UP BANK DEPOSIT

RECONCILIATION

B

PAYMENT IN PERSON CUSTOMER

PAYMENT

EMPLOYEE RECEIVING PAYMENT

RECEIPT

ADVICE OF PAYMENT

COPY OF RECEIPT

PAYMENT

EMPLOYEE MAKING UP BANK DEPOSIT

EMPLOYEE COMPLETING RECEIPT

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

RECONCILIATION

ACCOUNTS RECEIVABLE DEPARTMENT

COMPLAINT AND CREDIT APPROVAL SHOULD REQUIRE SAME PROCEDURES DIAGRAMMED IN (A) ABOVE.

Protection of Assets  Copyright © 2012 by ASIS International

159

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

OUTGOING FUNDS – GENERAL

PURCHASING DEPARTMENT

EVIDENCE OF DEBT

CHECK SIGNERS

EVIDENCE OF DEBT ADVICE OF PAYMENT

ADVICE OF PAYMENT

ACCOUNTS PAYABLE DEPARTMENT

COMPLETED CHECK AND EVIDENCE OF DEBT

EMPLOYEE MAILING CHECKS

CHECK

160

EVIDENCE OF DEBT

PAYEE

EMPLOYEE RECONCILING BANK STATEMENT

CHECK

CANCELED CHECK

BANK

CANCELED CHECK

INITIALED EVIDENCE OF DEBT

EMPLOYEE OPENING INCOMING MAIL

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

OUTGOING FUNDS – PAYROLL

A

CASH

TIME CARDS OR OTHER EMPLOYMENT RECORDS

EMPLOYEE PREPARING PAYROLL LIST

LIST FOR APPROVAL

CHECK SIGNERS

CHECK

EMPLOYEE CASHING CHECK

CHECK

BANK CASH

CASH

COPY OF LIST

EMPLOYEE DISTRIBUTING PAYROLL

CANCELED CHECK

CASH

ALL EMPLOYEES EMPLOYEE RECONCILING BANK ACCOUNT STATEMENT

B

CANCELED CHECK

EMPLOYEE OPENING INCOMING MAIL

CHECK

TIME CARDS OR OTHER EMPLOYMENT RECORDS

EMPLOYEE PREPARING PAYROLL LIST

LIST FOR APPROVAL

CHECK SIGNERS CHECKS COPY OF LIST

EMPLOYEE DISTRIBUTING PAYROLL CHECKS

ALL EMPLOYEES

CHECKS

BANK

CANCELED CHECKS

EMPLOYEE RECONCILING BANK STATEMENT

Protection of Assets  Copyright © 2012 by ASIS International

CANCELED CHECKS

EMPLOYEE OPENING INCOMING MAIL

161

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

OUTGOING FUNDS – PETTY CASH

PERSON TO WHOM EXPENDITURE IS MADE

CASH

VOUCHERS OR RECEIPTS

EMPLOYEE AUTHORIZING DISBURSEMENT

AUTHORIZATION

EMPLOYEE DISBURSING PETTY CASH

COPY OF AUTHORIZATION

BANK

CHECK

RECONCILIATION REQUEST FOR OF PETTY CASH REPLENISHMENT WITH RECORDS

EMPLOYEE CHECKING PETTY CASH

CASH CHECK

CANCELED CHECK

REQUEST FOR REPLENISHMENT

CHECK SIGNERS

COPY OF AUTHORIZATION

EMPLOYEE RECONCILING BANK STATEMENT

162

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INVENTORY – PURCHASING

EMPLOYEE MAKING REQUEST

REQUEST

PURCHASING DEPARTMENT

COPY OF PURCHASE ORDER

PURCHASE ORDER

SUPPLIER

COPY OF PURCHASE ORDER (Quantity Omitted) MERCHANDISE NOTIFICATION OF RECEIPT OF MERCHANDISE

ACCOUNTS PAYABLE DEPARTMENT

RECEIVING DEPARTMENT

Protection of Assets  Copyright © 2012 by ASIS International

163

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INVENTORY – RECEIVING A

RECEIPT OF ORDERED MERCHANDISE PURCHASING DEPARTMENT COPY OF PURCHASE ORDER

NOTIFICATION OF RECEIPT OF MERCHANDISE

NOTIFICATION OF RECEIPT OF MERCHANDISE

RECEIVING DEPARTMENT

B

ACCOUNTS PAYABLE DEPARTMENT

REFUNDS CUSTOMER MERCHANDISE

EMPLOYEE AUTHORIZING REFUNDS

CHECK

COPY OF AUTHORIZATION

COPY OF AUTHORIZATION (CREDIT ONLY)

CHECK SIGNERS

MERCHANDISE

ADVICES OF REFUND

ACCOUNTS RECEIVABLE DEPARTMENT

RECEIVING DEPARTMENT

NOTIFICATION OF RECEIPT OF MERCHANDISE RECONCILATION (CREDIT ONLY)

PERPETUAL INVENTORY PERSONNEL

C

EMPLOYEE RECONCILING BANK STATEMENT

WAREHOUSE RECEIPTS - ISSUANCE

EMPLOYEE CONTROLLING UNISSUED WAREHOUSE RECEIPTS

REQUEST FOR WAREHOUSE RECEIPT WAREHOUSE RECEIPT

SIGNED COPY OF WAREHOUSE RECEIPT

PERPETUAL INVENTORY PERSONNEL

164

RECONCILATION (CASH ONLY)

EMPLOYEE ISSUING WAREHOUSE RECEIPTS

WAREHOUSE RECEIPT

REQUEST FOR WAREHOUSE RECEIPT

CUSTOMER

MERCHANDISE

RECEIVING DEPARTMENT

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INVENTORY – STOCK IN STORAGE AND WITHDRAWALS

A

INVENTORY AND WITHDRAWAL PROCEDURES

EMPLOYEE TAKING INVENTORY

COPY OF INVENTORY

PHYSICAL INVENTORY PROCEDURE

REQUEST FOR WITHDRAWAL

INVENTORY STORAGE

B

REQUEST FOR WITHDRAWAL MERCHANDISE

PERPETUAL INVENTORY PERSONNEL

COPY OF REQUEST FOR WITHDRAWAL

ALL DEPARTMENTS

WAREHOUSE RECEIPTS - REDEMPTION

OFFICER

WAREHOUSE RECEIPT

HOLDER OF WAREHOUSE RECEIPT

CANCELED WAREHOUSE RECEIPT

WRITTEN AUTHORIZATION

MERCHANDISE

PERPETUAL INVENTORY PERSONNEL

ADVICE OF RELEASE OF MERCHANDISE

INVENTORY STORAGE

Protection of Assets  Copyright © 2012 by ASIS International

165

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INVENTORY – MANUFACTURED GOODS

EMPLOYEE TAKING INVENTORY

INVENTORY PROCEDURE

DEPARTMENT A

FORWARDED MERCHANDISE

INVENTORY PROCEDURE

DEPARTMENT B

INVENTORY PROCEDURE

FORWARDED MERCHANDISE

DEPARTMENT C

COPIES OF FORMS SHOWING FORWARDED MERCHANDISE

EMPLOYEE HAVING NO ACCESS TO INVENTORY

RECORDS OF WITHDRAWALS, SCRAP MATERIALS AND INVENTORY FOR RECONCILIATION

166

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

INVENTORY – SHIPPING

A

DELIVERIES TO CUSTOMER CUSTOMER

ORDER

RETURNED MERCHANDISE

SALES PERSONNEL

MERCHANDISE

ORDER

SHIPPING DEPARTMENT RECORD OF SHIPMENT

ACCOUNTS RECEIVABLE DEPARTMENT

LIST OF LOADED AND RETURNED MERCHANDISE

PERPETUAL INVENTORY PERSONNEL

RECONCILIATION OF RECORDS

RECORD OF RECORD OF RETURNED RETURNED MERCHANDISE MERCHANDISE

INVENTORY STORAGE AREA

B

DELIVERY MEDIUM

MERCHANDISE

RETURNED MERCHANDISE

DELIVERY RECEIPTS

LIST OF RETURNED MERCHANDISE

EMPLOYEE CHECKING RETURNED MERCHANDISE

RETURNS TO SUPPLIERS SHIPPING DEPARTMENT

RETURNED MERCHANDISE

DELIVERY MEDIUM

RETURNED MERCHANDISE

SUPPLIER

RECORD OF SHIPMENT

ACCOUNTS PAYABLE DEPARTMENT

RECONCILIATION

PERPETUAL INVENTORY PERSONNEL

Protection of Assets  Copyright © 2012 by ASIS International

167

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

OUTSIDE EMPLOYEES

A

SALESMAN

CUSTOMER

CREDIT REQUEST

SALESMAN

ORDER

OFFICER APPROVING CREDIT

PAYMENT

EMPLOYEE OPENING INCOMING MAIL

COPY OF ORDER

COPY OF ORDER (CREDIT)

COPY OF CREDIT APPROVAL

COPY OF ORDER

RECORD OF PAYMENT

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

ACCOUNTS RECEIVABLE DEPARTMENT SHIPPING DEPARTMENT

RECONCILIATION PAYMENT

EMPLOYEE MAKING UP BANK DEPOSIT

B

COLLECTOR

ACCOUNTS RECEIVABLE DEPARTMENT

SPOT CHECK VERIFICATION

COLLECTIONS TO BE MADE

PAYMENT

COLLECTOR RECORD OF COLLECTIONS

COLLECTION REQUEST

EMPLOYEE MAKING UP BANK DEPOSIT

PAYMENT

CUSTOMER RECORD OF COLLECTION

RECONCILATION

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

168

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

C

SALESMAN - COLLECTOR - DELIVERYMAN

OFFICER APPROVING CREDIT

EMPLOYEE CHECKING LOADED AND RETURNED MERCHANDISE

ADVICE OF CREDIT APPROVAL

S-C-D

ACCOUNTS RECEIVABLE DEPARTMENT

LOADED MERCHANDISE RETURNED MERCHANDISE AND SALES FORMS

LIST OF LOADED & RETURNED MERCHANDISE SALES FORMS

ADVICE OF CREDIT APPROVAL

LIST OF LOADED & RETURNED MERCHANDISE

PERPETUAL INVENTORY PERSONNEL

CASH

EMPLOYEE MAKING UP BANK DEPOSITS

ADVICE OF ITEMS DELIVERED ON CREDIT

EMPLOYEE RECONCILING DEPOSIT AND INCOMING FUNDS RECORDS

Protection of Assets  Copyright © 2012 by ASIS International

169

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix A: Flowcharts

RETAIL – MISCELLANEOUS

A

COUPONS

CASHIER

COUPONS

COUPONS

LOCKED BOX

COUPONS RECORD OF VALUE OF COUPONS

RECORD OF VALUE OF COUPONS

ACCOUNTS RECEIVABLE DEPARTMENT

B

RECONCILIATION

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

ADVICE OF COUPONS ON HAND

EMPLOYEE CHECKING COUPONS

ADVICE OF COUPONS ON HAND

EMPLOYEE SENDING COUPONS TO SUPPLIERS

EMPLOYEE COLLECTING COUPONS

COUPONS

SAFE

PHYSICAL COUNT

COUPONS

TRADING STAMPS EMPLOYEE OPENING INCOMING MAIL TRADING STAMPS

RECEIVING DEPARTMENT

TRADING STAMPS

SAFE

PHYSICAL COUNT

EMPLOYEE CHECKING TRADING STAMPS

RECORD OF PHYSICAL COUNT

PERPETUAL INVENTORY PERSONNEL

170

RECONCILIATION

EMPLOYEE RECONCILING DEPOSIT RECORDS AND INCOMING FUNDS RECORDS

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix B: 50 Honest Truths About Employee Dishonesty

APPENDIX B 50 HONEST TRUTHS ABOUT EMPLOYEE DISHONESTY The following was developed by Steven Kirby, CFE, Kirby and Associates, and is used with permission.

THE EMPLOYEE AND YOUR COMPANY 1. Employers can create an atmosphere that fosters honesty—or dishonesty—by the way they conduct business. 2. If you ask an employee to steal for you, don’t be surprised when he steals from you. 3. Theft is the ultimate sign of employee disrespect towards you and your organization. That disrespect is usually predictable, based upon prior behavior. 4. Employees involved in theft have usually been involved in other prior misconduct at the company. 5. Employee theft is far more costly to the organization than just the value of the goods stolen. 6. The employee who steals is more insidious than the outsider because that employee violated your trust. 7. No employee who steals is a “good employee”—no matter how hard he or she otherwise works. 8. Tenure is not an insurance against theft.

PSYCHOLOGY OF EMPLOYEE THEFT 9. Need and opportunity are critical elements for theft to occur. 10. Need can be very superficial and at times difficult to understand. 11. An employee’s ethical makeup will temper the temptation to steal. 12. Virtually every employee who steals has rationalized his or her dishonesty. 13. Most employees wouldn’t steal if they couldn’t rationalize. 14. Employees who steal believe that everyone steals and that most steal more than they do, no matter how much they have actually stolen.

Protection of Assets  Copyright © 2012 by ASIS International

171

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix B: 50 Honest Truths About Employee Dishonesty

15. Employees who steal from you do not consider themselves dishonest. They prefer to think you are somehow responsible. 16. A thief learns to lie before he learns to steal.

TOLERANCE OF THEFT 17. No theft, no matter how minor, should be tolerated or ignored. 18. Theft is like a cancer—if left untreated it will continue to grow and spread. 19. Employees who know of unreported theft are as bad as the thief. 20. Very unfortunately, most employees mistake kindness for weakness. 21. Most employees appreciate a second chance—to steal from you again.

DETECTION AND PREVENTION 22. No one ever gets caught the first time. 23. The employee who is closest to the loss (that is the one with the most access) is usually the one who did it. 24. Be careful of the employee who discovered the loss. 25. When the person’s explanation sounds suspicious, be suspicious. 26. Your so-called sixth sense is usually pretty accurate (it’s actually a consolidation of all your senses), so trust it. 27. Employees who deny guilt, but are willing to make restitution, are guilty. 28. When a number of employees suspect one person, there’s usually a pretty good reason.

CONTROLS OVER THEFT 29. Virtually every theft or fraud could have been prevented by better management. 30. Nothing you own is immune from theft, and no business is theft- or fraud-proof. 31. Most businesses are loath to install controls to prevent theft and fraud; the failure to do so is itself a result of rationalization and denial. 32. For some reason, companies are more eager to detect theft after the fact than to prevent it from happening, even though it is much cheaper to prevent it in the first place.

172

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE Appendix B: 50 Honest Truths About Employee Dishonesty

33. The best way to avoid employee theft is not to hire a thief. 34. The best way not to hire a thief is to investigate a potential employee’s background. 35. If a person has stolen from a previous employer, is it reasonable thinking he won’t steal from you? 36. Constant and eclectic vigilance is required to prevent theft; there is no silver bullet. 37. Isolating the responsibility is a critical theft prevention concept. 38. Never let an employee be his or her own check and balance. 39. Asset protection is in everyone’s job description. 40. Effective security measures are not oppressive or burdensome. They go with the flow of operation. 41. Asset protection is an insurance. The cost should be weighed against the risk.

CRIME AND PUNISHMENT 42. There is no perfect resolution. Each case must be considered independently for the most just and intelligent disposition. 43. You cannot rely on the criminal justice system to protect your assets, investigate theft, or bring the culprit to justice. 44. The deterrent effect of any punishment is far shorter than you can imagine. 45. If you want to understand the physics of a black hole, bring your employee theft or fraud case to the typical big city court. 46. The employee who says he is sorry usually is—sorry to have been caught. 47. The employee who is remorseful today will be spiteful tomorrow. 48. If the only punishment the employee receives is termination, the proceeds of his theft are his golden parachute. 49. If the dishonest employee offers to resign, accept it and avoid the urge to be vindictive. 50. Of the three “shuns” (termination, prosecution, and restitution), restitution, while the most difficult, does the victim the most good.

Protection of Assets  Copyright © 2012 by ASIS International

173

THEFT AND FRAUD PREVENTION IN THE WORKPLACE References/Additional Reading

REFERENCES Albrecht. W. S., McDermott, E. A., & Williams, T. L. (1994, February). How companies can reduce the cost of fraud. The Internal Auditor, pp. 28–34. Association of Certified Fraud Examiners. (2004). Report to the Nation 2004. Available: http:// www.acfe.com/documents/2004RttN.pdf [2006, October 17]. Bologna, J., & Shaw, P. (1996). Corporate crime investigation. Boston: Butterworth-Heinemann. Hollinger, R. C., & Clark, J. P. (1982). Formal and social controls of employee deviance. Sociological Quarterly, 23, 333–343. Ferraro, E. F. (2006). Investigations in the workplace. New York, NY: Auerbach Publications. KPMG International. (2003). KPMG forensic fraud survey 2003. Available: http://www.kpmg.com/ aci/surveys.asp#fraud03 (2006, January 12]. Hart, K. M. (2004). Employee theft. Posted on New Jersey Law Blog. Available: http://www. njlawblog.com/corporate-investigations-white-collar-employee-theft.html [2006, September 12]. Shoplifters Alternative. (2002). 2002 shoplifters survey. Jericho, NY: National Association for Shoplifting Prevention. Wells, J. T. (1997). Occupational fraud and abuse. Austin, TX: Obsidian Publishing.

ADDITIONAL READING Albrecht, W. S., Romney, M. B., Cherrington, D. J., et al. (1982). How to detect and prevent business fraud. Englewood Cliffs, NJ: Prentice-Hall. Albrecht, W. S., Wernz, G., & Williams, T. L. (1995). Fraud: Bringing light to the dark side of business. Burr Ridge, IL: Irwin Professional Publishing Co. Bettencourt, K. C. (1990). Theft and drugs in the workplace. Saratoga, CA: R&E Publishers. rd

Fennelly, L. J. (1996). Handbook of loss prevention and crime prevention (3 ed.). Woburn, MA: Butterworth-Heinemann. Ferraro, E. F. (2000). Undercover investigations in the workplace. Woburn, MA: ButterworthHeinemann. th

Fischer, R. J., & Green, G. (1998). Introduction to security (6 ed.). Woburn, MA: ButterworthHeinemann.

174

Protection of Assets  Copyright © 2012 by ASIS International

THEFT AND FRAUD PREVENTION IN THE WORKPLACE References/Additional Reading

Green, G. S. (1996). Occupational crime. Chicago: Burnham, Inc. Healy, R., & Walsh, T. J. (1981). Principles of security management. New Rochelle, NY: Professional Publications. nd

Rusting, R. R. (1987). Theft in hospitals and nursing homes (2 ed.). Port Washington, NY: Rusting Publications. Snyder, N. H., Broome, O. W., Kehoe, W. J., Mcintyre, J. T., Jr., & Blair, K. E. (1991). Reducing employee theft. New York, NY: Quorum Books.

Protection of Assets  Copyright © 2012 by ASIS International

175

CHAPTER 7 PRIVATE POLICING IN PUBLIC ENVIRONMENTS

7.1

INTRODUCTION This chapter examines private security operations in the public realm. Specifically, that realm includes streets, municipal parks, business districts, residential communities, and other areas frequented by the public without any meaningful access restrictions. The public realm also includes critical infrastructures. The areas discussed are also routinely patrolled by municipal police departments. Private policing in public environments raises a number of important considerations, including political, operational, legal, ethical, and societal implications. A few caveats are in order: x

First, this work in no way advocates the elimination, or even the diminishment, of public policing agencies. Indeed, it illustrates that the expansion of security personnel into the public realm is due to forces outside the control of policing agencies. The growth of private police is not a reflection of poor public policing.

x

Second, the use of private police is designed to supplement already overworked, and often understaffed, law enforcement agencies. The work of public and private police should be viewed as a division of labor.

x

Third, private policing has certain market-based benefits compared to governmentbased policing. The widespread introduction of private police serves the interests of more highly trained law enforcement officers, as well as the community—or the client—they serve.

Protection of Assets  Copyright © 2012 by ASIS International

177

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

A way to conceptualize this arrangement is to view it in light of other professions. Perhaps three decades ago, the introduction of paralegals and paramedics created controversy in their respective professions. The legal bar worried about lowering the value of the licensed attorney. Doctors worried about the quality of medical services their clients would receive from medical paraprofessionals. Today, however, the importance of paraprofessionals in those fields is self-evident. In this sense, private police can be considered “para-police” (McLeod, 2002). As security professionals know, the provision of security and public safety services is not the exclusive domain of government. Indeed, the majority of persons charged with security and public safety services are employed by private firms. Of course, this does not minimize the substantial role that public police officers contribute to public safety. The point is that security and public safety are not exclusive to government. Though commonly accepted within the security profession, the introduction of private police into the public domain may cause some people concern or even alarm. This is understandable, particularly in Western countries. Most contemporary observers view police agencies as “normal,” as if their use was the natural state of law enforcement. It is not. Public policing is a rather new phenomenon. When the first police department was organized by Sir Robert Peel in London in 1829, many people viewed that change with concern or alarm. The introduction of private policing can be viewed as going back to the future, in which private citizens contribute more time and effort to the safety and security of their communities.

7.1.1

HISTORICAL PERSPECTIVES The history of policing can be summarized in terms of one overriding human need: survival. The security of the individual, the family, the community, and the nation state are all tied to this basic need. Indeed, in his famous hierarchy of needs, Abraham Maslow classifies security as a second tier need, just above food, clothing, and shelter (Robbins, 2003; Pastor, 2006). Given the importance of security, it is understandable that people have developed various mechanisms to gain it. For centuries, people in the community acted as “security” within the community. The job of security was not even a job. There was no police department to call. Instead, it was the duty of all able-bodied men to protect their homes and their community (Pastor, 2003). Thus, the people acted in self-defense or in defense of their community. Viewed in this manner, security has historically been the province of the people. This assertion was even reflected in one of Peel’s guiding principles: the people are the police, the police are the people (Oliver, 2004; Pastor, 2006).

178

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

Before the formation of public policing agencies, self-help and self-protection were considered the foundations of law enforcement and public order (Pastor, 2003; Nemeth, 1989; Shearing & Stenning, 1983). Kings were primarily concerned with conducting warfare, not enforcing domestic tranquility. That arrangement changed when the enforcement of the law—or, in broader terms, the justice process—was seen as a cash cow (Pastor, 2003; Reynolds, 1994; Benson, 1990). This realization facilitated the expansion of government’s role into the internal justice process through the expansion of the king’s peace. The king’s peace, in essence, equated to law and order (Pastor, 2006). As the power of the king evolved, many offenses previously regarded as intentional torts (wrongs subject to civil tort law) became crimes against the king’s peace (Pastor, 2003; Johnston, 1992). The change from a tort-centered to a crime-centered system inevitably affected people who were to be compensated for the injury caused by the act (i.e., tort or crime). Often victims desired crimes to be viewed as civil torts so they could collect financial compensation (Pastor, 2003). Conversely, the king had an incentive to declare an act a crime in order to derive a financial benefit. If the act was declared a crime, the king could confiscate the criminal’s property and inflict corporal or capital punishment (Johnston, 1992). With these incentives, over time arson, robbery, murder, and other felonious and violent actions were declared to be crimes (Reynolds, 1994). The ever-increasing expansion of the criminal law was not without justification. Some believed it would reduce retribution by private citizens, as well as provide legitimate sanctions by the government (Pastor, 2003; Nemeth, 1989; Benson, 1990). State sanctioning of criminals removed the need for the victim (or his or her family) to retaliate against the offender. Instead, the state (or king) would avenge the harm done to the victim on behalf of all the people. In return, crime prevention and control was also transferred to the king. Many citizens were happy to transfer this duty because the costs, resources, and efforts previously devoted to crime prevention and control would also transfer to the king (Pastor, 2003; Reynolds, 1994). Notwithstanding this gradual transfer of retributive authority to the throne, the burden of law and order rested on the citizenry for a large part of recorded history. To accomplish crime control, towns were protected by citizens through the use of the “hue and cry” (Pastor, 2003; Nemeth, 1989). Hue and cry was a call to order. When a hue and cry went out, able-bodied men would lend assistance against criminals or criminal acts. This ancient system of crime protection is remarkably similar to the “observe and report” function of private security, absent the pursuit and capture of the criminal (Pastor, 2003). The underlying purpose of observing and reporting is that the security officer should act as a deterrent to crime. If a crime is observed, the security officer should gather information about the criminal and the crime and then immediately report such to the public police. This is deemed as being the eyes and ears of the police (Pastor, 2003).

Protection of Assets  Copyright © 2012 by ASIS International

179

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

Over time, a more defined crime control system was established. This system, known as “watch and ward,” was administered by “shire reeves,” who were appointed by the king (Pastor, 2003; Nemeth, 1989). The shire reeves appointed constables to deal with various legal matters. Both the shire reeve (later shortened to sheriff) and the constable became the forerunners of modern sworn law enforcement officers (Pastor, 2003; Nemeth, 1989). This system furthered the legitimacy of public officers in crime prevention and control with the appointment of individuals directly accountable to the king (Pastor, 2006). The emergence of public police was not without problems and detractors. Some argued that a full-time police force was too expensive. Obviously, the traditional sheriff-watch method was much cheaper since much of this protection involved unpaid private citizens (Warner, 1968; Pastor, 2006). Other concerns came from a deeper level, relating to philosophical or political arguments against government having a monopoly on policing (Pastor, 2003; Johnston, 1992; Miller, 1977). The typical criticism centered on fears of excessive police power (Miller, 1977). To those with this mindset, the cop on the beat represented an “ominous intrusion upon civil liberty” (Miller, 1977). To others, the desire for security overrode esoteric constitutional provisions. The tension was between the need for security and the desire to maintain constitutional protections. This same concern is often echoed today relative to public policing and by some who oppose private policing (Pastor, 2003). Finally, the notion of sovereignty was a powerful argument in favor of municipal policing agencies. Since the medieval period, there has been a gradual tendency to limit the use of power or coercion. It was widely believed that the “eye for an eye” retribution standards caused much violence, if only in response to the initial violent act. Notwithstanding the potential for deterrence, or even the justification of retribution, the notion that government should be the exclusive arbitrator of violence had compelling logic. With this viewpoint, government was in charge of retribution and attempted to limit the use of violence by private individuals. In turn, government was increasingly saddled with the burden of controlling crime and capturing and punishing criminals (Pastor, 2006). As is illustrated by this brief historical perspective, private policing in public environments is not new. It is a variation of an age-old principle: security is the province of the people. In contemporary times, “the people” typically pay others for protection. Citizens pay taxes for municipal policing, and clients pay contracted fees for security services from firms (Pastor, 2006). Both of these methods are contemporary norms. However, a new dynamic is developing. When citizens hire security firms for protection within the public realm, the approach reflects the “watch and ward” system common in historical times. A key question follows from that approach: Is it appropriate for clients, who are citizens of a governmental entity, to pay a private firm for public safety services? Stated another way, if public police cannot or will not provide for one’s personal protection, is it wrong to pay a security firm to do so? No reasonable person should deny this right of self-defense.

180

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

Consequently, private policing is justified on historical and philosophical precepts. It is an appropriate response to current socioeconomic, political, and policing operational factors facing most countries, especially Western societies.

7.1.2

CONCEPTUAL PERSPECTIVES When one considers the provision of public safety and security services, it is useful to think in terms of location and provision. As Figure 7-1 shows, location may be private or public, and provision is either a substitute or a supplement.

P R O V I S I O N

L O C A T I O N

Substitute x

Corporate security

x x x

Corporate campuses College campuses Gated communities

x x

Reminderville, Ohio Sussex, New Jersey

x x x x

Marquette Park Starrett City Grand Central Center City District

Private

Public

Supplement

Copyrighted by James F. Pastor, 2005. Used with permission.

Figure 7-1 Provision In the Private/Substitute cell, the typical provision is that security personnel, either contract or proprietary, provide the majority (if not all) of the security services. This does not mean that public police officers do not or cannot enter into these private facilities and properties. It simply means that public police do not routinely enter or patrol there. For example, public police typically do not stand guard at the entrance to a manufacturing plant. Of course, if a crime occurs, law enforcement personnel are often called to the private property. The cell is not a complete substitute; however, it is largely a substitute, and for some firms it may be an almost exclusive substitute. Consequently, this cell represents the norm in the security industry. In the Public/Substitute cell, the examples are the towns of Reminderville, Ohio, and Sussex, New Jersey, which fired their police officers and hired security personnel in their place. The

Protection of Assets  Copyright © 2012 by ASIS International

181

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

security officers patrolled the town, answered calls for service, took reports, and made arrests. The private security personnel acted as a substitute for the public police. These services were provided within the public domain as if the security officers were the police. These highly unusual and controversial substitute arraignments were terminated after a short period. Too many problematic issues are tied to such arrangements. The last two cells, Private/Supplement and Public/Supplement, are the growth environments for the security industry. In these cells, the focus is on supplementing or enhancing the public safety already provided by policing agencies. For example, college campuses often feature undefined or loosely defined boundaries between themselves and the larger community. Since university or campus police are often vested with police powers, they can conduct themselves and make arrests as do municipal police officers. Although the police powers may be derived from government, if these university or campus police officers are employed by a security firm, then this is an illustration of private policing. An even more common and clear example occurs within gated residential communities and on corporate campuses. In these environments, the typical provision of security services is from private firms. As in the Private/Substitute cell, there is overlap between the service provision of public and private entities. The overlap is much more pronounced in the Private/Supplement cell. There the public police may regularly or semi-regularly patrol the gated community or a college or corporate campus. The involvement of public police in these areas is usually more than in the Private/Substitute areas but substantially less than in public streets, parks, and the like (i.e., in the public realm). The provision of security services by private firms in this cell (Private/Supplement) is already extensive. The Public/Supplement cell, then, is the focus of this chapter. It is there that the greatest opportunities for the security industry exist. This is also where most of the problems and pitfalls reside. The prospect for private policing is likely to grow substantially. Factors driving this growth include the following: x

economic and operational issues

x

crime (fear of crime) and terrorism

x

order maintenance

Each factor increases the need for private policing in public environments. Many countries in Europe, such as England and Sweden, are well into this transformation. For example, Project Griffin, a program of London’s Metropolitan Police Service and the City of London Police, has three components: training, communications, and the deployment of security officers in the event of a major incident. The training is provided to security officers by the

182

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

police. The communication methods include a “bridge call” every week, where the police intelligence bureau updates security managers on current threats, recent crime trends, and upcoming events. Deployment of security officers alongside police will occur in the event of a major incident. To date, about 500 security officers have been trained for this deployment. (More information is available at http://www.met.police.uk/projectgriffin and http://www. cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin.) Another European example was pioneered by the Sweden-based security firm Securitas, which has provided a “time share” service to residential and commercial clients. This concept provides patrol and other security services to numerous clients, who each pay a proportionate share of the costs. In essence, the time share concept is similar to buying a fractional share of a condo unit and gaining the right to use the unit for a proportionate period per calendar year. This service is provided in public places in various European locations, including Trondheim, Norway, where Securitas security officers patrol a business district. The use of private security personnel to provide services within public areas is illustrative of a new policing model, which may be called public safety policing. This model is a blend of public and private entities with a defined delegation of duties or functions. These duties or functions can be considered a division of labor (Bayley & Shearing, 2001). This division of labor should include a structural component that enables the entities to blend the delivery of public safety services through operational and administrative processes.

7.1.3

PUBLIC/PRIVATE PARTNERSHIPS AND STATISTICS For several decades, there has been a growing movement to foster better relations between law enforcement and the security industry. Many of these relationships have been built on individuals moving from one profession (usually law enforcement) to the other profession (usually the security industry). Over time, many meaningful professional relationships developed as individuals interacted with their counterparts in the other industry. Still, many people from both entities sensed that more formalized relations were necessary to cope with growing crime and public safety concerns. The Law Enforcement Liaison Council (LELC) and Private Security Services Council of ASIS International, along with the Private Sector Liaison Committee of the International Association of Chiefs of Police (IACP) and other significant associations, have set the stage for this transformation. Innovations like Operation Cooperation have been instrumental in this development. Operation Cooperation is, in essence, a goal and a program. Its goal is to communicate certain partnership models, where security and police work together to combat crime and deliver public safety services. From a programmatic perspective, a group of law enforcement and

Protection of Assets  Copyright © 2012 by ASIS International

183

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

security organizations together published a document, titled Operation Cooperation, that outlines the history of public/private partnerships and advocates future cooperative work. This professionally developed document describes some of the most effective public-private policing partnerships. These include the Business/Law Enforcement Alliance (BLEA) in California, the Area Police-Private Security Liaison Program (APPL) in New York City (now NYPD Shield), and the Downtown Detroit Security Executive Council (DDSEC) in Michigan (Operation Cooperation, 2000). These models act as a template from which additional partnerships can be developed. The cause of law enforcement–private security partnerships gained additional support more recently when the Office of Community Oriented Policing Services, U.S. Department of Justice, funded production of three valuable resources: a video detailing successful partnerships, Law Enforcement & Private Security: On the Job Together (2008); a major guide called Operation Partnership: Trends and Practices in Law Enforcement and Private Security Collaborations (2009); and a free, one-hour e-learning course on forming such partnerships, Team Up: Action Planner for Police-Security Partnerships (2010). All three resources are available online. The time has come to institutionalize coordination and cooperation between security and police personnel through structural and contractual relationships. The value of partnerships is limited unless more concrete ties are developed between private security and public police. Personal relationships can be fickle, and existing partnerships have not completely broken down the barriers between the two groups of professionals. Attitudes and histories often die hard, but the insidious motivations of terrorists necessitate the acceleration of structural cooperation between security and policing (Simeone, 2006). The details of future relationships have yet to be articulated, but enhanced structural coordination would not be possible without the tireless efforts of the professionals who developed and built foundational partnerships. The transition from a partnership model to a structural model can be illustrated by various statistical trends. For example, as a consequence of the September 11, 2001, terrorist attacks, certain security firms predicted revenue growth in the range of 10 to 12 percent per year (Perez, 2002). In September 2001, there were 104,000 security officers in New York City. By October 2003, the number of security officers had risen to 127,006 (National Policy Summit, 2004). This level of growth is not atypical in the security industry. For example, in England there are now about 333,600 security personnel, compared to only 150,000 in 1996 (Sarre, 2005). In South Africa, private security personnel outnumber public police by a ratio of 5 to 1 (Sarre, 2005). In addition, statistics in continental Europe reveal a substantial presence of security personnel. Recent estimates reveal that there are approximately 530,000 security personnel, Germany having the most (Prenzler, 2005). Similarly, Australia witnessed an

184

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

increase in security personnel from 22,975 in 1986 to 34,854 in 2001, a 52 percent increase, while police experienced only a 19 percent increase during the same period (Prenzler, 2005). The growth of private security can be illustrated by two huge international firms that dominate the security industry. Securitas had revenues of $5.8 billion with a net income of $115.2 million in 2001 (Perez, 2002). Its revenues increased to $6.6 billion in 2005. The firm employs 220,000 people worldwide, with 124,000 in the United States. Since 9/11, it has hired about 10,000 more guards to serve U.S. accounts (Perez, 2002). Similarly, Group 4 Securicor, a Danish firm, had 2001 revenues of $2.81 billion, with a net income of $3.7 million (Perez, 2002). This firm employs 58,000 guards worldwide, with 38,000 in the United States, of which about 3-5 percent are directly attributable to 9/11 (Perez, 2002). In 2005, Securicor had revenues of $4.13 billion dollars, employed 50,500 employees in the United States, and had about 400,000 full- and part-time employees worldwide. Those in the security industry are well acquainted with the Hallcrest reports (see Cunningham et al., 1991). These reports sought to compare the U.S. security industry to public law enforcement quantitatively. The data revealed that security personnel greatly outnumber police officers (Pastor, 2003). More recent census data show that the number of full-time sworn police personnel is estimated at 796,518. In comparison, security industry estimates suggest that more than 2 million people were employed by security firms in 2000 (Zielinski, 1999). Whatever the exact numbers, the difference between the fields is so great that some argue private security is now the primary protective resource in the United States (Bailin, 2000; Cunningham et al., 1991). The ratio of public police officers to reported crimes has seen an even greater change. In the 1960s, there were about 3.3 public police officers for every violent crime reported. By 1993, the numbers had reversed, and there were 3.47 violent crimes reported for every public police officer (Walinsky, 1993). Thus, each public police officer in the 1990s had to deal with more than 10 times as many violent crimes as a police officer in the 1960s (Walinsky, 1993; Pastor, 2003). Walinsky notes that to return to the 1960s ratio of police to violent crimes, about 5 million new public police officers would have to be hired by local governments (1993). That will not occur. Indeed, what did occur during this time frame was an explosive growth of the security industry (Cunningham et al., 1991). Data from the U.S. Department of Justice suggest that the cost of public policing increased from $441 million in 1968 to about $10 billion in 1994. This represents a 2,100 percent increase in the cost of public policing, while the number of violent crimes rose 560 percent from 1960 to 1992 (Walinsky, 1993). As crime rates increased, the monies used to combat crime also dramatically increased. The Justice Department reported approximately 1,383,000 violent crimes in 2003 (475.8 per 100,000 population) and 1,367,000 in 2004 (465.5 per

Protection of Assets  Copyright © 2012 by ASIS International

185

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.1 Introduction

100,000 residents). These data reflect a generalized decrease in crime rates within the U.S. in the past decade. Some authors attribute this reduction of crime rates, at least in part, to the growth of private security (Davis & Dadush, 2000), though the proposition is debatable. A related question is whether any additional spending on public policing would result in a further reduction. Based on this short historical and statistical overview, the answer appears to be negative. The impact of security may even be more substantial than the data suggest. Indeed, the growth of the security industry can be viewed by its involvement in businesses, homes, and communities throughout the country (Pastor, 2003; Zielinski, 1999; Carlson, 1995; Goldberg, 1994). This involvement includes such diverse services as alarm systems, security guard services, and investigative and consulting services. The growth of such services caused one observer to note, “We are witnessing a fundamental shift in the area of public safety. It’s not a loss of confidence in the police, but a desire to have more police” (Tolchin, 1985). Indeed, th today’s security industry is being compared to public policing in the mid-19 century. One security firm owner stated, “This is a significant time for the private security industry. People are just beginning to realize its potential. I see private security much like what public law enforcement was in the 1850s” (Spencer, 1997). This assertion seems even more relevant in the face of terrorism. Consequently, some see private policing as the “wave of the future” (Goldberg, 1994; Benson, 1990). Numerous authors argue that there is a need for more police, or at least more protective services (Dilulio, 1995; Walinsky, 1993; Cunningham et al., 1990; Spitzer & Scull, 1977; Benson, 1990; Clotfelter, 1977; West, 1993; Seamon, 1995). Other authors are more critical of the ability of the public police to provide an appropriate level of protection (Benson, 1990; McLeod, 2002). Either way, another author observed, “People want protection, and what they cannot get from the police, they will get from private security companies” (Kolpacki, 1994). Consider the implications of these statements in the light of terrorism. Police are finding that, in addition to their crime-fighting duties, they now have significant homeland security responsibilities (National Policy Summit, 2004). This assertion was echoed by Judith Lewis, former captain with the Los Angeles County Sheriff’s Department, who observed (Stephens, 2005): The expectations of law enforcement as first responders for homeland security have put an almost unachievable burden on local law enforcement. Local law enforcement is not designed organizationally to support the cooperation needed, and its officers don’t have the training and technology to do the job. … Currently, traditional law enforcement is being left behind.

186

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

7.2

CONTEMPORARY CIRCUMSTANCES As these statements and data reveal, the rise of private policing seems inevitable. But why now? Certainly the terrorist acts of 9/11 changed many things. With the creation of the Department of Homeland Security in the United States, the Afghan and Iraqi wars, and terrorist acts after 9/11 (including bombings in Bali, Spain, and London), the desire for increased security is obvious. However, the security industry was playing a growing role in crime control long before 9/11. Terrorism is not the only trigger for private policing. The following additional factors have all contributed to the growth of private security.

7.2.1

ECONOMIC AND OPERATIONAL ISSUES Cost is a significant distinction between public and private policing. Alternative service providers, such as private security firms, provide labor cost savings. For example, a compensation survey conducted by the Bureau of Labor Statistics found the hourly pay for security personnel ranged from an average of $6.82 in the Tampa/St. Petersburg metro area to $12.82 per hour in Denver (Institute of Management & Administration, 2000). Public police were said to cost 2.79 times as much as private police in 1979 (Benson, 1990). Other data suggest that a police officer costs at least $100,000 per year, counting salary, benefits, and overhead (Reynolds, 1994; Pastor, 2003). The cost of public policing seems to increase steadily. For example, during the period 19671973, the average salary for state and local police increased 56 percent, while the average salary for employees of private security firms increased only 34 percent (Clotfelter, 1977). Further, personnel expenditures are often the largest municipal budgetary line item. Just two groups—police and fire—represent about 55 percent of the total expenditures for the City of Chicago (Miranda, 1993). A study of New York City revealed that over a 25-year period, the number of public police officers rose from 16,000 to 24,000. However, the total annual hours worked by the entire force declined (Savas, 2000; Pastor, 2003). Municipalities spend a large proportion of their budgets on the salaries and benefits of public police officers. It is doubtful whether that pay structure can be sustained. Several authors have argued that certain operational functions drive up the costs of public safety services. For example, in the United States, citizens have been urged to call 911 for decades. This computerized call-taking system has resulted in huge increases in workloads in police departments. Calls for such conditions as barking dogs, street light repairs, noisy neighbors, unruly children, alarm response, and the like have created a difficult unintended consequence for police agencies (Pastor, 2005). The problem has been lessened with the use of 311 (nonemergency police response) and call stacking (prioritizing calls for dispatch based on the level of seriousness). However, these approaches have not resolved the basic dilemma— serving the community with the resources allocated to the department (Pastor, 2005).

Protection of Assets  Copyright © 2012 by ASIS International

187

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

The budgetary and operational dilemma for law enforcement officials may be best illustrated by alarm response. Alarm response refers to police being dispatched to burglar, fire, or panic alarms from commercial, industrial, and residential facilities. Often the problem with alarm response is attributed to the high rate of false alarms, which is as high as 95 percent or more (Benson, 1990; Olick, 1994; Cunningham et al., 1990). That is only part of the problem. In the 1980s, only 2 percent to 5 percent of residences had alarm systems. This figure was estimated at 10 percent in the 1990s and about 20 percent from the year 2000 (Litsikas, 1994; Cunningham et al., 1991). As the market for security alarms increased, the burden of alarm response for police agencies also increased. The impact of this one service hinders the ability of the police to perform their overall mission: to serve and protect society. For example, according to the Seattle Police Department, alarm response accounts for its second largest resource allocation. In just one year (2003), Seattle police officers responded to over 22,000 alarm calls, averaging about 62 alarms a day at a total estimated cost of $1.3 million. Many police agencies are looking for ways to deal with this problem. Private policing may provide the best way to resolve this financial and operational dilemma. For example, in Johannesburg, South Africa, there is a growing market for alarm response conducted by private firms. More than 450 registered companies provide alarm response services, serving about 500,000 clients and employing about 30,000 private officers (Davis & Dadush, 2000). These officers are equipped with 9mm weapons and bulletproof vests but have only normal citizens’ arrest powers. The average response time to the protected facility is five minutes. At least in part, this service provision evolved from the public’s lack of confidence in the responsiveness of the police. Administration of these services seems professional when measured in terms of citizen complaints, use-of-force incidents, and the average response time for alarm calls (Davis & Dadush, 2000). Approximately 80 percent of police resources are used in “social worker, caretaker, babysitter, and errand boy” activities (Benson, 1990; Pastor, 2003; Reynolds, 1994). Stated another way, only 20 percent of police officer work is devoted to crime-related matters (Youngs, 2004). A Police Foundation study also found that instead of watching to prevent crime, motorized police patrols are often merely waiting to respond to calls for assistance (Benson, 1990). The study asserted that about 50 percent of police duty time is spent simply waiting for something to happen (Benson, 1990). While police officials claim this time is devoted to preventive patrols, Benson argues that systematic observations suggest otherwise. Such observations reveal that much of the time is occupied with conversations with other officers, personal errands, and sitting in parked cars on side streets. While some of these activities may be necessary, the compelling conclusion of these studies is that municipalities will not be able to afford the status quo (Pastor, 2003). Partly as a result of this situation, the Toronto Police Department reported that more than 60 percent of all calls to the police are handled

188

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

by alternative response units, which include private police acting as a supplement to public police departments (Palango, 1998; Pastor, 2003). Partly because of the widespread use of community policing, municipal police agencies have reoriented their approach to crime control. This policing model has attempted to change public policing away from its traditionally reactive approach toward proactive crime fighting. That approach, however, presents its own operational difficulties and incentives. Typically, security firms are more oriented toward pleasing their clients—typically by preventing problems, including crime. In contrast, public police have less incentive to prevent crime since they are expected to produce arrest statistics and other quantifiable measures (Benson, 1990). The result is an operational incentive geared toward waiting for crimes to be committed in order to make the arrest. In recent years, the focus on crime prevention and community policing has changed this incentive. However, a proactive crime control strategy is costly to administer and is very labor-intensive (Pastor, 2003). Community policing has created additional tasks that were largely ignored by traditional enforcement-oriented police departments (Moore & Trojanowicz, 1988; Trojanowicz & Carter, 1990). These tasks include beat meetings, crime prevention missions, accountability sessions, and other service and communication tasks. While community policing appears to have had some success in reorienting the police to a more proactive, client-friendly approach, the monies used to support this strategy are now largely exhausted (Pastor, 2006). Notwithstanding the exhaustion of federal community policing monies, a basic problem with fully implementing community policing involves the resources and personnel levels associated with these tasks (Oliver, 2004). That challenge may lead public police to transfer tasks to or supplement their strength with private security personnel. Crime prevention and order maintenance have long been the forte of private security. With these functions in mind, private policing is predicted to play an increasing role in public safety (Pastor, 2006). The form of this new policing model may mirror the community policing approach, which is premised on client service designed to prevent and control crime. In this sense, private police will be used to supplement public police in service and order maintenance functions. This allows public police officers more time for addressing serious crimes, including terrorist violence. Carlson asserts that communities are certain to follow this approach because “they may have to” (1995). For comparison, he observes that hospitals were forced to give more responsibility to nurses due to rising medical costs. He adds: Cities may find that sworn police officers—whom they must train, pay relatively well and sustain pensions—are too expensive for fighting and deterring certain types of low-level crimes. To maintain basic civic order, rent-a-cops may be a better deal.

Protection of Assets  Copyright © 2012 by ASIS International

189

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

Private police officers are not “rent-a-cops” but alternative service providers. Many needed and valuable services can be performed at a lower cost compared to public police officers. Contracting certain service tasks can be equated to the common business practice of outsourcing (Youngs, 2004). These tasks include the following: x

traffic accidents/traffic control

x

parking tickets/abandoned vehicles

x

vehicle lock-outs

x

building checks

x

alarm response

x

animal complaints

x

funeral escorts

x

paperwork/subpoena services

x

“cold call” follow-ups

x

vandalism complaints/reporting

x

theft/burglary/lost-and-found reporting

x

crime scene security

x

prisoner transport/security

In sum, public police are overburdened with many service-oriented functions (Pastor, 2003). Private police can help resolve both functional and economic constraints. Indeed, the threat of terrorism will only exacerbate these constraints—thereby accelerating the need for alternative service providers. For example, about 85 percent of all critical infrastructures in the United States are already protected by private security personnel (Simeone, 2006). Private police services are financed by business or property owners, either through special taxing initiatives or more directly through contracts with property or community associations. With these funding sources, private policing services could be sustained with little or no municipal expenditure. Consequently, the economic benefits derived from privatized service providers can help relieve already strained municipal budgets (Pastor, 2003). Obtaining private security services through a taxing initiative usually involves the creation of a special taxing district. The district may be given broad powers to promote economic development or stability through health, safety, and environmental improvements. The specific source of the monies can be a tax on real property or a sales tax levy. Since the tax is confined to a certain geographic area, the local property or business owners usually maintain control over the authority vested in the district. Participation in this authority usually requires a certain connection to the geographic area, such as being a property owner, working in or owning a business within the district, or owning stock in a corporation within the district (Pastor, 2003).

190

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

7.2.2

ORDER MAINTENANCE Order maintenance techniques, and their relationship to the physical environment, are relevant for several reasons. Widely used in community policing, order maintenance may prove beneficial in reducing crime and incivility or disorder (Pastor, 2003). Many researchers believe that a lack of order can lead to high crime or fear of crime in a given area (Covington & Taylor, 1991; Lewis & Maxfield, 1980; Kelling, 1995). The theory underlying order maintenance contends that crime problems originate in relatively harmless activities. Public drinking, graffiti on buildings, and youths loitering on street corners are common activities in certain areas. If these activities go unchecked, the level of fear and incivility begins to rise. Over time, more serious crimes, such as gang fights or even drive-by shootings, may take place. Disorder tends to reduce the social controls previously present in the area. This results, at least in theory, in increased crime, which contributes to the further deterioration of the physical environment and the economic wellbeing of the community (Pastor, 2003). The development of order maintenance theories can be traced to a line of thinking that initially focused on conditions in cities, particularly in slums. In these areas, conditions such as “physical deterioration, high density, economic insecurity, poor housing, family disintegration, transience, conflicting social norms, and an absence of constructive positive agencies” were deemed contributors to criminal behavior (McLennan, 1970). Over time, researchers started to shift their focus from socioeconomic factors toward the physical characteristics of the community. For example, Cohen and Felson (1979) argued that the completion of a crime requires the convergence in time and space of an offender, a suitable target, and the “absence of guardians capable of preventing the violation.” This focus on environmental factors was found in a number of other studies. Gibbs and Erickson (1976) argued that the daily population flow in large cities “reduces the effectiveness of surveillance activities by increasing the number of strangers that are routinely present in the city, thereby decreasing the extent to which their activities would be regarded with suspicion.” Similarly, Reppetto (1974) concluded that social cohesion and informal surveillance decline when a large number of people live in a given area (Jackson, 1984). Lewis and Maxfield (1980) took this logic to the next level. They focused on specific physical conditions within the environment, seeking to assess the impact on those conditions on crime and the fear of crime. Their research assessed such factors as abandoned buildings, teen loitering, vandalism, and drug use. They believed those factors draw little attention from police partially because police have limited resources to deal with them. The researchers noted that such problems, nonetheless, are important indicators of criminality within any community. The implications of these studies are clear. When faced with disorderly conditions, individuals tend to feel a greater exposure to risk and a loss of control over their environment, and they are

Protection of Assets  Copyright © 2012 by ASIS International

191

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

more aware of the consequences of a criminal attack (Fisher & Nasar, 1995). This thinking further advances the concept of situational crime prevention by assessing the circumstances surrounding the crime. This assessment takes into account the intersection of potential offenders with the opportunity to commit crime. Researchers argue that a particular crime could be prevented through measures designed to reduce the offender’s ability (or even propensity) to commit crimes at specific locations (Pastor, 2003). These conclusions have been echoed by a number of other authors, including Kelling (1995). He asserts that citizens regularly report their biggest safety concerns to be things like “panhandling, obstreperous youths taking over parks and street corners, public drinking, prostitution, and other disorderly behavior.” Each of these factors was identified as a precursor to more serious crime. Moreover, the failure to correct disorderly behavior may be perceived as a sign of indifference. This indifference communicates the message that no one cares—which may, in turn, lead to more serious crime and urban decay (Kelling, 1995). Consequently, the key to crime control is to address both the physical and social conditions that foster crime. Implicit in these findings is the desire to prevent crime or reduce the conditions or factors that foster crime. These conclusions have been embraced by both public police and private security. A key component of these preventive methods is order maintenance, which can be accomplished in a number of ways, including the rehabilitation of physical structures, the removal or demolition of seriously decayed buildings, and the improvement of land or existing buildings by cleaning and painting. Other relatively simple environmental improvements are recommended, such as planting flowers, trees, or shrubs to enhance the “look and feel” of an area (Pastor, 2003). These physical improvements, coupled with efforts to reduce or eliminate certain antisocial behaviors, such as loitering, drinking and drug use, fighting, and other disorderly behaviors, are at the core of an order maintenance approach to crime prevention. The goal is to correct these conditions and behaviors before more serious crimes occur. Viewed in this broad manner, security can encompass such diverse factors as trash collection, planting flowers, and private police patrols. Each service is designed to improve conditions within an area. The advent of terrorism will only magnify this environmental focus. For example, an unattended package or an unidentified vehicle may actually contain a bomb. While these threats are difficult to remedy, this focus on the environment has been echoed by st Kaplan, who views the environment as the security issue of the early 21 century (1994). In public policing, these order maintenance techniques are encompassed in the concept of community policing (Moore & Trojanowicz, 1988; Kelling, 1995; Palango, 1998; M. Robinson, 1997; Seamon, 1995; Kolpacki, 1994; Spencer, 1997; Cox, 1990; Johnston, 1992). In essence, a core goal of community policing is to focus on fear reduction through order maintenance

192

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

techniques (Moore & Trojanowicz, 1988). In this sense, crime and fear reduction through order maintenance are in accordance with the environmental theories articulated above. Community policing also strives to reduce calls for service by addressing the underlying reasons for the calls. In the private sector, the focus has long been on prevention (Chaiken & Chaiken, 1987; Shearing & Stenning, 1983; Cunningham et al., 1990). The similarity of private security and community policing techniques can be narrowed to one core goal: both are intended to use proactive crime prevention that is accountable to the client or the citizen, respectively (Kolpacki, 1994; Pastor, 2003). Private security is particularly well suited to perform order maintenance. At least partly because of that sector’s crime prevention focus, private security personnel have replaced public police in the protection of business facilities, assets, employees, and customers (Pastor, 2003). Private security personnel provided what the public police could not. Specifically, security firms provided services for specific clients, focusing on the protection of certain assets, both physical and human, as their primary or even exclusive purpose. Security personnel attempt to predict reasonably foreseeable crime and develop precautions against it (Gordon & Brill, 1996). A substantial body of law has grown around the environmental aspects of crime. Tort claims on grounds of premises liability or negligent security have provided explosive business for personal injury attorneys (Pastor, 2003). These lawsuits stem from a negligence-based legal theory that questions whether the business or property owner knew or should have known that a criminal would commit a crime within the property (Pastor, 2006). This legal exposure helped create a significant consequence. Property and business owners were motivated to institute security measures within and around their property or business location. The exposure serves as both carrot and stick. The carrot is a safe and secure place to do business and to live or work in. Of course, a safe and secure environment will not hurt the reputation of the business or the viability of the property. The stick is potential liability with substantial jury awards. In addition, media exposure stemming from crime, coupled with the reputational and public relations damage associated with an incident, provides substantial motivation to secure the premises from criminals. Consequently, security began to be seen as an asset and crime control as a duty. The result was a growing use of security personnel and methodologies. Business and property owners started to think and worry about security, becoming more proactive in their approach to a safe and secure environment. For security firms, the legal exposure created opportunities. It brought security closer and closer into the realm of the average citizen. Security personnel began to be used routinely at businesses and large corporations, which began to focus on the protection of employees and clients instead of simply focusing on asset

Protection of Assets  Copyright © 2012 by ASIS International

193

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

protection. In this sense, security became more mainstream. It became part of people’s workplaces, apartment buildings, and hospitals. Private security became “the people.” This relationship of the security industry to mainstream society also increased the scope of services provided by private police (Pastor, 2006). As premises liability and negligent security lawsuits developed, the liability of business and property owners expanded farther and farther from the protected facility. Indeed, it is now common for security patrols for properties and businesses to extend into the streets and other public areas to prevent crime and provide a safe and secure environment. Private police have become another security layer in the public domain. Public police had and still have a much more difficult task incorporating crime prevention into their organizational structure. The challenge arises from their mission to enforce laws uniformly throughout society, as well as the need to preserve democratic and constitutional ideals. Considering the many burdens of public police, it is reasonable to conclude that the role of private security will continue to increase. Many have advocated that private police play a larger role in the prevention of crime in areas traditionally and exclusively patrolled by public police (Chaiken & Chaiken, 1987; Palango, 1998; McLeod, 2002; Benson, 1990). The use of order maintenance techniques will prove to be an important function used by private policing (Pastor, 2003).

7.2.3

CRIME (FEAR OF CRIME) AND TERRORISM The relationship between crime and fear has been systematically studied in numerous studies (Smith & Hill, 1991; Lewis & Maxfield, 1980; Liska et al., 1982; Benson, 1990; Moore & Trojanowicz, 1988; Pastor, 2003). Similarly, other authors assert that crime has led to a generalized increase in fear levels in certain demographic subsections, as well as in the larger society (Farnham, 1992; Litsikas, 1994; Walinsky, 1993; West, 1993). The consistent conclusion was that crime has created concern, often rising to what could be construed as fear, and that fear of crime is exacerbated by signs of criminal activity. Indeed, signs of criminal activity, such as disorder or incivility, have an impact on people’s perceptions of crime (Lewis & Maxfield, 1980; Kelling, 1995). Incivility is equated with disorder; both represent chaotic conditions that result in more serious criminal activity. The levels of fear are greatest where there is a concern about both crime and incivility. If incivility (or disorder) is not perceived to be a problem, then residents may be able to cope with higher rates of crime (Lewis & Maxfield, 1980). This conclusion has important implications. Communities must deal with both the crime rate and the physical and social indicators that lead to the perception of incivility and disorder (Lewis & Maxfield, 1980).

194

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.2 Contemporary Circumstances

Another implication of these theories is that private police will increasingly be used to combat or respond to crime (Benson, 1997; Tolchin, 1985; Cunningham et al., 1990; Spencer, 1997; Meadows, 1991; Walinsky, 1993; McLeod, 2002; Bailin, 2000). These authors and many others have predicted or shown that private security personnel are being hired in response to the incidence of crime. This assertion is echoed by Stephanie Mann, author of Safe Homes, Safe Neighborhoods, who asserted that “people need to take responsibility for their safety. … Citizens are the law and order in a community, not the police” (Litsikas, 1994). This view is based on the impact of normal crime. With the threat of terrorism, it seems particularly appropriate to assert that government cannot implement the necessary remedies to deal with crime and terrorism (including the attendant fears) without the contribution of the private sector (Pastor, 2003).

Protection of Assets  Copyright © 2012 by ASIS International

195

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.3 Principles of Private Policing

7.3

PRINCIPLES OF PRIVATE POLICING Private policing is related to the larger notion of privatization. Advocates of privatization argue that the use of private firms results in lower costs for the same—or better—service than when services are provided by government (Wessel, 1995; Donahue, 1989; Tolchin, 1985; Clotfelter, 1977; Miranda, 1993; Carlson, 1995; Benson, 1990; Morgan, 1992; Clemow, 1992). These authors maintain that private firms are able to pay lower wages and terminate inefficient workers. However, there is substantial evidence that labor costs (including benefits, training, etc.) have a direct relationship to service quality (Benson, 1990; Donahue, 1989; Linowes, 1988; Wessel, 1995). Still, there is ample evidence that private firms can deliver more efficient services at a lower cost. Savings are typically based on the following (Donahue, 1989): x

more flexible use of labor

x

richer array of incentives and penalties

x

more precise allocation of accountability

x

less constraint on process and more focus on results

Proponents of privatization argue that market competition results in more efficient service delivery, especially when many similarly situated firms are ready, willing, and able to provide such services (Morgan, 1992; Donahue, 1989; Benson, 1990). The absence of competition in the public sector allows for complacency, with little incentive to provide better service at the lowest cost possible. Opponents of privatization argue that reduced labor costs are illusory because they are achieved through hiring less qualified and less trained personnel, providing inadequate benefits to employees, using hiring practices that focus on part-time employees, and even using creative accounting methods (Bilik, 1992). The cost of contract bidding and administration must be assessed, as it adds to the bottom line and may even invite corruption (Hebdon, 1995; Donahue, 1989; Chaiken and Chaiken, 1987). Other authors contend that without adequate competition, the ill effects of monopolies will result (Shenk, 1995; Clemow, 1992; Schine et al., 1994; Bilik, 1992; Donahue, 1989; Hebdon, 1995). The use of private service providers does not necessarily result in lower costs or better service quality. However, the benefits of limited privatization far outweigh the negatives. This is especially true in the case of public safety services, where the failure of law enforcement to protect society is potentially measured in thousands or even hundreds of thousands of lives. Given the threat posed by terrorists with weapons of mass destruction, the concerns voiced by privatization opponents seem pale. Still, it is critical to maintain competition among

196

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.3 Principles of Private Policing

private sector vendors; enforce accountability; and develop and maintain standards for the selection, training, and hiring practices of private security firms. As Donahue states, the “evidence is overwhelming that where…negligence or the nature of the service itself undercuts competition, the benefits of privatization shrink or vanish” (1989).

7.3.1

POLICING ROLE AND FUNCTIONAL DISTINCTIONS The clearest distinction between public and private policing is that public police officers are duly sworn by government officials. In contrast, private police are individuals who are employed by private firms or other organizations without governmental affiliation. However, this distinction is not always clear. Some jurisdictions license and regulate private security personnel. Some governmental units even grant special police status to private security personnel, giving them broad arrest powers. Carlson identifies five specific categories of distinction between public and private policing (1995): x

Philosophical. Private police may lack the moral authority that government can give to law enforcement.

x

Legal. Private police are hobbled by the law, with only limited powers of arrest, usually restricted to the commission of crimes within their presence. However, those with special police status have nearly all powers of public police, including authority to make arrests and carry guns.

x

Financial. Private police can perform certain tasks more cheaply.

x

Operational. Private police are more flexible, can be assigned to specific locations, and spend nearly all their tour on the beat. They make fewer arrests, are burdened with little paperwork, and rarely make court appearances.

x

Security/Political. Private police give citizens more control over their own safety by augmenting police efforts, helping to maintain order when police are spread thin. Also, private policing encourages citizens to follow community standards in a way that police officers cannot or do not.

These categories raise many questions. For example, the perception that security personnel do not possess the same legal and moral authority as public police officers may affect how private officers perform their jobs. When a private police officer directs someone to refrain from loitering, the person’s willingness to comply may depend on whether the officer has the authority, either legal or moral, to force compliance (Pastor, 2006). Another issue involves the level of control over the functions of the private police and how responsive the private police are to the needs of the client. It may not even be clear who the

Protection of Assets  Copyright © 2012 by ASIS International

197

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.3 Principles of Private Policing

client is. Is it the property owners who contribute their monies through real estate taxes? Is it the larger community, or even anyone who happens to drive through the neighborhood? In a community policing model, the public police are urged to be more accountable to the citizens they serve. In this sense, the citizens are the clients. Another way to distinguish public and private police is by the roles they take or functions they perform. The distinctive aspects of these policing functions are outlined by Chaiken and Chaiken (1987), as shown in Figure 7-2. Figure 7-2 distinguishes the functions of private and public police dramatically. One of the most profound distinctions regards the input—that is, the person for whom the service is designed or intended. In private policing, the bill payer is usually deemed the client. In public policing, the citizen or society is the client (Shearing & Stenning, 1983).

Private Police?

mPolicing Function?o

Public Police

Client

Input

Citizen

Crime prevention

Role

Crime response

Specific

Targets

General

Profit-oriented enterprise

Delivery system

Government

Loss reduction/asset protection

Output

Enforcement/arrest

Figure 7-2 Functions of Private and Public Police

A corporation performs both a private and public function by hiring security personnel and equipping them with uniforms, badges, and weapons. The generally accepted responsibility or function of security in this context is to enforce certain rules or laws on the company’s property (McKenzie, 1994). Consequently, this seemingly private function provides an external benefit to the larger society, or at least to the citizens who happen to be within the protected facility or area (Pastor, 2003). This input distinction explains much about the service orientation of the two entities. Particularly in the private sector, the need to please the client cannot be underestimated. Private security personnel tend to view behavior in terms of whether it threatens the interests of the client (Shearing & Stenning, 1983). However, what constitutes the interests of the client is not always clear or consistent (Dalton, 1993). That presents a challenge because knowledge of a client’s interests may affect how a security firm performs its duties.

198

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

Another important distinction regards the output of the service. Private security today tends to focus on loss reduction or asset protection. However, the role of private security may be shifting back to its historical roots. If so, private policing could renew some of its enforcement orientation, which has become the almost exclusive realm of public policing agencies (Benson, 1997; Tolchin, 1985; Cunningham et al., 1990; Spencer, 1997; Meadows, 1991; Walinsky, 1993; Bailin, 2000). Perhaps the most important distinction involves the delivery system. For private police, the delivery system is profit-oriented firms or corporations. With public police, it is government. The competition in which companies engage drives better service and value. Conversely, monopolies, such as police departments, tend to be less efficient, even complacent. If a security firm is not performing well or is not providing good value, it can be fired. In public policing, however, citizens cannot directly fire their police department. While they may petition political leaders for redress, doing so is not nearly as effective as exercising a 30-day termination clause, as is common in the security industry. Another issue involves the applicability of constitutional protections, such as prohibitions on unreasonable searches and seizures. Historically, such protections did not apply to private police (Nemeth, 1989; Chaiken & Chaiken, 1987). However, courts are now inclined to extend constitutional protections to cover actions by private security personnel. Typically, their actions must have a connection to government or sworn police officers (Pastor, 2003).

7.4

PRIVATE POLICING ENVIRONMENTS Though unusual, private police patrols on public streets are not unprecedented. This section presents various models of privatization, wherein private police play a role in providing public safety services. As Moore and Trojanowicz assert, police are responsible for managing crime and its effects. No other government agency regards itself as specifically responsible for crime (1988). However, if the police cannot prevent crime, one logical response is to hire private security firms to do so. In this way, private police can be viewed as an additional layer of security for the community. As Carlson explains, private security firms can help restore community life, allowing people to worry less about crime and spend more time building families and neighborhoods (1995). Few people would argue against targeting crime and reducing its impact on society. The scope and details of these arrangements vary widely. In rare cases, private security has replaced public police in a jurisdiction. In most private policing initiatives, some level of

Protection of Assets  Copyright © 2012 by ASIS International

199

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

partnership forms the basis for the arrangement. Such partnerships make sense. The two entities have many similar goals, such as reducing crime and fear through an environmental or order maintenance approach. The commonality of goals may foster cooperation in the spirit of public safety. For example, public police may rely on private police to carry out tasks they prefer not to undertake. In return, public police provide some needed services, such as expeditious response to calls for assistance (Chaiken & Chaiken, 1987). Most public police officials welcome fuller partnership with private security if it frees up their officers for crime fighting (Pastor, 2003). The models presented below describe past or present privatized policing arrangements. Two key factors in these models are the location of services and the provision of services. Locations may be public or private, but sometimes the distinction is unclear. For example, a gated neighborhood with a fenced perimeter has characteristics of both public and private locations. (However, for present purposes such a space is deemed private because of its physical separation from the larger community.) As for provision of services, security personnel may be used to supplement public police, replace public police, or provide a service that lies between those extremes. For example, in some cases a private firm has only ancillary involvement in community safety. In other cases, private security personnel may engage in proactive and tactical enforcement techniques, designed to search out and arrest criminals. However, in most cases, the security firm acts as a supplement to public police. Accurate statistics on the scope of private policing are difficult to obtain. Thus, it is unknown how common the following arrangements are.

7.4.1

PRIVATE ENVIRONMENT: SUPPLEMENT There are many examples of private security acting as a supplement to the public police in private, gated communities. For example, in Los Angeles 35 neighborhoods have asked local governmental permission to separate from the surrounding communities by installing gates and hiring security firms (Farnham, 1992). In suburban Detroit, the 2,300-home East English Village Association hired a private security force to supplement patrols by local police (Farnham, 1992). The reasoning behind this decision is illustrated by a statement from the president of the property association: “We figured if we wanted to keep this neighborhood stable, we couldn’t stick our heads in the sand and say the police should take care of it. We realized there’s only so much they can do” (Farnham, 1992). The Frenchman’s Creek development in Florida hired a miniature tactical team called STOP (Special Tactical and Operations Personnel). The team “roams the grounds every night dressed in camouflage face paint to stay as unobtrusive as possible and give them the edge

200

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

on any intruder” (Cruickshank, 1994). This tactical team stays sharp by conducting exercises with sophisticated equipment, including night vision gear and infrared detectors that distinguish a human body from the surrounding vegetation. It also includes a marine patrol and tickets speeders (Cruickshank, 1994).

7.4.2

PUBLIC ENVIRONMENT: REPLACEMENT In rare (and problematic) instances, public police have been replaced by private security firms. For example, in 1992 Sussex, New Jersey, fired its police officers after a drug scandal (Reynolds, 1994). The town of Reminderville, Ohio, did the same. Police officers in both towns were replaced by private security guards who patrolled the town in blue, police-like uniforms. They were armed with 9mm semiautomatic weapons, radios, batons, and handcuffs. In essence, the security personnel maintained the appearance of public police but provided their services at a lower cost (Geyelin, 1993; Reynolds, 1994). The towns saved money, but the experiments were terminated after pressure from public police organizations and complaints by residents that the security personnel were not adequately enforcing laws (Pastor, 2003; Reynolds, 1994; Geyelin, 1993; Tolchin, 1985). Although the security personnel looked like police officers, they had “no more than citizen’s power of arrest, and … no authority whatsoever to question, detain or search a suspect without risking a lawsuit” (Geyelin, 1993).

7.4.3

PUBLIC ENVIRONMENT: SUPPLEMENT It is more common for private police to supplement, not replace, public police. Many such arrangements exist in business improvement districts (BIDs). Indeed, New York City contains more than 40 BIDs, and more than a thousand BIDs exist across the United States (Davis & Dadush, 2000). An overview of some supplemental arrangements follows.

Grand Central Partnership The Grand Central area in New York City consists of more than 6,000 businesses, comprising more than 51 million square feet (Carlson, 1995). Each property owner is taxed an additional 12.5 cents per square foot. In 1994, this tax raised $6.3 million for the Grand Central Partnership (GCP). The tax revenue is returned to the district management association, which administers the program and employs a security force (Goldberg, 1994). A spokesperson for the association emphasized that the program requires “layers of cooperation” with various city planning commissioners, assessment and tax officers, and the city council (Carlson, 1995; Goldberg, 1994). The revenues and cooperative efforts with city officials provide diverse services, including private street sweepers and trash collectors; garbage cans, street lighting, and flower boxes; multilingual tour guides; homeless shelters; and uniformed security guards.

Protection of Assets  Copyright © 2012 by ASIS International

201

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

Obviously, the scope of the project goes beyond what is traditionally viewed as security and works to change both people’s perceptions and the physical environment. The New York Times had described the area as “chaotic and forbidding, often filthy and sometimes dangerous” (Carlson, 1995), but after two years of operation, the Grand Central Partnership saw crime drop 20 percent. After the fifth year, reported crime was down 53 percent (Carlson, 1995). Explanations for the crime drop are varied. Some maintain that the private police perform tasks in a cost-effective manner and are more flexible than public police (Carlson, 1995; Patterson, 1995). GCP staffers offer other reasons. A retired New York City detective in charge of GCP operations asserted, “Police are involved with other matters[;] they cannot concentrate on the quality of life crime when they have major crimes. We are the eyes and ears of the police department. …[T]hey appreciate our work because we try to solve some problems ourselves, without police intervention” (Carlson, 1995). Another GCP staffer stated, “We don’t do homicides, we don’t do rapes, but we do other quality of life things. … We do the work the police have trouble getting [to] because they are so busy” (Carlson, 1995; Pastor, 2003). These statements reflect an order maintenance approach, which is also demonstrated by the workload handled by the security personnel. In 1994, the security personnel responded to 6,916 incidents. Only 624 of them required police assistance, and only 122 resulted in arrest (Carlson, 1995). The result of this cooperative effort is that police are able to focus on more serious crimes, and security personnel address the bulk of the service and order maintenance duties (Pastor, 2003). Selection criteria for these guards are similar to those for public police (Carlson, 1995). A guard in the GCP must: x

be at least 18 years of age

x

have no recent felony convictions

x

be a reasonably upstanding and sober citizen

x

be a high school graduate

x

pass psychological examination

x

pass a drug screening test

In addition, there is a hiring preference for military service. By contrast, their seven-day training is substantially less rigorous than training for public police. Weekly follow-up training addresses use-of-force issues and security procedures. Discipline within the ranks is strictly enforced. According to Carlson, absenteeism or lateness, sloppy dress, smoking in public, and even minor rule violations are not tolerated (1995). This level of discipline is particularly important because the security personnel wear

202

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

uniforms that resemble New York City police uniforms. They—like the police—also wear radios and bulletproof vests. Despite the favorable statistics, some people—including police officers—are not convinced of the merits of this arrangement. The following statement sums up their reservations: “In the eyes of the police, guards seem to occupy a confusing gray area between public official and private citizen that many cops find disconcerting” (Carlson, 1995). However, other private citizens and property owners care less about such legal niceties and more about their own security. Some even claim that regardless of the cost paid for these services, the protection received is well worth it (Carlson, 1995). One property owner stated, “Before the security guards, there were no cops. Muggers would snatch a purse right in front of the store, and they would be laughing, not even running away. … They can’t do that now. Without guards, it’s like a jungle out there” (Carlson, 1995). The GCP arrangement is built on the logic of order maintenance. The president of the GCP stated, “When a citizen sees prostitutes, graffiti, rough talking panhandlers, and poorly maintained buildings, he concludes that things are out of control and he forgoes use of that street” (Blyskal, 1996).

Metro Tech Area The Metro Tech Area is another New York City BID that provides supplemental private security and sanitation services. This BID also focuses its efforts on an order maintenance approach, seeking to reduce signs of physical and social disorder through street maintenance and regulation of people’s behavior (Davis & Dadush, 2000). A CCTV system with 26 cameras monitored by the New York City Police Department (NYPD) dispatchers enhances the ability of private officers to control crime and disorder (Davis & Dadush, 2000). The BID employs 28 private police officers. Candidate selection is highly competitive, accepting only one of 25 applicants (Davis & Dadush, 2000). Each candidate must be 21 years old, pass drug tests and psychological exams, submit to random drug tests, have a clean felony record, and have no history of drug activity (Davis & Dadush, 2000). The starting salary is $20,500, with an increase after one year, plus merit and promotional opportunities. Each officer receives 96 hours of training at the NYPD academy on such topics as conflict resolution, communication skills, legal topics, court procedures and testimony, investigative techniques, and report writing (Davis & Dadush, 2000). These officers also receive in-service training at roll calls and annual training in cardiopulmonary resuscitation (CPR) and baton use. The officers do not carry firearms but do possess arrest powers. Approximately six arrests are made per year, but only when the officers witness the crime. Incidents handled by these officers usually relate to order maintenance and assistance to citizens (Davis & Dadush, 2000).

Protection of Assets  Copyright © 2012 by ASIS International

203

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

Internal accountability is structured into this arrangement. Every private officer must pass written exams each year. These exams focus on the code of conduct, post orders, and rules. Merit increases are based on professional performance. In addition, the officers are under CCTV surveillance and are subject to internal investigation complaints. Only six abuse allegations have been made in nine years. These complaints are overseen by the BID’s public safety committee and board. Finally, external accountability is accomplished by the court system, the Department of Business Services, the NYPD, and, of course, the BID’s clients (Davis & Dadush, 2000).

Center City District Another supplemental arrangement in a public environment is the Center City District (CCD), a Philadelphia BID formed in 1991 (Seamon, 1995). Before the BID was formed, the downtown business district was crime-ridden. The Central Police District, which serves the downtown area, reported that 37 percent of its workload came from this area (Seamon, 1995). In addition, the area was plagued by a growing number of vacant commercial properties, unregulated vendors, homeless citizens, and trash on the streets and sidewalks. The district covers 80 square blocks, and 2,087 property owners pay a property tax surcharge equal to 5 percent of the current city real estate levy (Seamon, 1995). In 1994, the budget was $6.6 million. The budget is allocated to the following privately contracted services: x

53 percent for street cleaning and trash pickup

x

33 percent for public safety

x

7 percent for administration

x

7 percent for marketing

These allocations reflect a broad conception of security and an order maintenance approach. The partnership also reflects a diverse combination of people and disciplines. A successful privatization program requires city officials, police authorities, and security managers to work together in a way that promotes trust and creates bonds between the public and private sectors. The parties must also clearly understand their respective roles (Seamon, 1995). To reach its goals, the partnership set up its daily operations to foster collaboration. City police officers and the BID’s security officers (called community service representatives) share headquarters and locker facilities, conduct joint roll calls, and are regularly addressed by police detectives on current crime conditions (Seamon, 1995). Philadelphia Police Department statistics reveal that from 1993 to 1994, crime decreased by 6 percent in the CCD area. By way of comparison, during the same period crime rose 1 percent in the Central Police Division.

204

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

The security force consists of 45-50 officers. Their training curriculum ranges from problemsolving techniques, customer service, and hospitality to police procedures, use of force, radio communications, first aid, CPR, and victim assistance (Seamon, 1995). The minimum standards include two years of college, an age of 21 years, and the completion of a background investigation (Seamon, 1995). These are higher standards than those for typical security guards (Pastor, 2003). The security personnel perform unarmed, uniformed service, acting as a supplement to police. They act as public concierges or neighborhood watchers. Their radios are interconnected with those of the police. The security personnel also use a computerized crime mapping system designed to enhance crime prevention.

Downtown St. Louis The St. Louis Metropolitan Police Department and a private security company entered into a supplemental, contracted relationship in which private uniformed security personnel patrol the central city. This private security force is funded through a special tax district that encompasses all of downtown St. Louis and is administered by Downtown St. Louis, Inc., a private, not-for-profit chamber of commerce. Property owners in the district pay a tax surcharge, which is collected by the city and state, then redistributed to the district (Mokwa & Stoehner, 1995). The revenues pay for the following services: x

market attractions

x

special events

x

private security

The tax revenues guarantee business owners their own security protection (Mokwa & Stoehner, 1995). The security force consists of 6-30 patrol officers, depending on the shift or the particular event. The St. Louis Police Department allocates 10 patrol vehicles and 30 foot patrol officers to the downtown area. In addition, some off-duty police officers serve on the security force. Partly because of the interrelationship between the security force and the police, the security personnel have the same powers of arrest as police. Just like the police, security officers wear uniforms and walk their beats—using reasonable force when necessary to stop a crime (Mokwa & Stoehner, 1995; Pastor, 2003). The selection criteria are sophisticated. A security officer must have an outgoing personality, knowledge of the St. Louis metro area, and two years of prior experience in the security industry. In addition, an officer must pass a psychological test and several personal interviews. The training consists of a 16-hour course designed and administered by the St. Louis Police Department. The training stresses police policies and procedures. The security firm also conducts a 16-hour public relations course. When the training is completed, the security officers are licensed by the St. Louis Police Department and are given arrest

Protection of Assets  Copyright © 2012 by ASIS International

205

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

authority by the city’s police board (Mokwa & Stoehner, 1995). With this regulation and proclamation, the private police officers are vested with “special police” powers. This supplemental private/public partnership has been credited with a reduction in crime. The total number of crimes in downtown St. Louis declined almost 10 percent in one year (from 306 in 1993 to 276 in 1994), and auto theft rates dropped 31 percent (Mokwa & Stoehner, 1995).

Greater Green Point Management District The Greater Green Point Management District (GGPMD) encompasses a 12-square-mile section of Houston, Texas. The district has a mix of residential and commercial properties. Between 1980 and 1990, its population grew substantially, as did the crime rate, and physical conditions deteriorated (Robinson, 1996). From 1986 to 1991, crime increased 25 percent and calls for service increased 46 percent. Over the same period, the number of public police officers assigned to the area decreased 22 percent (Robinson, 1996). Local property owners petitioned the state legislature to create the GGPMD. The legislature approved the district in 1991, and a tax levy of 10 cents per $100 of assessed property value was established (Robinson, 1996). The district is administered by a 22-member board of directors appointed by the governor. The board is headed by an executive director, who is in charge of operations. It also includes a security manager, who is in charge of security and public safety. The security manager implemented a comprehensive public safety program based on surveys conducted by the district administrators. The surveys revealed that business owners were in “absolute terror” due to the growing crime problem (Robinson, 1996). Police response time ranged from 14 to 15 minutes for emergency calls and almost two hours for nonemergency calls (Robinson, 1996). This situation called for more responsive services. For approximately $400,000 per year, GGPMD funded the hiring of additional police officers and supplemented them with private security personnel. Further, the district opened a new police substation in space donated by a large shopping mall (Robinson, 1996). Both police and security personnel were stationed there. The crime rate dropped 25 percent in the year following the implementation of the initiatives. In addition, the occupancy rate of business units in the district rose to become one of the highest in Houston (Robinson, 1996). In short, the arrangement was deemed to have contributed to the betterment of the city’s overall environment.

Durham, North Carolina In Durham, following a series of shootings on public buses, the city contracted with Wackenhut Security to provide private patrols of its buses. These private police officers were

206

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

vested with the same arrest powers as public police officers. They are well-trained, armed, and wear uniforms that are similar but not identical to those of the local public police. After the introduction of private patrols, crime decreased, bus ridership increased, and people’s satisfaction with the bus system improved (Bureau of Justice Assistance, 2005).

Dallas Downtown Improvement District In 2004, business owners in Dallas hired 31 private police officers to patrol the downtown business district. These patrols cost about $1.5 million a year, with each officer earning $12.50 per hour (Brown, 2004). These patrols take an order maintenance approach. Their goal is to reduce crime and to increase the perception that the area is safe. Significantly, these officers are considered “public safety officers,” a term that is consistent with the public safety policing model. The private police officers wear blue police-like uniforms, carry pepper spray, use radios, and exhibit a friendly, courteous manner (Brown, 2004). The patrols take place on foot and on bicycles. Training of these officers lasts three weeks or about 120 hours. A deputy chief of the Dallas Police Department noted that this force will work as extra eyes and ears of the police (Brown, 2004). It is interesting to note that Brown, writing in a police magazine, discussed these private patrols in a negative manner. She stated that “inexplicably” the Dallas police brass seem to be in favor of “losing department jobs to the private sector.” She characterized this arrangement as “the front” in the “privatization war.” While it is unfortunate to describe this public safety initiative with such critical language, the merits of these public/ private arrangements are sure to survive the arrows of critics.

Starrett City The Starrett City housing development in Brooklyn is a classic model of the benefits of th privatization. The development is located in the 75 police precinct, which consistently has one of the highest murder rates in New York City (Carlson, 1995; Walsh et al., 1992). Some 90 percent of its residents receive government rent subsidies (Carlson, 1995). The management company that administers the development hired private police officers. By the late 1980s, 60 private police officers were employed, of whom approximately 40 were armed. Each private police officer carries the “special police” designation and has full arrest powers. These private police personnel handle about 10,000 service calls annually (Carlson, 1995). The average salary is $31,000, which represents about 70 percent of the average salary of a police officer (Pastor, 2003). Carlson observes that 20 years after hiring these security officers, Starrett City is as safe as any affluent neighborhood. In 1994, this community of 20,000 people reported only 24 car thefts, 12 burglaries, 6 aggravated assaults, and no rapes (Walsh, et al., 1992). In the same

Protection of Assets  Copyright © 2012 by ASIS International

207

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

year, Carlson notes, the complex reported only 67 robberies. This compares favorably to the 2,548 robberies reported in the neighborhood just outside its boundaries in 1995. Further, overall crime rates in New York City were substantially higher than those in Starrett City. New York averaged 84 felonies reported per 1,000 residents, while Starrett City reported just th 7 felonies per 1,000. Similarly, in the 75 precinct, a residence outside Starrett City was 38 times more likely to be burglarized than one within Starrett City (Walsh et al., 1992). Significantly, no physical boundaries or barriers separate Starrett City from other residents in the precinct. The only real physical distinction is the private security personnel. The difference between the neighborhoods is so stark that a Starrett City security supervisor described the complex as “an oasis in a vast wilderness” (Carlson, 1995; Pastor, 2003). In a survey conducted by Pennsylvania State University, almost 90 percent of the residents said they felt “somewhat or very safe” living in the complex. Only 40 percent felt similarly secure outside its boundaries (Carlson, 1995). The survey also found that 90 percent of the residents believed the complex would not be safe without its private security personnel. Significantly, over 50 percent said they would leave the area if the private police were not employed (Walsh et al., 1992). Another indication of the commitment to private security is that 78 percent of residents said that, if assaulted, they would call security before calling the police (Walsh et al., 1992). Indeed, the complex receives only part-time coverage from two police officers even though the complex accounts for about 16 percent of the population in the precinct (Walsh et al., 1992). Without private policing, Starrett City would not be a secure residential environment (Pastor, 2003).

San Francisco Patrol Special Police A unique private policing arrangement, the San Francisco Patrol Special Police dates back to the Gold Rush days. It provides San Francisco neighborhoods with supplementary police patrols. Formed in 1847 by merchants to combat crime, the Patrol Special Police was incorporated into the city’s charter in 1935. The Patrol Special Police is a separately chartered law enforcement group that works under the supervision of the San Francisco Police Department (SFPD). Patrol Special Officers are governed by rules and procedures set by the San Francisco Police Commission. The commission is empowered to appoint patrol special police officers and may suspend or dismiss them after a fair and impartial hearing on charges duly filed with the commission. Each patrol special police officer must be at least 21 years of age at the time of appointment, pass an extensive police background investigation, complete training at the San Francisco Police Academy, and meet physical qualifications. These requirements are consistent with those of the California Commission on Peace Officer Standards and Training. In addition, these officers receive annual training from the SFPD and qualify with firearms at the police

208

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

department’s range. They wear uniforms approved by the police commission, carry firearms, and use two-way SFPD radios. Each of these factors provides an excellent example of structural interaction with the SFPD, including accountability measures designed to ensure proper, consistent service. Patrol special police officers are considered the owners of certain beats or territories that may be established or rescinded by the commission. These beats are considered property that may be bought, sold, leased, bequeathed by will, or otherwise conveyed to a person of good moral character, approved by the police commission. These private police officers are committed to community policing with an emphasis on problem solving and community outreach. These goals are achieved through various tasks, including walking the beat and getting to know people on an individual basis, attending community meetings, and working closely with the police department and other city agencies. This emphasis on community policing clearly reflects the need to serve clients and perform an order maintenance function.

United Kingdom Clapham, England, hired Guardforce Security Services to patrol the town with vehicles equipped with video surveillance cameras (BBC News, 2004). In addition, the Kent County Council allocated more than £1.4 million to the creation of its own private police force (Short, 2001). The county will hire 12 neighborhood wardens, who will wear distinctive dark red jackets with sheriff-style badges. The wardens are intended to be the eyes and ears of the police. They will be trained by officers from the Kent Police Department (Short, 2001).

Toronto, Canada The use of private police in the Toronto metropolitan area is best illustrated by the services of Intelligarde. This security firm bills itself as “the law enforcement company.” According to its Web site, the company is driven by the “belief that society and the individual have a fundamental need for social order—a need unsatisfied by contemporary public policing.” In response to this need, the firm’s personnel and programs are designed to “re-establish social order where it is breaking down and then support social order on an ongoing basis” (www.intelligarde.org). This assertion reflects an underlying order maintenance approach. Intelligarde provides a wide variety of security services, including private police patrols in numerous public environments. Its marketing materials boast “the largest mobile fleet of marked and unmarked patrol vehicles in the Greater Toronto Area and also in Ottawa.” Clients are provided verification of the time and location of patrols through the use of global positioning system monitoring. Also provided are canine and mounted patrols, vehicle patrols for alarm response, spot checks of specific locations, and sweeps of disorderly areas.

Protection of Assets  Copyright © 2012 by ASIS International

209

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

The officers also perform arrests to enforce various laws relating to incivility. This enforcement orientation resulted in about 40,000 arrests over 25 years of work (Walmington, 2005). The willingness to make arrests is considered critical to the role of these private police officers. The firm’s owner observes that enforcement and “social work” are both required. He adds that the patrols must “be able to do the enforcement piece—but enforcement and community development work together. One doesn’t work without the other.” The officers’ work requires “the denial of opportunity to the people who are intent on committing criminal acts—the shooters, drug dealers and gang bangers. … In other words, you take away the playing field.” This requires officers on-site who know the legitimate residents and check out all the others coming onto the property. The firm’s owner uses the term “blended policing” to describe “public safety officers” (that is, private police) working “hand in glove” with the police (Walmington, 2005).

Marquette Park In what may be the most comprehensive study of private policing to date, Pastor (2003) conducted a multifaceted research study of the Marquette Park Special Service District on th the southwest side of Chicago. The boundaries of the special service area are from 67 Street th to 74 Street and Kedzie Avenue to Bell Street. Included within the area is approximately half of Marquette Park, which is part of Chicago’s vast park district system. The name of the special service district—and the neighborhood—reflects the name of the park. The neighborhood consists of single-family residences, two- and three-story apartment buildings, and strips of businesses. The largest concentration of apartment buildings is on the east side of the neighborhood. These apartment buildings are often poorly maintained or neglected. Most of the single-family houses are better kept, yet some show signs of disrepair. The majority of the deteriorated homes are found on the east side of the community (Pastor, 2003). The streets are similar to those of a typical Chicago neighborhood, with trees on the parkways between the street and the sidewalk. Businesses are located on the main arteries that intersect the community. Many serve as hangouts for young people in the area. Citizens expressed concerned that some youths appeared to be gang members, and many business owners were fearful of their presence. Others seemed to cater to them, either for business or possibly for protection. Indeed, the presence of loiterers, particularly gang members, was a key concern of the community—and of the private patrol program (Pastor, 2003). th

The special service district is part of the 8 Police District, which is segmented into 16 beats and is one of the largest districts—in area and population—in Chicago. The special service district is a separate taxing entity established in 1995. The decision to hire private security patrols was done, at least partly, to stabilize the community. Long-term residents were moving from the area. This flight from a community with generational ties dating back to the early

210

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

1900s created the desire to stop, or at least slow, the demographic changes. Before the formation of the special service area, community groups petitioned for a ballot referendum. At issue was whether property owners would vote to increase their real estate taxes for the purpose of hiring private security patrols. These private patrols would supplement the police department, seeking to reduce crime and minimize conditions that foster crime (Pastor, 2003). There are certain requirements for the creation of special services districts. First, voters within the area must pass a referendum to create the district as a legal entity. After the referendum passes, it is referred to the city council. The formal establishment of the district must be enacted pursuant to a resolution. This council resolution provides the legal authority for the Cook County Collector to levy and collect real estate taxes from property owners within the district. In this district, the service tax may not exceed .41 percent of the assessed value of taxable property (Pastor, 2003). Once a special service district is established, the alderman in the affected ward selects individuals for the governing commission. They must be residents or business owners in the community. Once appointed, each commission member serves a two-year term. There are seven voting members within the governing commission. Each politically appointed commission member is deemed a voting member. The commission also contains three nonvoting members, including the commander of the police district and two officials who represent the Chicago Department of Planning and Development. These nonvoting members are supposed to provide guidance to the voting members of the commission. The commission is charged with overseeing the special service district, including preparing a budget, conducting periodic community meetings, and arranging administrative matters to operate the private police patrols. The day-to-day affairs of the district are handled by the “sole service provider.” This community-based organization acts as the intermediary between the community and the governing commission and deals directly with the security firm. It addresses crime patterns and incidents and performs other operational and administrative tasks, such as obtaining legal counsel and insurance carriers. The sole service provider is also charged with hiring and contracting with the security firm. This occurs after the governing commission makes the selection based on a vote of board members. The hiring of a particular security firm is accomplished through two separate contracts. One contract is between the City of Chicago and the sole service provider, and the second contract is between the sole service provider and the security firm. Contract documents are drafted by the Chicago Department of Law. Oversight of the entire process is accomplished by the city’s Department of Planning and Development (Pastor, 2003). The budget to operate and administer the security patrols is approximately $200,000. These monies come from the tax levy on real property within the special services district. The cost

Protection of Assets  Copyright © 2012 by ASIS International

211

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.4 Private Policing Environments

for the average property owner is about $50 to $60 per year. Approximately $140,000 to $150,000 goes to the security provider, another $5,000 is spent on insurance, and about $20,000 is used to pay for legal and other professional services. The remainder goes to office expenses and administrative costs (Pastor, 2003). The private police officers carry handguns and other police equipment. They use handcuffs, flashlights, radios, and bulletproof vests. Each officer wears “civilian dress” clothing, which looks almost identical to the attire worn by Chicago Police Department tactical officers. The vehicles are also similar to those of the public police (Pastor, 2003). However, the officers are not granted the “special police” designation. A couple of the officers are off-duty police, but most have only private citizen arrest powers. The study assessed three questions related to the privatized police services. The first question was, “How do the private police officers perform their job?” Through ride-alongs, interviews, and document analysis, the study found that the majority of their functional work product was order maintenance (51.5 percent). Thirty-two percent of their work involved observation and reporting, and 16.5 percent involved law enforcement (Pastor, 2003). The second research question was, “Are these private police public actors?” The answer affects whether constitutional provisions would apply to the actions of private police. The study concluded that the private police were indeed public actors, so constitutional provisions were applicable to their actions. The third research question was related to whether the private police officers violated the constitution in the performance of their duties. The study concluded that some private police officers indeed violated the Fourth Amendment protection against unreasonable searches and seizures. However, with inadequate training, a lack of policy guidelines, and little accountability, the officers were doing the best job they could under demanding and dangerous circumstances. The examples in this section illustrate the effectiveness of privatization and the need for cooperative efforts between private and public police. They demonstrate that such cooperative efforts have been successful in combating crime and enhancing the environment within the patrol arrangement. The mission of crime prevention within the security industry, coupled with the ability of the police to arrest offenders, provides a dynamic combination of skills and resources. The present focus on community policing may prefigure a widespread establishment of privatized public safety services. Nonetheless, a difficult and uncertain transition lies ahead. Functional, constitutional, and public policy considerations remain problematic (Pastor, 2003).

212

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

7.5

THE FUTURE OF PRIVATE POLICING

7.5.1

NEW POLICING MODEL A new model of policing is emerging, but before it can be described, two core questions must be answered: x

Can municipal police departments perform as first responders for homeland security and at the same time operate with a community service orientation?

x

What future role will alternative service providers have in the delivery of public safety services?

The answer to the first question would appear to be no. First, it seems that terrorism will be a fact of life for years to come. If so, police agencies will not only have to deal with the carnage associated with terroristic violence but may also be targets of the violence. Indeed, contemporary times reveal horrendous violence against Iraqi police and civil defense forces. Being both a first responder and a target will create an environment that is extraordinarily complex, in both operational and human terms. The second part of this question is that community policing, which has been the widely accepted policing model, is about to end. While this statement may be subject to criticism from police, academics, and politicians, federal funding of community policing programs is largely exhausted. Without additional monies, this policing model will slowly be deemphasized into extinction. If the money for community policing is now directed to homeland security, then police agencies will redirect their missions accordingly. However, private police may prove to be excellent providers of community policing services because of their responsiveness to their clients. The answer to the second question is that, with the future police focus on terrorism and violent crime (including street gangs, which are likely to graduate to terrorism), the need for alternative service providers becomes paramount. Alternative service providers will be the paraprofessionals of police departments. These alternative service providers include private police, civilian employees of police agencies, and auxiliary (volunteer) officers. While it is likely that all three types of alternative service providers will coexist, the most likely and beneficial option is private police officers.

Protection of Assets  Copyright © 2012 by ASIS International

213

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

7.5.2

STRUCTURAL/OPERATIONAL COMPONENTS Figure 7-3 illustrates this public safety policing model:

Copyright by James F. Pastor, 2005. Used with permission.

Figure 7-3 Public Safety Policing Model While this figure excludes certain police functions (such as investigative and administrative units), it captures the essence of the three key aspects of street policing. Tactical operations would include heavy weapons/SWAT teams, gang and drug tactical teams, and saturation units. This aspect of policing is likely to be much more militarized than at present. It will focus on tactical techniques accomplished by highly trained public police officers. The technological functions will also be greatly expanded. Many technologies commonly used in security will be emphasized in police agencies, including networked cameras and access control systems, predictive crime mapping software, and integrated identification systems. These technologies will improve the “eyes and the ears” of policing agencies to better respond to and even predict criminal or terrorist behavior. The key to this approach is surveillance for crime prevention, apprehension, and enforcement. Order maintenance operations will be the key component for alternative service providers. The key will be to control the environment, focusing on both physical aspects and social incivilities. The primary tasks of these service providers will be to provide routine service functions, such as report writing, alarm response, traffic control, and “street corner security.” Each of these tasks relates to either order maintenance or “observe and report” functions. In these ways, alternative service providers will also enhance the “eyes and ears” of policing agencies. The majority, if not the vast majority, of order maintenance functions will be conducted by private police employed by security firms. This work product, however, must be based on contractual provisions or be directly tied to the structure of the policing agency within the jurisdiction. An excellent example of contracted arrangements is Wackenhut’s

214

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

agreement with the Durham Transit Authority to provide security on transit buses. A more comprehensive structural arrangement is illustrated by the San Francisco Patrol Special Police. This arrangement provides excellent accountability methods and is directly connected through various structural components to the San Francisco Police Department. These examples provide useful models for consideration by those who seek to implement public safety services within public environments.

7.5.3

LEGAL/LICENSING STANDARDS The legal limitations on private police regarding arrest powers and the use of force have been demonstrated. It is recommended that private police officers be vested with some governmental authority. Currently, there are three basic alternatives, as Figure 7-4 shows:

X

X

X

Private Citizen

Special Police

Peace Officer

Figure 7-4 Continuum of Governmental Authority The figure depicts a continuum. On one extreme are private citizen arrest powers. On the other extreme are peace (police) officer arrest powers. In the middle are special police powers, which combine the private citizen role with the arrest powers of a peace officer (public police officer). Peace officer arrest powers are only available to the special police officer when he or she is on duty. This limitation should not be considered problematic as it does not affect the work such officers are paid to perform (Pastor, 2006). Certain benefits follow from being “blessed” by government, such as a moral and legal authority that most citizens respect. The pronouncements and actions of an officer with governmental authority are much more likely to be complied with. The common response that “I don’t have to listen to you; you are not the police” would be largely negated with this connection to governmental authority. Without this designation, a private police officer is simply one private citizen telling another private citizen what to do. This approach would give municipal police departments a larger force without the financial and operational challenges of employing more police officers. In addition, this special police designation may carry with it the protection of qualified immunity. Qualified immunity acts as a liability shield to protect the officer (and his or her employer) from civil lawsuits. Although this shield is not available for reckless or malicious conduct, it protects the reasonable and prudent officer who makes a mistake in judgment or behavior. Further, it

Protection of Assets  Copyright © 2012 by ASIS International

215

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

reduces the legal exposure of the security firm and the insurance costs associated with the service provision (Pastor, 2006). Licensing standards directly relate to the issue of legal authority. To perform the work of the public police, private police officers should be trained and selected in a manner commensurate with their functional work product. In furtherance of this goal, ASIS International has promulgated the Private Security Officer Selection and Training Guideline, which states that “security officers … must also be able to work closely and effectively with public safety personnel” (ASIS International, 2004). The guideline is by far the most comprehensive approach to addressing the training and selection of security officers. It recommends state regulation regarding background investigations, training, continuing education, insurance, licensing, and oversight bodies. In addition, it suggests selection criteria for new hires, including criminal history, education, citizenship, fingerprinting, photographs, drug screening, and other personal information related to the applicant. Each of these factors will go a long way toward establishing more professionalism in the security industry generally and in those private police officers who operate within the public realm. Since the actions of private police officers are likely to be much more visible in the public realm, the need to meet or exceed these criteria is of critical importance (Pastor, 2006). Still, the training and selection standards need not be equivalent to those for public police officers, who typically receive 600 to 800 hours of training. Instead, the best practice would be to develop a training curriculum that focuses on the particular role or function to be performed. The different levels and types of training would then be regulated through governmental licensure. The proposed training and licensing continuum could be illustrated as follows:

PUBLIC

Traffic Control

Patrol Officer

Tactical Officer

Detective

SWAT HBT

PRIVATE

Desk/Greeter

Building Patrols

Street Patrols

Investigator

Nuclear Utility Infra-Strt.

License:

A

B

C

D

E

Copyright by James F. Pastor, 2005.

Figure 7-5 Functionality/Criticality Continuum

216

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

In this model, the key is to assess both the function and criticality of the job. As the complexity of the work increases, or as the critical nature of the task increases, the level of training and licensing should also increase. A comparison can be found in vehicle licensing standards. For passenger vehicles, the typical training and licensing requirements are basic. As the type of vehicle becomes more difficult to operate (e.g., a tractor-trailer), or as the nature of the cargo becomes more important to protect (e.g., passengers in a bus or dangerous chemicals in a tank car), the need for better trained and more highly skilled drivers also increases (Pastor, 2006). The key is to train and license security officers in a manner that adequately prepares them for the expected work product. For example, the tasks of a desk greeter differ substantially from the tasks of a security officer at a nuclear power plant. Each should be trained and licensed at a different level. The licensing should range from class A to D or E, depending on the particular legislative approach. Similarly, training hours should range from 20 or 40 at minimum to 200 to 600 for street patrols and critical infrastructure security (Pastor, 2006). Finally, the issue of accountability of private police should be addressed. Private police must be—and must be perceived as—accountable to the community, the law, and the larger society. Real and specific mechanisms must be in place. One of the most telling conclusions from Pastor’s research is that privatized policing arrangements must develop formal accountability standards and methods (Pastor, 2003). There are several avenues for enhancing accountability. First, specific operating procedures must be developed to address the realities of the job. Without such guidance, there is simply too much discretionary decision making in the fluid environment of the street. Indeed, discretion without judgment formed through proper guidance and experience is a recipe for disaster. Second, a community-based board should be established to oversee the operations of private policing firms. Just as community policing is designed to get the community involved in the day-to-day operations of the police, this oversight board can work with administrators of the security firm to direct and guide approaches to community problems. Unlike community policing, however, a contracted relationship provides for a more authentic client-based service because the security firm can be fired. A police agency does not face this ultimate sanction. Too much of the current community policing model is based on the rhetoric of community decision making, without much actual decision-making authority. Local police administrators should also work with this oversight board, helping to coordinate the activities of both the public and private police officers. The last critical element of accountability is to have some well-defined process for addressing citizen complaints. This should be done by a separate board vested with subpoena powers, the ability to conduct hearings, and the legal authority to levy warnings, fines, and other employ-

Protection of Assets  Copyright © 2012 by ASIS International

217

PRIVATE POLICING IN PUBLIC ENVIRONMENTS 7.5 The Future of Private Policing

ment and contractual remedies (Pastor, 2006). Such authority could be granted to various existing government agencies, such as a department of professional regulation or a civilian oversight board that monitors police misconduct. However the board is constituted, it must be able to deal with the types of complaints common to police departments (Pastor, 2006). In conclusion, the coming years are likely to bring many challenges. All nations will be faced with varying levels of political unrest, financial constraints, and the threat of violence and terrorism. These factors cannot be completely avoided. The challenges ahead present a massive potential market for security firms. Just as the new asymmetric form of warfare is changing the way the military confronts and combats terrorism, so too police agencies must reinvent their way of policing. This transformation will leave a gap in how public safety services are delivered. Security firms are uniquely prepared to bridge this gap and deliver order maintenance and related services. The former president of the Illinois Association of Chiefs of Police notes that in the current climate what was once considered a professional relationship between the public and private sectors has now become a professional necessity (Braglia, 2004). This professional necessity presents the largest increase in business opportunities for security firms since the 1850s, when security personnel policed the American Wild West. This opportunity, however, is a double-edged sword, replete with pitfalls for the unwary (Pastor, 2006). The desire for professionalism in private policing must center on an even more basic purpose: the safety of individuals and communities and the stability of their way of life. The threat of terrorism is designed not only to kill people and damage property, but also to destroy the social fabric. Those in the security industry, especially those protecting public environments, trophy or symbolic buildings, and critical infrastructure, will be in the front lines of this asymmetric conflict. Advancing standards and principles of professionalism is the best defense (Pastor, 2006).

218

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

REFERENCES ASIS International. (2010). Private security officer selection and training guideline. Available: http:// www.asisonline.org [2011, December 8]. Bailin, P. (2000, November). Gazing into security’s future. Security Management. Bayley, D. H., & Shearing, C. D. (2001). The new structure of policing. Washington, DC: National Institute of Justice. BBC News. (2004). Private ‘police’ confuse public. Available: http://www.bbc.co.uk/1/hi/uk/3664365. stm [2006, May 23]. Benson, B. L. (1990). The enterprise of law: Justice without state. San Francisco, CA: Pacific Research Institute for Public Policy. Benson, B. L. (1997). Privatization in criminal justice. Washington: National Institute of Justice. Bilik, A. (1992). Privatization: Defacing the community. Labor Law Journal, pp. 338-343. Blyskal, J. (1996, March 16). Thugbusters. New York. Braglia, F. T. (2004, Winter). Public-private law enforcement: A win-win partnership, Command. Brown, C. (2004, December). Outsourcing police jobs: Cops replaced by civilians to cut costs. American Police Beat. Bureau of Justice Assistance. (2005). Engaging the private sector to promote homeland security: Law enforcement–private security partnerships. Carlson, T. (1995). Safety Inc.: Private cops are there when you need them. Policy Review, 73, Summer. Chaiken, M., & Chaiken, J. (1987, June). Public policing—privately provided. Washington: National Institute of Justice. Clemow, B. (1992). Privatization and the public good. Labor Law Journal, Vol. 43, pp. 344–349. Clotfelter, C. T. (1977). Public services, private substitutes and the demand for protection against crime. The American Economic Review, 67(5). Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends. American Sociological Review, 44, 588–607. Covington, J., & Taylor, R. B. (1991). Fear of crime in urban residential neighborhoods. The Sociological Quarterly, 32(2), 231–249.

Protection of Assets  Copyright © 2012 by ASIS International

219

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

st

Cox, S. M. (1990). Policing into the 21 century. Police Studies, 13(4), 168-177. Cruickshank, K. (1994, November). Frenchman’s Creek provides the ultimate in security. Manager’s Report, No. 8. Cunningham, W. C., Strauchs, J. J., & Van Meter, C. W. (1990). Private Security Trends 1970- 2000: The Hallcrest Report II. Boston: Butterworth-Heinemann. Dalton, D. R. (1993, January). Contract labor: The true story. Security Management. Davis, R. C., & Dadush, S. (2000). The public accountability of private police: Lessons from New York, Johannesburg, and Mexico City. Vera Institute of Justice. Available: http://www.vera. org/download?file=225/privatepolice.pdf [2006, December 8]. DiIulio, J. J. (1995). Ten facts about crime. Washington, DC: National Institute of Justice. Donahue, J. D. (1989). The privatization decision. New York: Basic Books. Farnham, A. (1992, December 28). U.S. suburbs are under siege. Fortune. Fisher, B., & Nasar, J. L. (1995). Fear spots in relation to microlevel physical cues: Exploring the overlooked. Journal of Research in Crime & Delinquency, 32(2), 214–239. Geyelin, M. (1993, June 1). Hired guards assume more police duties as privatization of public safety spreads. The Wall Street Journal. Gibbs, J. P., & Erickson, M. L. (1976). Crime rates of American cities in an ecological context. American Journal of Sociology, 82, 605–620. Goldberg, C. (1994, December). New roles for private patrols. Security Management. Gordon, C., & Brill, W. (1996, April). The expanding role of crime prevention through environmental design in premises liability. Washington, DC: National Institute of Justice. Hebdon, R. (1995). Contracting out in New York State: The story the Lauder Report chose not to tell. Labor Studies Journal, 20(1), 3–24. Institute of Management & Administration. (2001, May). Security Director’s Report. Jackson, P. I. (1984). Opportunity and crime: A function of city size. Sociology & Social Research, 68(2), 173–193. Johnston, L. (1992). The rebirth of private policing. London: Routledge. Kaplan, Robert (1994, February). The coming anarchy. The Atlantic Monthly.

220

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

Kelling, G. (1995, May/June). Reduce serious crime by restoring order. The American Enterprise. Kolpacki, T. A. (1994, November). Neighborhood watch: Public/private liaison. Security Management. Lewis, D. A., & Maxfield, M. G. (1980, July). Fear in the neighborhoods: An investigation of the impact of crime. Journal of Research in Crime & Delinquency, pp. 160–189. Linowes, D. F. (1988). Report of the President’s Commission on Privatization—Privatization: Toward More Effective Government. Washington: U.S. Government Printing Office. Liska, A. E., Lawrence, J. J., & Sanchirico, A. (1982). Fear of crime as a social fact. Social Forces, 60(3), 760–770. Litsikas, M. (1994, September). Security system installations up in 1994. Security Distributing & Marketing. Meadows, R. J. (1991). Premises liability and negligent security: Issues and implications. Journal of Contemporary Criminal Justice, 7(3), 112–125. McKenzie, E. (1994). Privatopia: Homeowner associations and the rise of residential private government. New Haven, CT: Yale University Press. McLennan, B. N., ed. (1970). Crime in urban society. London: Cambridge University Press. McLeod, R. (2002). Para-police. Toronto: Boheme Press. Miller, W. R. (1977). Cops and bobbies: Police authority in New York and London, 1830–1870. Chicago, IL: University of Chicago Press. Miranda, R. A. (1993). Better city government at half the price. In Chicago’s Future in a Time of Change, Richard Simpson, ed. Champaign, IL: Stipes. Mokwa, J., & Stoehner T. W. (1995, September). Private security arches over St. Louis. Security Management. Moore, M. H., & Trojanowicz, R. C. (1988, November). Corporate strategies for policing. National Institute of Justice Perspectives on Policing, No. 6. Morgan, D. R. (1992). The pitfalls of privatization: Contracting without competition. American Review of Public Administration, 22(4), 251-268. National policy summit: Building private security/public policing partnerships to prevent and respond to terrorism and public disorder. (2004). Washington, DC: U.S. Department of Justice. Nemeth, C. P. (1989) Private security and the law. Cincinnati, OH: Anderson.

Protection of Assets  Copyright © 2012 by ASIS International

221

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

Olick, M. (1994, December). Private response: The no response solution. Security News. Oliver, W. M. (2004). Community-oriented policing: A systematic approach to policing. Upper Saddle River, NJ: Prentice Hall. Operation Cooperation: Guidelines for partnerships between law enforcement and private security organizations. (2000). Washington: Bureau of Justice Assistance. Palango, P. (1998, January 12). On the mean streets: As the police cut back, private cops are moving in. MacLeans. Pastor, J. F. (2003). The privatization of police in America: An analysis & case study. Jefferson, NC: McFarland. Pastor, J. F. (2005, November). Public safety policing. Law Enforcement Executive Forum, Vol. 5, No. 6, pp. 13–27. Pastor, J. F. (2006). Security law & methods. Burlington, MA: Butterworth-Heinemann. Patterson, J. (1995, January). Forging creative alliances. Security Management. Perez, E. (2002, April 9). Demand for security still promises profit. The Wall Street Journal. Prenzler, T. (2005). Mapping the Australian security industry. Security Journal, 18(4), 51–64. Reppetto, T. (1974). Residential crime. Cambridge: Ballinger. Reynolds, M. O. (1994). Using the private sector to deter crime. National Center for Policy Analysis Policy Report No. 181. Available: http://www.ncpa.org/pub/st181 [2006, December 8]. Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall. Robinson, F. W. (1996, February). From blight to bliss. Security Management. Robinson, M. (1997, April 30). Why the good news on crime. Investor’s Business Daily. Sarre, R. (2005). Researching private policing: Challenges and agendas for researchers. Security Journal, 18(3), 57–70. Savas, E. S. (2000). Privatization and public-private partnerships. London: Chatham House. Schine, E., Dunham, R. S., & Farrell, C. (1994, December 12). America’s new watchword: If it moves, privatize it. Business Week. Seamon, T. M. (1995, September). Private forces for public good. Security Management.

222

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

Shearing, C. D., & Stenning, P. C. (1983). Private security: Implications for control. Social Problems, 30(5), 493–506. Shenk, J. W. (1995, May). The perils of privatization. The Washington Monthly. Short, V. (2001). Kent County Council creates its own private police force. Available: http:// www.wsws.org [2006, May 23]. Simeone, M. J. (2006, May). The power of public-private partnerships: P3 networks in policing. The Police Chief. Smith, L., & Hill, G. D. (1991). Victimization and fear of crime. Criminal Justice and Behavior, 18(2), 217–240. Spencer, S. (1997). Private security. Phoenix Mosaic Group. Available: http://web.archive.org/ web/20010303062708/http://www.onpatrol.com/cs.privsec.html [2006, December 8]. Spitzer, S., & Scull, A. T. (1977). Privatization and capitalist development: The case of the private police. Social Problems, 25(1): 18–28. Stephens, G. (2005, March/April). Policing the future: Law enforcement’s new challenges. The Futurist, Vol. 39. Tolchin, M. (1985, November 29). Private guards get new role in public law enforcement. The New York Times. Walinsky, A. (1993, July). The crisis of public order. The Atlantic Monthly. Walmington, J. (2005). Good guys must seize and control turf. The Toronto Sun, December 31, 2005. Available: http://www.torontosun.com [2006, June 25]. Walsh, W. F., Donovan, E. J., & McNicholas, J. F. (1992). The Starrett Protective Service: Private policing in an urban community. In Gary W. Bowman et al. (eds.), Privatizing the United States Justice System. Jefferson, NC: McFarland. Warner, S. B., Jr. (1968). The private city. Philadelphia, PA: University of Pennsylvania Press. Wessel, R. H. (1995, October). Privatization in the United States. Business Economics. West, M. L. (1993, March). Get a piece of the privatization pie. Security Management. Youngs, A. (2004, January). The future of public/private partnerships. FBI Law Enforcement Bulletin. Zielinski, M. (1999). Armed and dangerous: Private police on the march. CovertAction Quarterly. Available http://mediafilter.org/caq/caq54p.police.html [2006, December 8].

Protection of Assets  Copyright © 2012 by ASIS International

223

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

ADDITIONAL READING Benson, B. L. (1996). Are there tradeoffs between costs and quality in the privatization of criminal justice? Journal of Security Administration, 19(2), 19–50. Blakely, E. J., & Snyder, M. G. (1997). Gating America. Available: http://www.asu.edu/caed/ proceedings97/Blakely [2004, October 28]. Clutterbuck, R. (1975). The police and urban terrorism. The Police Journal. Crenshaw, M., ed. (1983). Terrorism, legitimacy and power: The consequence of political violence. Middleton, CT: Wesleyan University Press. Cunningham, W. C., & Taylor, T. H. (1994). The growing role of private security. National Institute of Justice. Davis, J. R. (1982). Street gangs: Youth, biker and prison groups. Dubuque, IA: Kendall-Hunt. DuCanto, J. N. (1999). Establishment of police and private security liaison. Manuscript presented th at 45 Annual Seminar of the American Society for Industrial Security International, Las Vegas, Nevada. Ezeldin, A. G. (1987). Terrorism and political violence. Chicago, IL: University of Illinois at Chicago Press. Feliton, J. R., & Owen, D. B. (1994, September). Guarding against liability. Security Management. Graham, T., & Gurr, T., eds. (1971). History of violence in America. Princeton, NJ: Princeton University Press. Greisman, H .C. (1979). Terrorism and the closure of society: A social impact projection. Technological Forecasting and Social Change, Vol. 14. Law Enforcement and Industrial Security Cooperation Act of 1996. (1996). H.R. 2996, 104 Congress.

th

Kolderie, T. (1986). The two different concepts of privatization. Public Administrative Review, 10(2), 285–290. Landman, K. (2003). National survey of gated communities in South Africa. Available: http:// www.gatedcomsa.com [2006, June 20]. McGoey, C. E. (1999). Gated communities: Access control issues. Available: http://www.crime doctor.com/gated.htm [2006, June 20].

224

Protection of Assets  Copyright © 2012 by ASIS International

PRIVATE POLICING IN PUBLIC ENVIRONMENTS References/Additional Reading

Nalla, M. & Newman, G. R. (1991). Public versus private control: A reassessment. Journal of Criminal Justice, 19, 414–436. Pastor, J. F. (2005). Terrorism & public safety policing. Crime &Justice International, 21(85), 4–8. Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall. Trojanowicz, R. C., & Carter, D. L. (1990, January). The changing face of America. FBI Law Enforcement Bulletin. U.S. Department of Justice (2004). Crime in the United States. Available: http://www.fbi.gov/ about-us/cjis/ucr/crime-in-the-u.s./2004 [2006, June 23]. Wardlaw, G. (1982). Political terrorism: Theory, tactics and counter-measures. Cambridge: Cambridge University Press. Waugh, W. L. (1982). International terrorism. Salisbury, NC: Documentary Publications. Wolf, J. B. (1981). Fear of fear: Survey of terrorist operations and controls in open societies. New York, NY: Plenum. WSOC-TV. (2006). Private police patrols begin in Charlotte. Available: http://www.wsoctv.com/ news/7561311/detail.html [2006, May 23]. Young, R. (1977). Revolutionary terrorism, crime and morality. Social Theory and Practice, Vol. 4.

WEB SITES http://www.cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin/ http://www.met.police.uk/projectgriffin/ http://www.intelligarde.org http://www.sfpatrolspecpolice.com

Protection of Assets  Copyright © 2012 by ASIS International

225

CHAPTER 8 CONSULTANTS AS A PROTECTION RESOURCE

8.1

THE VALUE OF CONSULTANTS Security executives, just like other corporate executives, encounter times when they need professional expert advice or guidance. At the same time, companies without a formal security function may need to call on outside help to aid in a specific security-related task. In either scenario, executives seek out external expertise for many reasons, such as the lack of time or in-house specialized knowledge. They also may desire an independent, objective assessment, fresh ideas, or the flexibility to hire personnel as needed. Security consultants, niche professionals within the greater security industry, are the principal resource for such assistance. On occasion, knowledgeable individuals within a company may be called in to help, but typically, professional security consultants are the resource security or corporate executives turn to for guidance. Independent security consultants are often viewed as an invaluable resource since they do not promote or sell a product but rather assess actual needs and recommend a mix of security solutions to reduce threats. For companies faced with liability concerns, an objective, third-party study of critical issues is often preferred over an in-house analysis. Security consultants provide the company with that objectivity, which is a distinct advantage when dealing with common security issues such as liability and due diligence. Some companies also stagnate from a lack of ideas and turn to consultants who can provide much-needed out-of-the-box thinking. Others look to

Protection of Assets  Copyright © 2012 by ASIS International

227

CONSULTANTS AS A PROTECTION RESOURCE 8.1 The Value of Consultants

outside resources because they are not as susceptible to corporate politics or bureaucratic red tape. Finally, contracting with outside resources is often less expensive than hiring additional staff as no capital outlay or payroll overhead is necessary, especially if the work is periodic and therefore does not warrant the creation of a full-time position. Though consultants are commonly accepted within today’s organizations, executives may encounter some resistance from middle management and line employees, who may perceive that their jobs are in jeopardy. Though this perception is mostly unfounded, it is an issue that the consultant and management must address. Resistance to the use of a security consultant usually reflects one or more of the following concerns: x

Asking for outside help suggests that the security staff is incompetent.

x

A negative report from an outsider reflects unfavorably on the security program and the organization.

x

The organization and its policies and procedures could be compromised by an outsider who would become intimately familiar with the enterprise.

Despite these objections, modern management practices used by executives in every organizational function show that many benefits are derived by maximizing the use of outside consultants. Similarly, security executives can augment their resources by bringing in temporary talent to solve a host of problems and challenges while reducing costs and enhancing the status of the security department and its employees.

228

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.2 Types of Security Consultants

8.2

TYPES OF SECURITY CONSULTANTS Security consultants can be classified into three major categories: security management consultants, technical security consultants, and security forensic consultants. Additionally, a security consultant or security advisory committee may be an internal resource to assist company or security executives in identifying and solving security problems before they warrant outside involvement.

8.2.1

SECURITY MANAGEMENT CONSULTANTS This category of consultants represents the largest group within this niche profession. Invariably, security management consultants specialize in a certain discipline, which comprises the foundation of their expertise (and reputation). Management consultants assist the client in managing the protection strategies for the business. The list of specialties is only limited by those institutions and commercial endeavors in society today, such as healthcare, manufacturing, transportation, banking and finance, and retail. Understanding a consultant’s specialty is an important qualifier, however. For example, suppose a retail firm opts to bring in a security consultant to assess its distribution system. Based on this specific need, the retailer would want to search for security consultants with expertise in retail security, loss prevention, or supply chain management. Similarly, a theme park may seek the services of a security consultant to review and possibly rewrite the security department’s policies and procedures manual. A consultant experienced in theme park security and policy development would clearly be the logical expert to undertake this assignment. The targeted focus of these two examples underscores a very important aspect of security consulting called the scope of work. That topic is addressed later in this chapter. Security consultants with specialties other than retail or amusement parks might also be effective in addressing the needs posed in the previous examples. Experts in warehouse operations, over-the-road trucking operations, delivery services, or shipping and receiving all might qualify for the retail assignment, and a retail security or loss prevention consultant might be fully capable of dealing with the theme park’s needs. In fact, many security management consultants are generalists within the security discipline. For example, a consultant who has a strong background in banking and finance will almost certainly have a general knowledge of related specialties such as investigations, physical and electronic security, and preemployment screening. While some of these may appear to be technical specialties, management consultants will not cross into technical specifics. They may be able to provide the functional concepts of a security system, but they will not be specialists in the detailed design of the system.

Protection of Assets  Copyright © 2012 by ASIS International

229

CONSULTANTS AS A PROTECTION RESOURCE 8.2 Types of Security Consultants

8.2.2

TECHNICAL SECURITY CONSULTANTS Consultants in this category have special technical expertise. They generally focus on certain types of security applications, such as the following: x

physical security and system integration

x

IT security

x

personnel security

x

convergence

x

legal issues and other regulations

x

engineering

x

liability and due diligence

x

security personnel and protective force management

Technical security consultants specialize in translating the concepts and functionality provided by the security management consultant into detailed blueprints and equipment specifications. This capability requires years of technical training and experience. Some technical security consultants also provide management services, such as writing security procedures and policies, but they might also subcontract those services to a security management consultant. Security executives often call upon technical security consultants to assist with new construction or renovation projects. These consultants can work with the architects and design engineers to ensure that the needed security systems, such as access control, video surveillance, and alarm monitoring, are integrated into the initial designs. Drawing on his or her technical understanding of blueprints and design documents, the technical consultant can uncover security concerns in the plans before they are finalized. Finally, this consultant can recommend security hardware and software that is compatible with other building systems and takes advantage of the overall planning concepts. Addressing these issues in the design stages keeps security in the forefront of planning, which ensures that the security agenda receives adequate attention. Using a technical consultant in this way saves money because it eliminates having to retrofit security into a structure once it’s built.

8.2.3

FORENSIC SECURITY CONSULTANTS Forensic consulting deals with investigation, identification and collection of evidence, identification of vulnerabilities, mitigation strategies and litigation. A forensic security consultant may be referred to as an expert witness, an outdated term that is quite broad and implies expertise on any issue. The forensic security consultant works exclusively on security-related issues.

230

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.2 Types of Security Consultants

Both security management consultants and technical security consultants may undertake forensic assignments in civil lawsuits that involve a security-related matter. An example might be defending a claim of excessive use of force by the security employee of a nightclub when an intoxicated patron was physically ejected and, in the process, sustained serious injuries. Alternatively, a consultant might be called on to testify in a false arrest lawsuit where a shopper was detained for shoplifting, but the evidence proved no crime or theft had occurred. The judicial system relies on experts who, in these examples, would be allowed to testify as to whether the use of force by the security employee was reasonable or excessive and whether there was probable cause for the shoplifting detention. Some corporate risk managers have relied on security consultants with forensic experience to evaluate incidents to determine if the claim of negligence is warranted or if insurance demands hold merit. Some major security departments, working with their insurance carrier, insist that certain forensic security consultants be retained in their defense based on prior cases in which the consultant aided in successful litigation. (These topics and related subjects are discussed at length in the Protection of Assets volume on legal issues.)

8.2.4

SECURITY ADVISORY COMMITTEE Security advisory committees are an internal resource that can be formed to assist corporate executives and chief security officers in their efforts to ensure that current security measures are adequate. Should changes be warranted, the committee can help ascertain whether the problem can be corrected through internal resources or should be referred to an external consultant. An example of a policy statement that authorizes such a committee follows: The purpose of the security advisory committee is to critically examine the security program to ensure that all company assets are being protected, to maintain general oversight over the program, and to assist the corporation in meeting corporate and government requirements.

The committee, chaired by a project coordinator, reviews the corporate security program at least quarterly to determine if any additional protective measures are needed and advises on any changes to policies or procedures. The group can review new program suggestions in light of their effect on the company as a whole, on specific organizational units, and on employees. Criticism or suggestions from supervisors or employees can be fielded by committee members, and recommendations for corrective action can be considered. Committee members should represent key corporate functions. Also, they should have attained stature and creditability within the organization and have sufficient information about the company’s operation to enable them to offer useful opinions about actions that should be taken by internal security staff or by outside consultants.

Protection of Assets  Copyright © 2012 by ASIS International

231

CONSULTANTS AS A PROTECTION RESOURCE 8.3 How to Use a Consultant

8.3

HOW TO USE A CONSULTANT Consultants can provide many services, as outlined in the lighthearted “Alphabetical Soup of Consulting” (Sennewald, 2004, p. 8) shown in Appendix A. The decision to retain security consulting services is typically driven by a specific problem, need, challenge, or goal. For example, a grocery store chain facing numerous violent crimes at one of its stores may hire a consulting firm to determine the best ways to reduce the opportunities for crime to occur at a specific store or across the enterprise. If the scope of work is limited to a specific store, the company’s management may ask the consultant to determine the level of crime at that particular property and then make recommendations for security changes. In reality, however, the consultant will typically conduct a more thorough crime analysis, which can be defined as follows (Vellani & Nahoun, 2001, p. 2): Crime analysis is the logical examination of crimes which have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants, as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma.

Through the analysis, the consultant will first determine what crimes have occurred in the store and its parking lot. The consultant then evaluates the specific security measures in place where the crimes occurred and makes note of any additional measures that should be in place to block future opportunities for crime. In making recommendations, the independent security consultant seeks to develop an effective mix of security solutions. That mix may include a combination of architectural design and crime prevention methods known as crime prevention through environmental design (CPTED), changing the environmental design, updating policies and procedures, adding security personnel, and upgrading the physical security requirements. Clients should be concerned if a non-independent consultant promotes only one product or a limited range of security measures. Effective security programs typically include a well-thought-out array of security measures. Nearly every security executive has had a program, request, or recommendation rejected by his or her management. For example, a recommended series of barriers in a protection plan, known as security-in-depth, may be proposed. Competition for resources is a fact of organizational life, and there may be alternate claims on the resources required to implement the barriers. An independent consultant can review the proposal and provide objective advice as to whether the proposed barriers are an efficient and cost-effective method of reducing a security exposure. Also, a consultant should be able to identify whether the barriers will create additional hazards or issues and, if so, how these can be addressed In the previous example,

232

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.4 How to Find a Security Consultant

the outsider can see what those who worked at the store every day could not see, another example of the effective use of a consultant who can look at an issue with a fresh set of eyes. Management is usually amenable to a consultant’s ideas, since he or she draws on experience from other companies and can speak to industry norms. At times, consultants are even asked to arrange meetings among clients from several companies to discuss industry best practices. The consultant should remain above company politics, however. Delving into company politics is an unnecessary distraction that only complicates the issues and costs the company time and money.

8.4

HOW TO FIND A SECURITY CONSULTANT Most security executives today know one or more security consultants, and these connections are a logical starting point for locating a consultant suited to a specific assignment. However, the more professional the consultant, the more restrictive he or she will be in accepting a particular assignment. Most consultants specialize and may not see themselves as suited for every need. Clients should be cautious of a consultant claiming to be able to address all aspects of security. One of the best sources for finding a consultant is a referral from a colleague, preferably in a similar business. Companies without security connections should look into industry associations that have consultants as members. In the security industry, many independent consultants belong to the International Association of Professional Security Consultants and ASIS International. Consulting associations with members in a variety of fields are another alternative. The Institute of Management Consultants is one such organization. Other sources to consider are industry-specific associations such as the Building Owners and Managers Association, the Institute for Real Estate Management, and the International Association of Chiefs of Police or any of their local equivalent organizations. A search of the Internet will reveal many more security associations worldwide, including the International Professional Security Association, Professional Information Security Association, and Information Systems Security Association.

Protection of Assets  Copyright © 2012 by ASIS International

233

CONSULTANTS AS A PROTECTION RESOURCE 8.5 Selecting a Security Consultant

8.5

SELECTING A SECURITY CONSULTANT Selecting a security consultant that meets a company’s needs requires thoughtful consideration of various candidates’ credentials and personal interviews. As a guide, and after defining the scope of work, the following five steps can be used when selecting a consultant:

Step 1:

Identify candidates.

Step 2:

Invite candidates to submit an application.

Step 3:

Evaluate the applications.

Step 4:

Interview the top two candidates.

Step 5:

Negotiate an agreement and finalize the selection.

To identify candidates, the first step, company representatives should talk to peers and colleagues to elicit suggests of consultants they know. Additional names may be gleaned from industry associations. Placing an advertisement in related publications may also bring in candidates. In the second step, the company should develop a custom application that asks for basic information from each candidate that can be used for comparison. A sample application is shown in Appendix B. As an alternative, the company can ask the candidates to submit letters outlining their services, and the sample in Appendix B can be used as a checklist. Candidates should be asked to attach a copy of their curriculum vitae (CV) to the application or letter. In jurisdictions where security consultants are required to be licensed or registered, appropriate proof must be provided. A sample CV is shown in Appendix C. The application and the CV provide a uniform way to compare the credentials of each candidate. Also, having to provide both an application and a CV may discourage someone with weak qualifications from applying. Thus, the documents themselves may disqualify poor candidates. During step three, the quality of the documents and the candidates’ credentials are compared. Another source of useful information can come from prior clients, and several should be contacted from a list provided by the applicants. As top candidates emerge, a background investigation should be performed by contacting references and using a structured interview process to evaluate responses. The two top candidates should be interviewed personally by at least two representatives of the company, the fourth step in the hiring process. To help the discussion, the candidate

234

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.5 Selecting a Security Consultant

should be asked to bring redacted work samples to the interview for review. The same or very similar questions should be put to each candidate so the interviews are comparable. Questions should probe the candidate’s security philosophy to ensure that it is a close fit with the company’s policies. If possible and when the scope of work includes physical security measures, the candidate should be given a brief tour of the facility prior to the interview to become familiar with the facility. If the candidate does not live locally, the company should negotiate the cost of bringing the candidate to the company, or an employee should travel to the consultant’s location for a personal interview. Teleconferencing is an interview option, but a poor one. In the final step, negotiations begin with the top candidate. Subjects to be negotiated are the scope of work, the product to be delivered, the methodology, the timing, and related expenses. If negotiations with the first candidate prove unsatisfactory, the company should move quickly to the next choice. Once negotiations are successfully concluded, the company should be prepared to present the consultant with a contract. An example of a professional consulting services agreement is shown in Appendix D. The documents shown in Appendix E and Appendix F cover supplementary agreements that define the consultant’s responsibility for handling company proprietary information or government classified documents and conflicts of interest. These points should be discussed with the consultant and all forms should be signed before work commences.

Protection of Assets  Copyright © 2012 by ASIS International

235

CONSULTANTS AS A PROTECTION RESOURCE 8.6 Consulting Fees and Expenses

8.6

CONSULTING FEES AND EXPENSES There are no bargains in the consulting profession. Other professionals, such as physicians and lawyers, follow the same fee strategy. The doctor with the best skills or the attorney with the best reputation and practice will receive the highest fees from patients or clients. Likewise, the security consulting profession has its own fee structure based on levels of expertise. As with other professional disciplines, time and quality must be considered when analyzing a range of consulting fees. A low fee might actually prove to be more costly in the long run because a less skillful consultant might take longer to complete the assignment satisfactorily. Also, the security industry has a long and rocky history of keen competition based on the awarding of contracts to the lowest bidder. To increase their competitive advantage, some security product and service companies will offer consulting services at a very low rate. Clearly, the objectivity of the resulting recommendations must be questioned if the consultant believes the solution might lead to the purchase of that company’s services or equipment. If the fee proposed by a potential consultant seems to be a bargain, the client should remember the Latin phrase caveat emptor: let the buyer beware! The basis for higher billing by some medium-sized or large consulting firms, as opposed to the independent sole proprietor or small consulting firm, often reflects a higher overhead. The costs billed by individual consultants as well as by larger firms include direct charges, such as time and travel, and overhead costs, such as office rental, clerical help, proposal expense, publications, and professional taxes and licenses. As a result, a consultant’s daily rate does not equate to an annual income since consultants may not work every day of the year but their expenses continue. Consultants, like other professional service providers, typically use software to track the time and expenses related to each client’s project. In some cases, consultants keep a project journal while others monitor activity through simple spreadsheets. Consultants may also use specific billing software such as QuickBooks. No matter how the consultant tracks and bills his or her time, the client should review payment options and choose the one that fits the company’s accounting scheme as well as the type of consulting assignment. Five options should be considered: hourly fees, daily fees, fixed fees, not-to-exceed fees, and retainers. The company should also set parameters on how miscellaneous and regular expenses should be billed and approved.

236

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.6 Consulting Fees and Expenses

Hourly Fees Paying a consultant an hourly fee is unusual in security management consulting, but it does happen. This arrangement is most applicable when the assignment is expected to last less than a day, but the exact amount of time needed is unclear. In this scenario, the client and consultant could agree to “let the meter run” for the actual time spent. An example might be a case where management is considering moving an employee to a new assignment, and the consultant is retained to meet and interview the employee at a convenient time. If the company expects the interview will only take 2.5 hours, the consultant could agree to be paid for just that amount of time. Forensic consulting is often billed by the hour, however. If a corporate legal or risk management office brings in a security consultant for advice on how to avoid litigation, evaluate a case, or arrange a settlement, the time is calculated by the hour and any fraction thereof.

Daily Fees The daily fee is calculated by multiplying the consultant’s hourly rate by eight. In reality, this arrangement often benefits the client because an eight-hour day can easily be extended for any number of legitimate reasons, unless the contract clearly defines the number of hours in the consultant’s day. Security consultants know that the time needed to meet the agreed goal and submit a final report might exceed the typical day. Depending on the number of days in the agreement, the consultant might propose a certain number at a fixed daily rate and a slightly reduced rate for every day thereafter. Clearly, the daily fee can be flexible based on the nature of the task and the services required.

Fixed Fees A flat or fixed fee is the total amount to be paid by the client to the consultant for the completion of a consulting assignment. More often than not the fixed fee includes all expenses, so only one amount is negotiated. The consultant’s office time and expense calculations, which could be based on his or her hourly rate plus an hourly rate for the office staff, is translated into an estimate of what is needed to deliver the end product. This arrangement is generally agreed to when the number of days required to accomplish the work can be estimated accurately and controlled by the consultant. Usually a fixed fee will only be acceptable to a consultant if the work to be done is limited to a study that is not complex. The advantage to the client is that the company can easily compare competitive bids and budget the exact amount that will be needed to complete the required work. Fixed fee arrangements are usually not appropriate if the work involves implementing a recommended program because the consultant often has to rely on other employees from the client’s company to perform or arrange for the actual work. The danger in this case is that the consultant could lose control of the time that could be spent but must absorb any

Protection of Assets  Copyright © 2012 by ASIS International

237

CONSULTANTS AS A PROTECTION RESOURCE 8.6 Consulting Fees and Expenses

overtime. The scope of work in these situations must be very carefully defined to protect both the client and the consultant.

Not-To-Exceed Fees A not-to-exceed pay arrangement, similar to the fixed fee, is the consultant’s guarantee that the total cost or time will be limited to the parameters agreed to in the contract. In this instance, the consultant agrees that any costs connected with unforeseen events or delays will not be passed on to the client, unless the client agrees to pay them. The difference between not-to-exceed and fixed fees is this arrangement allows for a lesser fee than originally estimated. For example, the consultant might state that he or she expects to complete a task in five days but that the time spent is not to exceed seven days. If the task is completed in five or six days, then the client just pays for that amount of time. If the task should take eight days, the client still only pays for seven.

Retainers A company that wishes to use a consultant on a regular basis might prefer to pay a retainer. In this arrangement, the consultant agrees to work a specified number of days each year for that client, and the client is guaranteed access to the consultant when needed. In a retainer agreement, consultants typically provide their services at a substantially discounted rate. For example, the agreement might state that the consultant will provide or be available to the client for two days each month at a fixed rate per day, or 24 days a year at a set annual price. In this case, the client is assured of receiving services for the minimum number of days covered by the retainer. The consultant, on the other hand, is guaranteed an income. Retainers can be quite negotiable. The client might use all of the agreed-upon days in the first half of the year or only use the consultant less than half the days in the contract. The consultant keeps the retainer even if the minimum days provided are not used by the client. However, some consultants dislike committing to a retainer because it can cause scheduling problems. For example, the consultant might be in the middle of a project for one client when an urgent problem surfaces at another company that has already paid a retainer to that consultant. To avoid this difficulty, it is recommended that retainer agreements identify specific days to be applied to the client in specific months. If a schedule cannot be arranged, then the consultant can agree to commence working for the client on the first available day after notice is received. Other options in a retainer agreement could cover the days used by the client in excess of those in the contract. In one example, the client would continue to pay the discounted rate for any extra days. In another case, those excess days would revert back to the consultant’s normal fee.

238

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.6 Consulting Fees and Expenses

Miscellaneous Arrangements Other fee arrangements can be beneficial to both the client and the consultant. For example, the consultant could agree to accept some equity in the client’s business for part or all of the consulting fee. Alternatively, the fee could be set as a percentage of the savings realized as a consequence of the consultant’s work, although this option is not common in security management consulting. If such innovative fee concepts are proposed, both parties should seek adequate legal counsel while drafting an agreement to ensure that the interests of both are adequately defined. A clear, binding agreement is the cornerstone for avoiding costly litigation or work disruption.

Expenses The cost of outside consultants must allow for reasonable expenses to cover project-related activities such as transportation, living costs, telephone, secretarial services, and reproduction. Consulting expenses can sometimes be reduced if the consultant is allowed to use amenities and services available at a client’s facility. Such items as clerical assistance, office space, and reproduction services might be provided on-site. Consultant support is discussed in more detail later in this chapter. Expenses are usually reimbursed at actual costs, which should be substantiated by expense reports submitted by the consultant. A reimbursement arrangement might also be based on a per diem for living expenses plus actual costs for transportation and other expenses. Both the consultant and the client must clearly understand how expenses will be paid and what expenses are reimbursable. Any limitations on amounts to be spent should be defined. For example, if the daily allowance for hotel accommodations and meals is a set amount, the consultant should be informed of that limit during the selection process. A common rule of thumb is that the consultant should receive the same travel allowances as those given to members of the client’s senior management. Although commonly accepted business practice limits air travel costs to coach accommodations unless first class or business class accommodations are specifically approved, the client should not assume that everyone understands or agrees with this policy. International travel almost always involves at least two days of travel time (to and from the destination) and sometimes more. Special arrangements should be made for compensation in these situations. The bottom line in expense negotiations is that the details must be discussed and agreed upon at the outset of the relationship. Most professional security consultants will have their own forms and methods of providing clients with necessary and appropriate records of time and expenses. To ensure that potential clients are aware of the requirements, the forms and policies in Appendices G through J show expense reports and guidelines that apply to consulting situations.

Protection of Assets  Copyright © 2012 by ASIS International

239

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

8.7

WORKING WITH CONSULTANTS Once the contract is signed but before the consultant actually begins to work, senior and functional managers as well as those employees who may be affected by the consultant’s activities should be made aware of management’s decision to retain the services of a security consultant. The announcement, preferably from the chief executive officer, should underscore the expectation of employee cooperation and assistance, which will facilitate the successful completion of the consulting project. A consulting project coordinator, often a member of the security advisory committee, should be assigned to work with the consultant and monitor progress. That person can provide adequate information about the organization and provide assistance. Clear specifications for the project should be outlined in a scope of work, which should include a work plan, progress reports, and a final report.

8.7.1

COORDINATING THE PROJECT To facilitate and coordinate the project, some companies designate a sole representative to serve as project coordinator, typically the chief security officer (CSO) or vice president (VP) of security. He or she works closely with the consultant during the project without any other management involvement. Other clients create a temporary security project committee, often a spin-off from the security advisory committee, to facilitate the project. The committee should be chaired by the project coordinator, again the CSO or VP of security. If the project coordinator is temporarily unavailable, a designated alternate should fill in and respond to the consultant in a timely way so that the work is not delayed. The project manager should strive to include someone from within the organization who can act as the project sponsor. A good candidate for this role is the individual who may have originally suggested the concept that led to the consulting project. Both the consultant and the project manager will find this person a valuable resource and ally throughout the course of the project. The mission of the project coordinator and the committee is to be a liaison between the consultant and the company, and that task is critical. Committee members should represent the sectors of the company involved in the work. They should be completely familiar with the organization and the project and have sufficient credibility and clout in the company to effectively meet the needs of the consultant, such as collecting data or scheduling interviews.

240

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

8.7.2

ORGANIZATIONAL ORIENTATION The project coordinator should arrange an orientation for the consultant, at which he or she can be briefed on the backgrounds and responsibilities of key personnel in the organization before meeting them personally. The consultant should also be made aware of any role each individual might play in the completion of the assignment. The orientation should include an organizational chart and background data about the company, including the operating environment, key assets and functions, internal and external relationships relevant to the project, specific legislative or regulatory controls, a history of the enterprise, the philosophy of top management, and the company’s competitive position. If the client is a public company, copies of the latest annual report to shareholders, as well as relevant governmentrequired disclosure filings, should be provided. The more information the consultant has, the better he or she will be at meeting the client’s expectations. To that end, the results of previous projects of a similar nature undertaken by the company should be discussed with the consultant. Also, any unique or unusual situations that might be encountered within the organization should be brought to light. All companies have their own cultural idiosyncrasies. If the consultant is not made aware of potential problems, some action, seemingly minor to the consultant, could trigger an incident and negatively affect the project and everyone associated with it. On the other hand, consultants are expected to be objective and independent observers with the freedom—in fact the obligation—to state the facts, even if they point out idiosyncrasies that could affect the outcome or success of the consultant’s work. When a client seeks a consultant for work in a different country, the consultant is expected to have a knowledge of the culture and customs of the country, working conditions, local legislative requirements, visa requirements and conditions, etc.

8.7.3

LEVELS OF ASSISTANCE A consultant’s time costs money, and the project coordinator should arrange to see that all the necessary assistance and support is provided in a timely way. Advice or assistance may be required from related departments, such as legal, industrial relations, public relations, and finance. Technical help may also be solicited from qualified in-house talent. Company personnel may need to prepare letters, memorandums, and reports generated as a result of the project. Reports or other data specified in the contract are usually prepared by the consultant. Consultants are often given access to sensitive information. Therefore, nondisclosure agreements are necessary to protect the company. More information on nondisclosure agreements can be found in the Protection of Assets volume on legal issues.

Protection of Assets  Copyright © 2012 by ASIS International

241

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

A method for the proper handling of sensitive information developed or collected during the progress of the work should also be devised. Such data could even be embarrassing to the organization or its employees if it became known either inside or outside the organization. Sensitive information could also include the conclusions or recommendations of the consultant. Such information should be safeguarded by a limited number of individuals and only be handled by personnel known to be trustworthy. Most importantly, written consulting reports are subject to discovery by an adverse party in a lawsuit. Consideration should be given to identifying the proper custodian and location for reports that might be sought through subpoena. Visits to other companies, other clients of the consultant, or other corporate locations may be required. Such visits can often be expedited if the project coordinator assumes the responsibility for making arrangements, such as procuring security clearances, airline or company airplane schedules and tickets, rental cars, and hotel reservations. The consultant’s methodology is critical to the success of the project. The methodology should be sound and widely accepted within the industry. It would be impossible to outline every method that could be used to complete the myriad projects taken on by security consultants. Nonetheless, potential clients can review industry guidelines for various types of projects. Commonly accepted and widely used methodologies in the security industry are ASIS International’s General Security Risk Assessment Guideline, the International Association of Professional Security Consultants’ Forensic Methodology Best Practice and ISO Standard 31000, Risk Management.

8.7.4

SCOPE OF WORK From the very beginning, candidates for consulting assignments should understand the scope and objective of the project. This information should be part of the initial request for quote and also be included in a written contract. However, it should not be assumed that these few paragraphs will be enough for the consultant to begin work and perform adequately. Before the actual consulting assessment begins, the client and consultant should review the project’s objectives, goals, scope of work, and deliverables. The project coordinator should participate in the review along with project committee members and any others who may be affected by the work to be done. The “scope of work” refers to the central objective of the consulting task, or the clear focus of the effort. Suppose the scope of work is to “reassess the company’s distribution system to identify procedural deficiencies that could or do contribute to cargo losses.” In the performance of the work, every physical inspection, interview, and document examined should be

242

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

guided by and limited to that objective. The initial project review, then, should address the strategies that will achieve the objective. This review also updates those who did not participate in the selection process and gives everyone an opportunity to ask questions and clarify points. The consultant is now a member of the team and should ask and answer questions that might not have been appropriate in the earlier discussions. A common occurrence in consulting projects is referred to as “scope creep,” meaning the scope of work grows after the contracts have been signed and the work has begun. This phenomenon may be raised by either party and for myriad reasons, often out of necessity. Caution flags should be raised, however, when the consultant is being paid an hourly rate and the project could grow to exceed budget limitations. While expanding the scope of work is often necessary, it should only be done with both parties agreeing to it in writing as an addendum to the contract.

8.7.5

WORK PLANS Once the scope of work has been agreed upon, a work plan should be developed with the project coordinator. Tasks and priorities can be determined, assignments made, and completion schedules established. Deadlines should be converted to milestone charts, if appropriate, so the project can be reviewed periodically. The frequency of work product reviews can also be specified and scheduled during this planning stage. Information that the project coordinator and others will need to furnish to the consultant can also be defined, and a schedule established for its delivery. Especially in lengthy projects, the project coordinator and the consultant should hold frequent progress meetings to ensure that the project is on schedule. Ultimately, the consultant is responsible for ensuring that the project stays on the right course while traversing any unanticipated hurdles posed by corporate politics or culture. Measurement of the project’s progress, sometimes referred to as an earned value analysis, should be conducted by the consultant and project coordinator during these meetings to ensure that the project objectives described in the scope of work are being met. Those responsible for gathering information or performing support tasks should understand that deadlines are important. If they are not met, the efforts of the consultant may be hampered or work on the project may come to a halt. The project coordinator should assume responsibility for ensuring that deadlines are met and that the project is on schedule at all times.

Protection of Assets  Copyright © 2012 by ASIS International

243

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

8.7.6

PROGRESS REPORTS The progress of the consultant’s work can be monitored by scheduling periodic meetings and requiring written reports, which can be specified in the work plan with the caveat “if deemed necessary.” Great discretion must be exercised in the frequency and length of meetings. Progress meetings should be attended by all personnel working on the project as well as by interested management representatives. The coordinator, as the key company representative, might personally record, publish, and distribute the results of the meeting or might assign another team member to take minutes. The minutes should outline decisions made during the meeting, detail the progress of the work, and specify any work assignments and deadlines. The frequency of project review meetings and written reports will, of course, depend to a great extent on the size and complexity of the project. Scheduling review meetings too often will interfere with work to be done, but if they are not scheduled often enough, control of the project could be jeopardized. If the exchange during the meetings is adequate, the group may choose to forego interim reports. They may also be skipped if the project is short, about 10 to 15 days, and if the review meeting reports are satisfactory.

8.7.7

FINAL REPORTS A final written report should be delivered for all consulting projects including a technical consulting assignment, although the project’s end result should be a functioning system. But it is absolutely essential in a security management consulting project where the end product consists of recommendations and advice, which must be implemented in the future. A final report should begin with an executive summary, then address the results achieved, and conclude with the recommendations. A simple approach to the report content is to make the sequence consistent with the scope of work. The results section should identify whether all the established goals were met, whether any items included in the work plan were not accomplished, and the reasons why an item was not completed. The recommendations should define any additional work that needs to be done together with suggestions on how to accomplish it. Sometimes a final briefing for top management is specified in the statement of work or requested at the project’s conclusion. The salient features of the written report can be incorporated into such a briefing, which should be done by the consultant. The project coordinator and others from the company should be on hand to give advice and assist in the briefing since they will be most familiar with the requirements of top management.

244

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE 8.7 Working with Consultants

If the report itemizes recommendations, each should be numbered for future reference, as follows: Recommendation #23: Use of part-time police officers to protect cash offices should be discontinued. Security for cash offices should be in the form of operating procedures and state-of-the-art physical barriers, including a two-door “man trap” with remote electronic access control.

The acceptance and subsequent implementation of that recommendation could be called Project #23. If additional work is to be implemented as a result of the consultant’s efforts, the final written report should include enough detail so that personnel in the client organization can complete the tasks by following the guidelines included in the report. After reviewing the report, however, the client may decide that additional assistance from the consultant will be required to implement the recommendations. In that case, an additional contract or a contract amendment should be prepared for the consultant’s signature, and a new scope of work to implement the recommendation should be defined. For example, suppose a security consultant has completed a vulnerability study for an organization and recommends a comprehensive protection program. Once the final report is presented, the organization’s management realizes that they will need to hire one or more experienced security professionals to implement and manage the recommended program. The consultant might then enter into a contract with the company to search for and prequalify a security executive to implement and manage the recommended program. The usual fee for this kind of service is 25 percent to 30 percent of the new security executive’s salary for the first year, plus expenses incurred during the search.

Protection of Assets  Copyright © 2012 by ASIS International

245

CONSULTANTS AS A PROTECTION RESOURCE 8.8 The Future of Consulting

8.8

THE FUTURE OF CONSULTING st

As new business and societal events of the 21 century unfold, the use of consultants by security and other corporate executives will most likely trend upward. For example, when companies downsize, they frequently lose in-house specialists but add them when needed by hiring consultants. As a result, many consultants are zeroing in on a specialty, which they then can provide to many clients. An example might be crime analysis. In the past, companies may have had security employees who focused on this task. Today, however, those employees have been promoted or have moved on to perform more generalized security functions. When companies encounter a case where crime analysis is needed, they turn to consultants who specialize in this niche. Another trend can be seen in the way consulting fees are established. Rather than bill at hourly rates, many consultants are moving toward project-based pricing. Based on the scope of work, experienced consultants can accurately assess the time needed to complete a project. This arrangement is of great benefit to companies that use consultants since they have a closed-end cost that can be used for accurate budgeting. Both of the trends mentioned have led to a third: consulting alliances. Consultants with specialties have seen the need to provide a range of services to a client when completing a project, and they have teamed with other consultants to broaden their professional offerings. For example, a security management consultant who recommends upgrading a company’s access control system may form an alliance with a technical security consultant who can actually specify, bid, and oversee the installation of the recommended system. Similarly, a forensic security consultant may testify in a case brought against a client because of a security deficiency, and then bring in an allied security management consultant to recommend how to rectify the deficiency. In all cases, understanding how to work effectively with a security consultant is the key to a successful outcome, for both the consultant and the client.

246

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix A: Alphabetical Soup of Consulting

APPENDIX A ALPHABETICAL SOUP OF CONSULTING (Sennewald, 2004) Advise management on what’s current … that is, “state of the art.” Build bridges between security and other departments. Clarify and rewrite security policies, procedures, etc. Define organizational goals and mission statements. Expedite security projects. Forecast protection needs in the future. Guide management in the selection of personnel, equipment, and services. Help hire qualified security personnel, especially at the executive level. Identify problems. Judge past and present performance. Kindle new enthusiasm or interest. Launch new programs by conducting orientation meetings. Modify security operations when and where appropriate. Negotiate on behalf of management for optimum contracts. Objectively evaluate security programs, present and future. Present new ideas and strategies. Qualify senior security candidates for management’s consideration. Review security budgets. Supplement the security management staff on a temporary basis. Train security employees. Uncover unproductive policies, practices, and programs. Validate existing or planned activities. Warn management of risks and unnecessary exposure. Yield unbiased and honest opinions. Zealously provide the highest order of professional assistance and guidance.

Protection of Assets  Copyright © 2012 by ASIS International

247

CONSULTANTS AS A PROTECTION RESOURCE Appendix B: Application for Consulting Assignment

APPENDIX B APPLICATION FOR CONSULTING ASSIGNMENT

Power Munitions, Inc. Name of consultant ______________________________________________________________________ Name of consultant’s firm ________________________________________________________________ Address of consultant’s firm _______________________________________________________________ Consultant’s phone ______________________ E-mail address __________________________________ Consultant’s Web site ____________________________________________________________________ Consultant’s primary expertise ____________________________________________________________ Last position prior to becoming a consultant ________________________________________________ Last employer ___________________________________________________________________________ Date consultant left last employer__________________________________________________________ Date consultant commenced practicing as a consultant ______________________________________ Total years practicing as a consultant _______________________________________________________ Years of education ___________ University/college __________________________________________ Professional/academic designations _______________________________________________________ Professional affiliations and memberships __________________________________________________ Length of such memberships _____________________________________________________________ Awards or recognition for achievement in the security industry ________________________________ If published, identify works _______________________________________________________________ ________________________________________________________________________________________ Basic consulting fee ______________________________________________________________________

248

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix B: Application for Consulting Assignment

Reference #1: Name of client _____________________________________________________________ Name of contact person _____________________________________________________ Phone number of contact person _____________________________________________ E-mail address of contact person _____________________________________________ Primary thrust of that consulting project ______________________________________ Length of that consulting project _____________________________________________

Reference #2: Name of client _____________________________________________________________ Name of contact person _____________________________________________________ Phone number of contact person _____________________________________________ E-mail address of contact person _____________________________________________ Primary thrust of that consulting project ______________________________________ Length of that consulting project _____________________________________________

Attach copies of professional indemnity (or equivalent) insurance certificates. Attach copies of liability insurance certificates (or equivalent).

Protection of Assets  Copyright © 2012 by ASIS International

249

CONSULTANTS AS A PROTECTION RESOURCE Appendix C: Curriculum Vitae

APPENDIX C CURRICULUM VITAE

CHARLES A. SMITH, CPP EMPLOYMENT HISTORY x

Air Policeman, USAF, 3 ⁄2 years

x

Deputy Sheriff, Los Angeles County, 6 years

x

Chief of Security, Claremont Colleges, 2 years

x

Director of Security, The Broadway Department Stores (52 major stores in 4 states), 18 years

1

TEACHING HISTORY x

Lecturer, Chaffey and Orange Coast Colleges, 1 year

x

Assistant Professor, California State University at Los Angeles, 13 years

EDUCATION x

B.S. Degree, Police Science & Administration, California State University at Los Angeles

LITERARY CONTRIBUTIONS

250

x

Effective Security Management, Security World Publishing, 1978; 2 Ed., 1985; 3 Ed., 1998; th 4 Ed., 2003

x

The Process of Investigation, Butterworth Publishing, 1981; 2 Ed., 2001

x

Security Consulting, Butterworth Publishing, 1989 2 Ed., 1995; 3 Ed., 2004

x

Shoplifting, (co-author) Butterworth-Heinemann Publishing, 1992; 2 Ed., 2003

x

Shoplifters vs. Retailers, The Rights of Both, New Century Press, 2000

x

Author of numerous articles and chapter contributions to a number of security industry books as well as to Protection of Assets

nd

rd

nd

nd

rd

nd

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix C: Curriculum Vitae

PROFESSIONAL AFFILIATIONS AND ACCOMPLISHMENTS x

Founder and first president, International Association of Professional Security Consultants (IAPSC)

x

Holder of the professional designation Certified Management Consultant, CMC

x

Holder of the professional designation Certified Protection Professional, CPP

x

Member, ASIS International

x

Member, Institute of Management Consultants

x

Past president and member, International Foundation for Protection Officers (Canada)

x

1979 recipient of Security World Magazine’s Merit Award

x

U.S. Security Industry Representative to Stockholm and Copenhagen in 1981 and to Hong Kong, Taipei, and Tokyo in 1983, by appointment of the U.S. Department of Commerce

x

1995 recipient of the IAPSC Distinguished Service Accolade

CURRENT POSITIONS (1979 TO THE PRESENT) x

Consultant to corporate management

x

Consultant to the legal profession

x

Security industry seminar lecturer

Charles A. Smith, CPP • 450 Riverlake Run • Eastward, CA 92000 • (760) 757-7575

Protection of Assets  Copyright © 2012 by ASIS International

251

CONSULTANTS AS A PROTECTION RESOURCE Appendix D: Professional Consulting Services Agreement

APPENDIX D PROFESSIONAL CONSULTING SERVICES AGREEMENT THIS AGREEMENT, made as of ____________________________________ between an individual, _______________________________________ hereinafter referred to as the “Consultant,” and Client, hereafter “Company,”

WITNESSETH: WHEREAS Company and Consultant desire to enter into an agreement for the performance by Consultant of professional services in connection with activities of Company. NOW, THEREFORE, in consideration of the premises and of the mutual promises herein, the parties hereto agree as follows:

1. RETAINER-TERM. This agreement is made with Consultant as an independent contractor and not as an employee of Company. The Company hereby retains Consultant and Consultant agrees to perform professional services for the Company commencing the date set forth above and concluding _____________________ (date). 2. STATEMENT OF WORK. The work described in the attachment hereto entitled “Scope of Work” and incorporated herein shall be performed by Consultant as requested from time to time by Company, at such place or places as shall be mutually agreeable. 3. PAYMENT. (a) Company shall pay Consultant at the rate of ____________ for each ______________________________ spent on the work hereunder during the terms of this agreement. Unless and until revised by a written amendment to this Agreement, Company shall not be obligated to Consultant and Consultant shall not be entitled to payment from Company for more than ____________ days/hours. Time spent in travel hereunder during normal working hours or otherwise, if requested by Company, shall be paid for at the above rate. (b) Company shall pay or reimburse Consultant for travel and other appropriate expenses incurred in the performance of work hereunder in accordance with the attachment hereto entitled: “Consultant Expense.” 4. PATENT RIGHTS. Consultant will disclose promptly to Company all ideas, inventions, discoveries and improvements, hereafter referred to as “Subject Inventions,” whether or not patentable, relating to the work hereunder which are conceived or first reduced to practice by Consultant in the performance of the work under this agreement and based upon nonpublic information of the Company disclosed to or acquired by Consultant during this consulting assignment. Consultant agrees to keep a written record of his technical activities and that all such records and such Subject Inventions shall become the sole property of Company. During or subsequent to the period of this agreement, Consultant will execute and deliver to Company all such documents and take such other action as may be reasonably required by Company to assist it in obtaining patents and vesting in the Company or its designee title to said Subject Inventions.

252

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix D: Professional Consulting Services Agreement

5. COPYRIGHTS. Consultant agrees that all writings produced by Consultant under this agreement shall be the sole property of Company and Company shall have exclusive right to an assignment of copyright in such writings in any country or countries; however, Company will make its best efforts to grant a non-exclusive right to Consultant to publish such writings when circumstances, including security regulations, will permit. 6. PROFESSIONAL STANDARDS. Consultant agrees that the work performed hereunder will represent best efforts and will be of the highest professional standards and quality. 7. SECURITY. Company agrees to apprise Consultant of any information or items made available hereunder to Consultant which are Classified or Restricted Data, and Consultant agrees to comply with the security requirements imposed with respect thereto by the United States Government or the Company. If it becomes necessary for Consultant to store classified material at a place of business, other than the Company, a facility clearance will be required. In this event, Consultant agrees to enter into a security agreement with the Department of Defense and to maintain a system of security controls in accordance with the requirements set forth in “Department of Defense Industrial Security Manual for Safeguarding Classified Security Information.” Consultant further agrees that any classified material furnished to him by the Company will be immediately returned to the Company upon termination of either the security agreement or this Professional Services Agreement. 8. RISK OF LOSS. Consultant assumes all risk of personal injury, and all risk of damage to or loss of personal property furnished by him. If Consultant employs others to perform work under this Agreement on premises of the Company, Consultant agrees to furnish proof acceptable to the Company of Commercial General Liability insurance in an amount not less than $ [______]. 9. PRIVILEGED OR PROPRIETARY INFORMATION. Except as maybe required in the performance of the work, Consultant agrees not to divulge any non-public, Company information acquired by him as a Consultant to the Company from any source, including the Company, its customers and associates or other contractors, without the prior written consent of the Company. 10. TERMINATION. Either party may terminate this agreement in whole or in part at any time by giving written notice to the other.

IN WITNESS WHEREOF, the parties hereto have executed this agreement as of the day and year first above written.

By Company

By Consultant

Date

Date

Protection of Assets  Copyright © 2012 by ASIS International

253

CONSULTANTS AS A PROTECTION RESOURCE Appendix E: Consulting Security Agreement–Joint Certification

APPENDIX E CONSULTING SECURITY AGREEMENT—JOINT CERTIFICATION

[Name] [City/State/Zip Code]

of

[Street Address] Consultant, and the Company (hereinafter

called “Contractor”), hereby certify and agree as follows:

(1)

Classified information shall not be removed physically from the premises of the Company.

(2)

Performance of the contract shall be accomplished on the premises of the Company.

(3)

The Consultant and certifying employees shall not disclose classified information to unauthorized persons.

CONSULTANT

Date

By: ____________________________________

Date: __________________________________

254

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix F: Conflict of Interest Statement

APPENDIX F CONFLICT OF INTEREST STATEMENT

The undersigned warrants that, to the best of the undersigned consultant’s knowledge and belief, and except otherwise disclosed, there are no relevant facts which could give rise to an organizational conflict of interest and that the undersigned consultant has disclosed all relevant information. The undersigned agrees that if an organizational conflict of interest is discovered, an immediate and full disclosure in writing shall be made to the Contracting Officer which shall include a description of the action which the undersigned has taken or proposes to take to avoid or mitigate such conflicts.

Consultant

Date

Protection of Assets  Copyright © 2012 by ASIS International

255

CONSULTANTS AS A PROTECTION RESOURCE Appendix G: Professional Services Log

APPENDIX G PROFESSIONAL SERVICES LOG

Consultant Contract Number Contract Period Number of days

Requestor/Monitor

Instructions:

1. Record information on same day work is performed. 2. Compare completed form(s) with Statement of Professional Services submitted by consultant for accuracy and completeness. 3. Fully explain all off-site work charge and car rental approvals. Consultant’s invoice should correspond with the approval(s). 4. If more space is needed, use reverse side.

Date

Time

Job Order

Identify Project or Task and Provide a Brief Description and Evaluation of Work Performed (Reference documents prepared by Consultant)

Signature of Requestor/Monitor: __________________________________________________________

(Retain this log for a minimum of 3 years)

256

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix H: Statement of Professional Services

APPENDIX H STATEMENT OF PROFESSIONAL SERVICES Consultant

Week Ending

20

Address City/State/Zip Code Instructions: To facilitate prompt payment for consultant services and expenses, it is requested that the following procedure be adopted.

1. Completely fill out the form below. (A separate form should be submitted for each trip, except for consultants who live in the local area.) 2. Attach all vouchers, receipts, tickets, etc. 3. This statement must be signed by the consultant. 4. Retain a copy for your files and send the original to your Corporation monitor.

SERVICES: Project Designation

ENTER DATES JOB

CONTRACTS MON. TUE. WED. THUR. FRI.

Total Hours/Days

SAT. SUN.

TOTALS

$

TRANSPORTATION EXPENSES: (Attach all receipts) From

Date

To

Date

Cost

Transportation Cost $

Protection of Assets  Copyright © 2012 by ASIS International

257

CONSULTANTS AS A PROTECTION RESOURCE Appendix H: Statement of Professional Services

OTHER EXPENSES: ITEM (Enter dates)

Totals

Meal

$ _____

Lodging

$ _____

Auto Rental (1)(2)

$ _____

Taxi or Local Bus (2)

$ _____

Telephone (2)

$ _____

Personal Car Mileage (3)

$ _____

Parking (1)

$ _____

Other (2)(4)

$ _____ Amount Due $

(1) Attach all receipts (2) Attach receipt if more than $5.00 (3) Mileage will be paid at current rate (4) Please Explain: ______________________________________________________________________

Consultant Signature

Date

Approved by

Date

Audited by

Date

COPY DISTRIBUTION: Accounting, Consultant’s Monitor

258

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix I: Policy on Consultant’s Expenses

APPENDIX I POLICY ON CONSULTANT’S EXPENSES All Consultants traveling on Company business must substantiate expenses incurred while in travel status. To fulfill the Company’s travel policy reporting requirements, the Consultant must submit a properly documented and approved travel expense report within 30 days after completion of each trip. The original receipts, paid bills, or similar documentary evidence are required for all expenditures except meals. However, receipts need not be submitted for expenses for which they would not ordinarily be given; such as taxi or bus fares under $10.00 (one way). The Consultant must keep an expense diary to substantiate the claim for reimbursement, and should retain it permanently as a personal record unless requested to submit it with the travel expense report. The requirements imposed by the Company with respect to substantiation of the above expenses conform to the documentation requirements of IRS regulations. Substantiation in accordance with Company policy is therefore considered to fulfill IRS requirements.

Travel Expenses Consultant shall be reimbursed for actual and necessary personal expenses incurred during travel authorized by the Company for lodging, subsistence, incidental expenses, and tourist-class transportation costs or mileage at the current rate per mile when use of Consultant’s automobile is authorized in lieu of air travel. Transportation costs, other than in the local area, shall not exceed the cost of tourist accommodations unless schedules and availability of space do not permit this class of service, or unless otherwise agreed. Consultants who live within commuting distance of the organizational entity contracting for services are not reimbursed for meals, or mileage. Company authorized travel between work locations is reimbursable. (Commuting distance is interpreted as being in the immediate vicinity or within 50-mile radius of the assigned work location.) When Consultant is retained from outside the local area and a rental car is authorized upon arrival at the work location area, the Company will be responsible for rental car charges necessary and incidental to the work; mileage charges attributable to personal use are to be borne by the Consultant.

Telephone and Other Telecommunications Expenses The Company shall reimburse Consultant for reasonable and necessary telephone and other telecommunications expenses.

Protection of Assets  Copyright © 2012 by ASIS International

259

CONSULTANTS AS A PROTECTION RESOURCE Appendix I: Policy on Consultant’s Expenses

Other Expenses The Company shall reimburse Consultant for all other reasonable and necessary expenses incurred by Consultant in the performance of work hereunder, provided that written approval of the Company is obtained and Consultant certifies that such expenses were necessary and incidental to the work. Without limiting the foregoing, such expenses by way of example shall include costs of using computers and rental of test equipment.

Substantiation of Expenses IRS Regulations require substantiation by, both adequate records and sufficient documentary evidence of the expenses to which they apply. They require that the following elements be substantiated: (a) Amount (b) Time (c) Place (d) Business purpose (e) Business relationship

260

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix J: Consultant Travel Policy

APPENDIX J CONSULTANT TRAVEL POLICY The Company Travel Policy and Practice applies primarily to employees. Nonetheless, the policy extends to consultants traveling on behalf of the Company. Consultants are expected to adhere to the provisions of the documents for purposes of establishing reasonableness and necessity for travel and related costs. Following are excerpts from referenced Travel Policy and Practice, which relate and offer guidance to consultants traveling on behalf of the Company.

Mode of Travel Individuals traveling on Company business are scheduled by the most direct transportation available. Air travel by jet will normally be limited to less-than-first class accommodations. Travel arrangements are made by the consultant and reported after completion of the travel on the Statement of Professional Services. No cash advances or tickets may be provided by the Company.

a. All taxi fares in excess of $10.00 (one way) must be supported with a receipt attached to the Statement of Professional Services. b. Use of premium or luxury accommodations for Company travel, such as first class jet, requires specific documentation, and will be limited to the following: (1) Situations where schedules and availability of space do not permit less-than-first class service. (2) Where overnight departures are scheduled between 9:00 p.m. and 6:00 a.m. (local [area] time) and flight time is four hours or longer. (3) Where the traveler has a physical disability requiring first class accommodations; such travel may be approved on the basis of a doctor’s certificate or the specific approval of the appropriate management. (4) First class accommodations may be authorized when in the judgment of line supervision, useful and necessary work can be accomplished while en route only in first class accommodations. Such travel requires the approval of the appropriate management.

Protection of Assets  Copyright © 2012 by ASIS International

261

CONSULTANTS AS A PROTECTION RESOURCE Appendix J: Consultant Travel Policy

Use of Personal Vehicles Consultant retained in the local area in which Consultant’s residence or office is maintained, and in which the consulting work will be accomplished, is not entitled to meals or to mileage reimbursement for travel between home or office and Company-assigned work location. Company authorized travel between work locations is reimbursable. Commuting distance is interpreted as being within fifty miles of the Company’s facility. Use of personal motor vehicles on Company business may be authorized for domestic travel, and is reimbursed at the current rate per mile but will not exceed the total cost of available less-thanfirst class air fare. Travel time allowed is limited to normal air travel flight time. Any personal vehicle travel time in excess of that limit is not chargeable to nor reimbursed by the Company. Use of such conveyances is authorized only when the consultant complies with the following requirements regarding minimum primary liability insurance coverage:

a. Motor Vehicles—The consultant must certify that the vehicles to be used on Company business are covered with bodily injury liability insurance of $250,000 per person and $500,000 per accident, and property damage liability insurance of $50,000 per accident. The Company does not reimburse a consultant for the deductible portion of the insurance if a collision or damage occurs while driving on Company business.

b. Use of personal aircraft, whether owned or leased, on Company business is prohibited.

Automobile Rental Automobiles may be rented by consultants on travel status as necessary to accomplish business objectives. Generally, an automobile may be rented if its prospective use will be at least twenty miles per day. Normally, automobile rental is not authorized for local travel. Automobile rentals must be approved and authorized in advance whenever possible. Automobile rentals, when authorized, provide for standard or compact model cars only. The excess cost over standard models for sports cars or luxury model rentals will not be reimbursed by the Company. Mileage charges attributable to personal use are not to be borne by the Company. The cost of automobile full collision insurance coverage purchased by the traveler from the rental agency will be reimbursed. Travelers using rented automobiles are responsible for:

a. Reporting accidents involving property damage or bodily injury promptly to the lessor, local law enforcement agencies, the consultant’s monitor, and the Company’s Security Control Center.

b. Returning the automobile to the lessor or an authorized representative.

262

Protection of Assets  Copyright © 2012 by ASIS International

CONSULTANTS AS A PROTECTION RESOURCE Appendix J: Consultant Travel Policy

Reporting Travel expenditures should be reported to the Company within thirty days of the completion of the trip. The original receipts, paid bills, or similar documentary evidence are required for all expenditures except meals. However, receipts need not be submitted for expenses for which they would not ordinarily be given: such as taxi or bus fares.

a. Expenses which are unusual in nature, such as reasonable and necessary costs of secretarial service, office equipment rental, and related expenditures shall be explained and justified in each instance.

b. Valet and laundry service, if required, are reimbursed for trips in excess of four days or under unusual circumstances which must be explained on the Professional Services Statement.

c. Consultants are reimbursed all reasonable and necessary actual expenditures for meals and lodging.

d. Telephone calls to the various Company facilities should be placed collect, and tie-lines should be used wherever available.

Lodging The maximum amount for lodging in the Company headquarters area considered “reasonable” by the auditors is _______________________ per night, including tax.

Meals The maximum amount considered “reasonable” for three meals per day in the Company headquarters area is _______________________.

Personal Losses Responsibility for loss of cash or loss of or damage to personal property is not assumed by the Company while the consultant is in travel status.

Deviations Deviations from the Company’s Travel Policy or Practice may be approved in specific instances, when unusual circumstances justify such action. Such deviations must be fully documented and approved by the appropriate management.

Protection of Assets  Copyright © 2012 by ASIS International

263

CONSULTANTS AS A PROTECTION RESOURCE References

REFERENCES nd

Cohen, W. A. (1985). How to make it big as a consultant, 2 ed. New York, NY: AMA COM. Forensic methodology best practice. (2000). International Association of Professional Security Consultants. General security risk assessment guideline. (2003). Alexandria, VA: ASIS International. Poynter, D. (1997). Expert witness handbook: Tips and techniques for the litigation consultant. Santa Barbara, CA: Para Publishing. rd

Sennewald, C. A. (2004). Security consulting, 3 ed. Woburn, MA: Butterworth-Heinemann. Vellani, K. H., & Nahoun, J. D. (2001). Applied crime analysis. Woburn, MA: ButterworthHeinemann. Weiss, A. (2001). The ultimate consultant: Powerful techniques for the successful practitioner. Somerset, NJ: Pfeiffer.

264

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 9 EXECUTIVE PROTECTION IN THE CORPORATE ENVIRONMENT

Executive protection—the field of safeguarding a key person from harm—is practiced in the private world (for wealthy persons), in civilian government (for a few persons in top-level positions or in jobs that place them in high-threat regions), in the military (for the highest-ranking officers), and in the corporate world (for senior executives, employees, visitors and family members of expats who work in or travel to dangerous locales). This chapter focuses on executive protection (EP) as practiced in the corporate sector for executives at high risk. The sections that follow describe the key elements of EP. The discussion covers such topics as the importance of EP, some philosophical underpinnings of the field, and specific methods of protection in various settings

9.1

HISTORY OF EXECUTIVE PROTECTION Political leaders have used bodyguards and special military details for protection throughout history. One of the earliest well-documented examples is the Cohors Praetoria, or Praetorian Guard, which began as a cohort of bodyguards for Roman generals in the second century BC and evolved to become a protective force surrounding the Roman emperors. Eventually, it became powerful enough to affect the appointment of emperors and was deemed to be a disruptive force. Roman Emperor Constantine I disbanded the guard in 312 AD (Praetorian Guard, 2004).

Protection of Assets  Copyright © 2012 by ASIS International

267

EXECUTIVE PROTECTION 9.1 History of Executive Protection

The Yeomen of the Guard was established by King Henry VII in 1485 to serve as the personal protection organization for the ruler of England. In the beginning, the yeomen provided travel security, attending to the king’s safety on journeys in Britain or overseas and in battle. They also guarded palace entrances and tasted the king’s food. The Yeoman of the Guard exists to this day but serves a mainly ceremonial function (Yeomen of the Guard, 2004). Other personal protection groups in history include the samurai of Japan, the medieval knights of many European states, the housecarls of Scandinavia, and the Vatican’s Swiss Guard. These precursors of today’s executive protection organizations were essentially military divisions that were assigned to protect a sovereign. The modern history of executive protection begins with the formation of the United States Secret Service in 1865. Originally established to investigate currency counterfeiting, the Secret Service did not undertake EP work until 1894, when it began informal, part-time protection of President Grover Cleveland. In 1901, Congress requested Secret Service presidential protection, again informally, following the assassination of President William McKinley. Finally, in 1902 the Secret Service assumed full-time responsibility for protecting the U.S. President. Two operatives were assigned full-time to the White House detail (Secret Service History—Timeline, 2004). Executive protection (EP) in its current, corporate sense—that is, practiced without the vast th resources and law enforcement powers of the federal government—appears to be a mid-20 century innovation. As corporations established security departments, those departments naturally looked to the protection of their top executives. At first, EP specialists—the actual protective personnel—were drawn from the ranks of former Secret Service agents, police department dignitary protection officers, and military personnel. Over time, another path to EP work developed: staff would rise through the ranks of corporate security and develop EP skills at private sector EP training programs. Such programs began to be seen in the early 1980s. Interest in corporate executive protection began to grow in earnest in the early 1990s as a result of a rise in all types of crime and the advent of workplace violence. The trend was fueled by mainstream media reports of high-profile executive kidnappings, which led to huge ransom payments and even deaths. Corporations began to see the value of providing their top executives with personal protection, and executives welcomed the comfort zone provided by having an EP specialist on staff. Organization such as ASIS International began offering courses on executive protection to train security professionals in this specialty. Demand for EP services grew further after the terrorist attacks of September 11, 2001. During the subsequent war on terror, interest remained high, as terrorist attention expanded to include “soft targets,” or persons who do not receive high-level government protection but play a role in international affairs and the world economy. Many corporations turned to EP for the first time at the urging of a corporate board that saw the potential for stock volatility should their high-ranking executives be targeted.

268

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.2 Research on Executive Protection

9.2

RESEARCH ON EXECUTIVE PROTECTION As a relatively new private security specialty, EP has not been the subject of any known formal studies. It is not a field that lends itself to clinical trials, testing by engineers, or reproducible experiments. Further, it is not yet practiced on a large enough scale to provide statistically significant research. Studies are also inhibited because persons receiving executive protection generally do not want to publicize that part of their security plans. In fact, secrecy is often literally a condition of the kidnap-and-ransom insurance policies that accompany such protection. Research has been conducted on the specific EP subtopic of assassination, however. The Exceptional Case Study Project performed by the U.S. Secret Service examined the thinking and behavior of 83 persons known to have attacked or come close to attacking prominent public officials and figures in the United States in the past 50 years. The following points are among the study’s key findings: x

Mental illness only rarely plays a key role in assassination behaviors. Attacks on prominent persons are the actions of persons who see assassination as a way to achieve their goals or solve problems, which requires fairly rational thinking. Those who made near-lethal approaches and the great majority of assassins were not mentally ill. While none were models of emotional well-being, relatively few suffered from serious mental illnesses that caused their attack behaviors.

x

Persons who pose an actual threat often do not make threats, especially avoiding direct threats. Although some who threaten others may pose a real threat, usually they do not. The research found that none of the 43 assassins and attackers communicated a direct threat to their targets before their attacks. This finding does not mean that individuals should ignore threatening communications. However, careful attention should also be paid to identifying, investigating, and assessing anyone whose behavior suggests that he or she might pose a threat of violence, even if the individual does not communicate direct threats to a target or to the authorities.

x

Attackers and those who made near-lethal approaches described having a combination of motives. Eight specific motives were identified: to achieve notoriety or fame; bring attention to a personal or public problem; avenge a perceived wrong; end personal pain, be removed from society, or be killed; save the country or the world; develop a special relationship with the target; make money; or bring about political change.

x

Inappropriate or unusual interest, coupled with action, increased the likelihood that the person may pose a threat. Inappropriate or unusual interest alone is not cause for great alarm. But if that interest also includes visits to the target’s home or office or attempts to approach the target in a public place, the case is more serious.

Protection of Assets  Copyright © 2012 by ASIS International

269

EXECUTIVE PROTECTION 9.3 Basics of Executive Protection

In addition, numerous articles and books have studied EP by examining and describing the way it is practiced in different settings. The references at the end of this chapter provide direction for additional reading.

9.3

BASICS OF EXECUTIVE PROTECTION In the corporate world, executive protection is a business measure taken to preserve the organization. EP is not a perquisite designed to pamper top staff; rather, where it is justified by a careful risk assessment (see EP Risk Assessment), it is a necessity to maintain the company’s ability to operate and to preserve confidence among employees, customers, and investors. Even an attack that causes no serious injury can bring unflattering attention to an organization and raise questions about its competence and preparedness. In times when the general risk level is elevated, EP strives to (Oatman, 2003) create an environment in which business can flourish. Executives face special dangers at present, but these threats are not all equally relevant to every company decision-maker. EP can help executives decide which dangers are serious and which are less so for their own unique situations. EP can also reduce those dangers, enabling executives to concentrate on business and giving them the necessary confidence to travel in search of opportunities.

9.4

FINANCIAL IMPLICATIONS OF EXECUTIVE PROTECTION Threats to an executive constitute a business risk. By protecting the executive, a valuable corporate asset, EP fulfills a legitimate part of the organization’s risk management mission. In addition, EP maximizes the utility of that asset, enabling the executive to live safely in, and move efficiently through, this dangerous world. Under proper protection, the executive need not focus on his or her personal safety and can concentrate fully on the business at hand. A good EP program costs less than the benefits it produces or the damage it prevents. The financial argument in favor of EP is, in fact, overwhelming. For example, assume that a corporation has a modest EP program, consisting of four EP specialists and an EP manager, which costs $300,000 per year. Then suppose the chief executive is kidnapped, murdered, or otherwise made incapable of running the company. The organization can expect three types of financial losses: its stock price may slide following release of the bad news, which can easily cost a company millions of dollars; the executive’s services will be lost either temporarily or permanently, which can be calculated conservatively as the compensation he or she would have been paid, again possibly millions of dollars; and employees may well be distracted from their work, which is difficult to quantify but surely significant. Thus, while the cost of the EP program was $300,000, the losses avoided could be millions of dollars.

270

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.5 Philosophy of Protection

In addition, the cost of the EP program should be offset by the positive benefits it provides, not just the avoidance of injury. If the EP program enables the executive to effectively work an extra hour each day because his or her transportation is facilitated to and from the office, for example, the corporation will have gained further productivity from its executive. A specific example of an extreme case of corporate losses after an attack against company principals occurred on July 1,1993, when Gian Luigi Ferri walked into the offices of the San Francisco law firm Pettit & Martin, hauling a black canvas bag stuffed with guns and ammunition. He entered a conference room and began shooting, then walked through two floors of the firm’s offices, continuing to shoot. Ferri, a disgruntled client, killed eight people, wounded six, and then shot himself. Less than two years later, the firm’s partners voted to dissolve the firm, which at its height in the 1980s had employed 240 lawyers (Chicago Tribune, 1993-1995).

9.5

PHILOSOPHY OF PROTECTION In the corporate sphere, the person who oversees executive protection may be the chief security officer (CSO) or a security manager or EP manager ranking below the CSO. The best approach is to establish a crisis management team during the preplanning stage. The person who performs the in-person, up-close service—who walks, rides, and flies with the executive— is usually called the EP specialist. The term “bodyguard” is not favored in the EP field because that term connotes a swaggering, blustery approach more like that of a bar’s bouncer who often physically intimidates troublesome people. By contrast, the favored approach in professional executive protection is to draw little attention to the principal as well as the protector. The EP specialist (EPS) should develop a particular mindset that focuses on preventing and avoiding trouble rather than combating it. The following six principles can guide one’s thinking about EP (Oatman, 1997): x

Prevent and avoid danger.

x

Realize that anyone can protect anyone.

x

Don’t stop to think.

x

Keep clients out of trouble.

x

Understand the security vs. convenience continuum.

x

Rely on brains, not technology.

Protection of Assets  Copyright © 2012 by ASIS International

271

EXECUTIVE PROTECTION 9.5 Philosophy of Protection

Prevent and avoid danger. The principal and the EP specialist should make a conscious decision to seize control of potential or real dangers that threaten the executive, deal with them firmly, and conquer them. Avoiding danger may not have been a driving character trait of either the EPS or the principal until they decided to engage in executive protection. Top executives are often risktakers, and individuals who become EP specialists often have backgrounds in law enforcement and the military, where a mindset of heading toward trouble, rather than retreating from it, prevails. Therefore, the executive and the EPS must make a deliberate, firm commitment to prevent and avoid danger. Good results—and good fortune—follow from thinking hard and working hard to stay at least a step ahead of trouble To accomplish this goal, the EPS and the executive do not need to passively sit back and receive what comes their way. Instead, they should reach out mentally to anticipate threats. To counter potential problems, the strengths of the protection program and the resources available to the EPS should be cataloged so they can be used when needed. Likewise, the protection program’s vulnerabilities should also be identified (undoubtedly, the adversary will find them). By predicting the adversary’s probable approach, he or she can be outwitted. Finally, the EP specialist should quietly control the principal’s risks. For example, hotel inspectors do not die if a poorly inspected hotel burns; the guests do. Therefore, the EPS can and should prevent and avoid danger by selecting hotels with proven safety records and even plotting fire escape routes and packing smoke masks.

Realize that with proper training anyone can protect anyone. While protecting another human being is a daunting task, the EP specialist can combine his or her personal strengths with those of others with different abilities. Perhaps a particular EPS is brave, intelligent, and strong but has little experience in defensive driving. In that case, the EPS can lobby for the hiring of a professional driver or can become one through training and practice. Although the most visible components of EP involve physical acumen—for example, driving cars, watching for attackers, or moving quickly to avoid threats—executive protection is primarily a brain game. Therefore, anyone—that is, anyone who is intelligent, trained, and physically fit—can protect anyone.

Don’t stop to think. A thoughtful, deliberate reaction to a dangerous situation will almost always fail. When a threat, attack, or danger actually arises, it typically explodes onto the scene, leaving no time for a thoughtful, deliberate reaction. By remembering this principle, the EP specialist can keep in mind the necessity of constantly practicing reactions to different scenarios. Such practice should be physical, rehearsing protective movements and quick escapes or practicing driving or shooting. It should also be mental, constantly asking “what if?” and considering reactions. By maintaining both physical and mental acuity, the EPS has a better

272

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.5 Philosophy of Protection

chance of reacting to a real or potential emergency appropriately and immediately, without a lengthy thought process because the thinking has already been done. Assaults and assassination attempts start and end with astonishing rapidity. Being mentally prepared to respond far outweighs the value of any other precaution.

Keep clients out of trouble. Because EP specialists are not fighters, bodyguards, or soldiers, their primary job is not to knock down, arrest, or kill the bad guys. Their primary job is to avoid dangerous persons or conditions, such as fire, street crime, or embarrassment. In an encounter with a would-be assassin, the EPS should move the principal out of harm’s way, shield him or her, and then remove the subject from the area as quickly as possible. The EPS should not stand and fight unless there is no alternative. An example of getting the client out of trouble would occur if, upon spotting a nearby, potentially violent disturbance, the EPS pushes the principal into a car and speeds away to safety. An example of keeping an executive out of trouble occurs when the EP specialist and the subject communicate subtly, with a nondescript phrase or visual cue, that it is time to leave a certain group or place before an embarrassing or dangerous situation arises.

Understand the security vs. convenience continuum. EP specialists often state that security and convenience inhabit opposite ends of a continuum. At one end of the continuum is the highest degree of security as well as the highest degree of risk. At the other end is the greatest degree of convenience along with the fewest inhibitors to a person’s lifestyle. Movement toward one end results in an equal movement away from the other end. In other words, the more security an executive demands, the less convenience he will have, and the more freedom he demands, the less security he will have. This principle helps keep security measures in perspective. Clearly, neither extreme—total convenience or total security—is practical. The principal and the agent must decide where on the continuum the executive should be and what tradeoffs to make. Each time an EP specialist develops a new strategy to protect the executive, this principle can serve as a reminder that increasing security beyond a certain point may needlessly hobble the executive, making him less effective and, essentially, a victim of protection instead of a victim of attack.

Rely on brains, not technology. Protective equipment, while necessary, is not by itself sufficient for the protection of an executive. Firearms, alarm systems, armored cars, and two-way radios are useful tools in the EP specialist’s collection, but not one or all of them can be relied on to protect an executive for several reasons.

Protection of Assets  Copyright © 2012 by ASIS International

273

EXECUTIVE PROTECTION 9.6 EP Risk Assessment

First, overreliance on security technology tends to place subjects in a vault. To fulfill their corporate obligations, executives must move around. If sequestered, they are no longer executives but prisoners. Second, adversaries are often intelligent enough to defeat security equipment. A determined adversary can defeat or circumvent alarms, disable armored cars, or eavesdrop on two-way radios. An EPS can hope to buy defensive time with equipment, but when the adversary strikes, salvation lies in the EPS’s conditioned responses for removing the principal from harm’s way. Among gun battles that have taken place in the executive protection field, almost none have lasted more than a few seconds. Likewise, in every U.S. presidential assassination attempt to date, the Secret Service has chosen to follow its model of “cover and evacuate” and has not opted to return fire. In other words, in crises, historically it has been shown to be more important for EP specialists to use their heads, not their weapons or other security equipment.

9.6

EP RISK ASSESSMENT Executives in the United States may think of kidnapping as something that occurs only in other countries. While kidnapping rates are much higher outside the United States, this crime does happen within U.S. borders more often than one might imagine. Annual FBI kidnapping statistics, excluding parental kidnappings, show the following number of incidents in recent years: 304 in 2000, 263 in 2001, 201 in 2002, and 227 in 2003. While no official list records business-related kidnappings, news accounts describe many victims: Charles Geschke, president and chief executive officer of Adobe Systems Inc.; Kevyn Wynn, daughter of casino tycoon Steve Wynn; and Harvey Weinstein, chief executive of Lord West Formalwear. A typical incident occurred in January 2003, when three men abducted 40year-old hedge fund executive Edward Lampert and held him at a hotel for two days. Lampert, worth an estimated $800 million, was grabbed in the parking garage of his Greenwich, Connecticut, investment company headquarters. He was eventually freed unharmed, even though a $5 million ransom demand was not met. When the police cornered the perpetrators in their hotel room, they also found a mask, a shotgun, and seven rounds of ammunition. Two of the three kidnappers were fresh from prison after serving stretches for drug dealing (Scarponi, 2004). Financial gain is only one of the many motives of corporate adversaries, however. Many large corporations and many corporate executives are at risk of attack from many types of dangerous individuals and groups. They may have personal grievances against the corporation or its executives, may be animated by greed, or may object to such issues as environmental or labor practices, political affiliation, or animal testing. The company’s role

274

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.6 EP Risk Assessment

in the global marketplace or its involvement in controversial biomedical issues may cause some malcontents to plot harmful tactics against a corporate executive who, in their minds, embodies the perceived corporate misdeeds. To counter potential attacks, every company has a finite amount of protective resources. Those resources, which include money, staff, influence, knowledge, and contacts, must be spent wisely. It would be foolish and inefficient to divide the resources evenly across the universe of conceivable threats. It makes more sense to allocate those resources toward preventing the threats that present the greatest possibility of harm. The appropriate allocation of resources to a specific situation is determined through a risk assessment. In conducting an EP risk assessment, the specialist must consider two factors. First, the threats that the executive faces must be analyzed based on multiple considerations such as the executive’s position with the employer, access to and level of exposure among potential adversaries, access to wealth or other lifestyle attributes, publicity, and travel practices. An EP risk analysis answers questions such as the following: x

Who would want to harm the executive?

x

How are adversaries gaining information about the executive?

x

What is the current likelihood of the various identified threats?

x

Does the executive desire, require, and accept protection during the work day? Only when traveling? Twenty-four hours a day?

Second, the specialist must assess the likelihood that threats could be carried out successfully. The range of threats to a person’s safety and well-being is vast. Perhaps the most troubling are events that have been known to occur, but are unexpected. The following list is only a sample of the real threats faced by many executives: x

assassination

x

kidnapping

x

extortion

x

street violence

x

attacks by insane persons or zealots

x

workplace violence

x

embarrassment (deliberate or accidental)

x

injury (unintentional)

x

illness or medical emergency

Protection of Assets  Copyright © 2012 by ASIS International

275

EXECUTIVE PROTECTION 9.7 The Power of Information

The results of these two reviews will provide a relative risk ranking: negligible, low, moderate, high, or critical. At a given company, not all executives face the same risk level. Some executives represent controversial aspects of the company and have a high public profile, while others operate behind the scenes and are relatively unknown. To arrive at an appropriate threat level for a particular executive, the EP risk assessment should identify all potential threat elements, from protesters, criminals, extremists, and terrorists to workplace violence and hazards due to the executive’s travel or other activities. The specialist should then analyze whether each element poses a threat to the executive. The assessment should ascertain how an event might unfold. It should also identify individuals who have the capability and intent to harm, have a history of threatening the executive or others, or have actually targeted the executive. Based on the results, the principal can be given one of the risk rankings and provided with the appropriate protection. A key feature of risk assessments is that they do not last. In other words, the level of risk shifts often, so risk assessments must be performed on a recurring basis. An example of reassessing risk in light of changing events and altering EP measures accordingly is illustrated in the following report (Oatman, 2002): [S]hortly after the September 11 terrorist attacks, one company … developed reliable intelligence that its aircraft and passengers faced an elevated risk. To deal with this increased threat, the company decided to send an executive protection specialist on every corporate flight. The specialist not only provided security during flights but also was responsible for ensuring physical and procedural security of aircraft on the ground.

9.7

THE POWER OF INFORMATION The importance of conducting ongoing research about potential threats to the executive cannot be overstressed. Details on changes in the executive’s status, new threat groups, exposure in the media, and other factors need to be constantly monitored. One of the key determinants of threat level is how well the executive is known to potential adversaries. Access to information about an executive by those intent on doing harm increases and facilitates several kinds of threats, such as identity theft, extortion, kidnapping of family members or relatives, and efforts to do the executive personal injury. Also, obtaining one piece of information makes it easier to obtain others. Dedicated adversaries can generally build a thorough profile of an individual by learning the names of schools attended by the executive or family members and by obtaining school yearbook photographs, which can be parlayed into other information.

276

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.8 Office and Home

The Internet makes it almost effortless for researchers, both benevolent and malevolent, to read current and past articles about any topic or person they choose. Even a cursory Web search on many executives discloses the names of their spouses and children and their city of residence. It is important to remember that the Web truly is worldwide, so adversaries in other parts of the globe can research an executive just as easily as the executive’s next door neighbor. In addition, information seekers can learn more detailed information about their targets by paying a small fee for vehicle title records, property records, voter registration records, birth and death records, genealogical information, and other data. Such information can be gathered either online or through visits to local record repositories, such as city halls. Another common practice is simply to ask a target’s friends and neighbors for information, using various pretexts. In assessing risk, it is useful to know what information is available that could arouse envy, hatred, or revenge or help an adversary locate and harm the executive or his family (Shackley, 2003, p. 86): If the executive can be thought of as having “deep pockets,” the possibility of kidnapping ought to occur to him. Note, we are not talking here in terms of absolutes, but of how a person appears to others within his environment. It is not his net worth that counts so much as how he is perceived by a prospective kidnapper. And, we might add, whether he is perceived. Any media publicity about a person’s wealth is harmful, and, unfortunately, the press seems to take an excessive interest in the private financial affairs of the well-to-do. One of our metropolitan newspapers recently published a list of the twenty best-paid regional CEOs, together with the amount of their compensation and their photographs, thereby handing potential kidnappers invaluable target intelligence.

9.8

OFFICE AND HOME Most executives spend the majority of their time at their offices and their homes. While they are in those locations, traditional security methods should be employed to protect them. Those methods are described in detail elsewhere in Protection of Assets. Nevertheless, in general, effective executive protection requires rings of protection: an outer perimeter, one or more inner perimeters, and in some cases a safe room. (A safe room is a protected space in the innermost part of the office or home to which the executive can safely retreat during an attack.) Those rings are typically composed of physical security tactics such as perimeter protection (using fences, gates, or other barriers), access control (using protective doors, turnstiles, card readers, or other devices), lighting (to impede hiding and improve recognition of adversaries), closed-circuit television (to identify visitors and to provide counter-

Protection of Assets  Copyright © 2012 by ASIS International

277

EXECUTIVE PROTECTION 9.9 The Advance

surveillance on adversaries who may be watching the site), and intrusion alarm systems (to announce penetrations). Executives who are at risk of attack tend to be more aware of security at work than at home. An adversary, however, may actually find it easier to attack an executive at his or her residence. Historically, the home is a softer target simply because an executive, at the end of a busy day, wants to relax in an atmosphere that does not resemble a corporate security setting with lights, cameras, and other equipment. An infamous example of the risk in and around an executive’s home concerns Sidney Reso, a New Jersey Exxon executive who was kidnapped as he left his home April 29, 1992. He was shot in the arm when he was seized and died five days later, found bound and gagged in a sweltering storage locker (Chicago Tribune, 1992).

9.9

THE ADVANCE In executive protection, an advance is the process of researching a destination before the principal arrives—in effect, a preemptive strike against confusion and exposure. Advance work requires that a member of the protection team actually go to the destination to prepare the way. However, advance work does not apply solely to long-distance travel. Any location that the executive intends to visit should be advanced—even if it is just across the street. An EPS who has done a proper advance has a much better chance of keeping the principal out of trouble. Further, should a threatening event actually occur, the EPS will know how to remove the executive from the situation, whom to summon for help, and where to get medical or any other type of needed assistance. When two EP specialists are available, both need not be assigned to accompany the traveling executive. A preferred method is to have one conduct the advance while the other accompanies the executive. Advance work is that important. A good advance reduces the executive’s exposure by smoothing logistics. If hotel check-in, billing, baggage handling, parking, and other matters are worked out by the EP specialist handling the advance, then the executive can exit his car at a hotel’s front door, walk straight through the lobby to the elevators, and arrive quickly at his or her room. Similarly, if an advance agent has scouted out the route to an executive’s speaking engagement and has properly studied the meeting location, then the agent accompanying the executive can lead him or her into the building through a side door if necessary or can take an alternate route to avoid unfavorable conditions and circumstances (Oatman, 1997). Obviously, these tactics can keep the executive out of many potentially undesirable encounters and locations.

278

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.9 The Advance

Local Travel If a protected executive must travel locally, the ideal arrangement will place the executive in a suitable car driven by a trained security driver and accompanied by the EP specialist. The route selected should be carefully previewed, and the rest of the company’s security function should be aware of the plan. While executives are vulnerable when they drive themselves, they do not need to be driven at all times and to all places. The decision to use a car and driver should be based on a risk assessment. If driven by someone else, however, the executive can work, rest, or, if an attack occurs, lie down out of the line of fire. The vehicle in which the executive is transported should provide generous interior space (for the executive, the EP specialist, and any necessary equipment), substantial protective bulk (for ramming), and a powerful engine (to escape attackers). The risk assessment should determine whether an armored vehicle is needed. Most cars can be armored after manufacture, and some major automotive companies provide factory-armored vehicles. An advantage of factory-armored vehicles is that they blend in with other vehicles and, thus, do not attract attention to the principal. Features of armored vehicles include bullet-resistant metal panels and glass; run-flat tires; an anti-exploding fuel tank; a steel-reinforced front bumper designed for ramming; electric dead bolt locks; a dual battery system; an inside/outside intercom; and a remote starter. Many new cars, armored or not, now come with a device for opening the trunk from its interior, which is useful if needed for escape. A car used for EP should also have a global positioning system (GPS) to reduce the likelihood of getting lost; a locking gas cap; a mobile phone; a protected exhaust pipe; an electronic aid system such as On-Star; and an alarm system. Regarding the driver, it is best to employ a trained security driver, not simply a chauffeur. The security driver will know the protocol of a chauffeur plus have the ability to take evasive action if needed (Scotti, 1995). If the security department’s staffing can accommodate it, the security driver should be someone other than the EP specialist. If an EPS must also drive, he or she will be unable to scan the travel route for potential threats and may have to drop the principal at the destination and then park, leaving the executive alone during crucial arrival and departure periods. A key practice is for the EPS to call the main security office as soon as the executive’s trip gets under way. By noting travel details, such as “We are leaving the plant and returning to the office. It’s now 3:15 p.m., and we’re taking I-67 to U.S. 20,” the EPS makes it possible for other security personnel or law enforcement authorities to retrace the executive’s steps if the car should be missing. To prevent the communication from being heard by an adversary who

Protection of Assets  Copyright © 2012 by ASIS International

279

EXECUTIVE PROTECTION 9.9 The Advance

may be eavesdropping, discreet or coded language should be used to describe who is traveling and what route is being taken. The EP specialist should also search the car thoroughly anytime it has been out of sight and unguarded. Because a thorough search is time-consuming, the car should be kept in a locked, alarmed garage whenever possible. Once the car has been searched, it only stays “sterile” if it is locked away or kept under surveillance. Finally, regarding the route, the driver should rely on advance work to ensure that the route selected is fast, does not pass through dangerous areas, and requires a minimum of stopping. The driver also needs to know several alternate routes, identify safe havens for stops along the way, and find the location of hospitals, police stations, and other potentially vital resources along the route. The driver should also investigate such factors as the time it takes to reach various stages along the route, the likely level of traffic, road conditions, construction work or detours, drawbridge openings, and other temporary conditions that could affect the trip. The advance should be performed at the same time of the day the executive will be traveling so the EP specialist can ascertain the traffic flow. An additional precaution would be to drive the advance route in a different vehicle than the one in which the principal will be transported.

Long-Distance Travel Out-of-town travel can present many risks to an executive. Some of those risks have to do with the unfamiliarity of the place visited, while others have to do with making scheduled, public appearances before potentially hostile audiences. Trips within the executive’s home country present one level of risk; trips to other countries can be even more risky if the destination is unfamiliar or especially dangerous. In general, before taking the executive on a trip to another country, the EPS should complete both research from home and advance travel. In the pre-travel research, the EP specialist should first determine whether the trip is truly necessary. If the answer is “yes,” the EPS should pursue the following “know before you go” steps:

280

x

Conduct Internet research on current facts about the destination.

x

Obtain a professional country briefing to learn the history and current affairs of the country, including attitudes held there about the executive’s home country. Such information is available from numerous governmental and commercial sources.

x

Become familiar with the country’s climate, health conditions, time zone or zones, and currency rates.

x

Learn the key points of local social customs.

x

Clarify why the principal is going on the trip, how he or she wishes to travel, and who will attend scheduled meetings.

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.9 The Advance

Also, before the executive actually embarks on the trip, the EPS should take the following steps: x

Conduct an advance mission to the proposed destination.

x

Touch base with local security or law enforcement contacts and the local embassy or consulate of the executive’s home country.

x

Perform a risk assessment for the destination.

x

Make reservations strategically, by choosing the safest lodgings and modes of transportation, and discreetly, by not advertising to potential adversaries that the executive will be traveling.

x

Arrange appropriate travel documents such as visas, passports, and itineraries.

x

Rehearse, mentally if not physically, security measures for travel by all modes that could be used, including commercial and private planes, autos, boats, ships, and trains.

x

Review personal security tips with the executive.

x

Examine health aspects of the trip. Pack appropriate health-related items and information, and develop or refresh the plan that will be followed in health emergencies. Line up all necessary emergency assistance, such as hospitals, trauma centers, medical transportation, and suitable doctors.

When the trip actually takes place, the EPS should remember a three-part key security concept: keep a low profile, stay away from problem areas and situations, and know what to do if trouble arises. As was recommended for local travel, the EP specialist should also communicate frequently with the security home base. Avoid western gathering places. If you are traveling to a region designated as high risk by the U.S. Department of State, there are additional measures that should be considered. Often, terrorists will seek to identify and attack a location that will be certain to have a high concentration of Americans or other westerners present at a specific time. For example, a horrific practice, which has long been used by terror groups, is to target religious services at houses of worship frequented by westerners. The reason is obvious. A Christian church serving the international community will provide them a target, which is certain to be filled every Sunday morning at 9:00 a.m. This presents a tough choice for an individual to whom church service is an important part of life. The same is true for nightclubs and other locations catering to Americans and western Europeans. If the State Department suggests avoiding such places in a country to which the principal is traveling to, it is best to heed the warning. Wherever the principal travels, it is always a good practice to immediately identify all emergency exits and make sure they are functional. Many foreign countries do not have fire

Protection of Assets  Copyright © 2012 by ASIS International

281

EXECUTIVE PROTECTION 9.10 Working the Principle

codes that mandate identifiable emergency exits in all public establishments. It is vital for the EP specialist to know how to get out of any place he might take the principal into. For some executives, the risk level warrants the use of private aircraft whenever possible. Commercial air travel presents risks both on the ground and in the air. On the ground, at large, busy airports, inconvenient delays can occur during pickup and drop-off; the executive may be recognized and bothered by other travelers; airport lobbies (on the unsecured side) are notorious terrorist targets; and busy security checkpoints can create opportunities for losing personal property, missing flights, and enduring embarrassing searches. By traveling in a private aircraft, the executive can avoid bothersome people and receive individualized customer service. Further, the small lobbies used by general aviation fixedbase operators (FBOs) are not prime targets for terrorists who wish to draw attention to their cause. EP specialists can exert much more control over the security conditions of a general aviation FBO and private aircraft than they can over large, bustling airports serving major airlines. A popular option for private travel is fractional aircraft ownership through an aircraft management company. The principal’s corporation might, for example, purchase a onequarter share of a certain type and size of aircraft. Flying via general aviation using private aircraft at terminals or airports that are separate from those used by major air carriers reduces the likelihood of being in the wrong place at the wrong time—that is, of happening to be at a major public airport during a significant attack. Also, general aviation airports in the United States must abide by the detailed security guidelines established by the Transportation Security Administration of the U.S. Department of Homeland Security (Security Guidelines for General Aviation Airports, 2004). Once a commercial aircraft takes off, the executive cannot know whether a dangerous person is on board. By contrast, in private aviation, every passenger will probably be known to the executive or someone else on the aircraft.

9.10

WORKING THE PRINCIPAL The choreography used by the EP specialist to physically move about with the subject is called “working the principal.” A combination of the risk level and the personal preferences of the executive will determine the extent to which an EP specialist must personally accompany the principal. The CSO, EP manager, or EP specialist should discuss this issue with the executive. It may be that the risk level is high and the principal is willing to be accompanied by an EP specialist at all times. Alternatively, despite the high risk, the principal

282

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.10 Working the Principal

may be unwilling to be accompanied by an EP specialist and may only tolerate using the EPS as a driver. A lower risk level might suggest that the specialist only needs to be with the executive when he or she is outside the home or leaves the office. There are many points on that continuum of protection, and the issue can only be worked out through discussions between the security staff and the principal. If the CSO, EP manager, or EP specialist believes the risk level warrants close-in, personal protection, the executive should understand that a trained EP specialist can blend into professional settings and not look like a “bodyguard.” Some EP specialists now use the title “assistant to the CEO” to blend in, standing off to the side of a meeting or social gathering while performing their countersurveillance tactics. The relationship between the EP specialist and the executive is an extremely important component of executive protection. In some ways, the relationship calls for an odd juxtaposition of roles. The executive is clearly the boss, yet the EP specialist must be able to give orders in times of danger and advice at regular intervals. In executive protection, a professional but not too personal relationship enables both the protector and the principal to perform their jobs freely. An interesting rule of thumb, from the perspective of the executive, comes from a former high-ranking U.S. government official who is now receiving private protection. He tells his protective detail, “Stand close enough to protect me, but not so close that I have to introduce you.” When working a principal, an EPS will find that conditions change. The EPS may safely bring the executive to a destination, such as a conference at which he or she is speaking, but the job does not end there. Once inside the meeting hall, for example, the EPS should start scanning and calculating—that is, scanning the surroundings for items, people, or arrangements that appear potentially threatening or seem somehow out of place, and calculating possible reactions should trouble arise. This is the time for the EPS to take notice—especially of people’s hands, of objects they may be carrying, or of visible signs of nervousness—and to constantly ask, “What if?” If the EPS conducted an advance visit to the site, he or she should try to discern what may have changed since that visit. Is the layout different? Are entrances and exits temporarily blocked? Are different people at key locations? What about that fidgety, inappropriately dressed man in the front row? Who are those people in the back with signs, pushing their way through the crowd? Should an attack occur, all of the EP specialist’s instincts, training, and conditioning come together. When an attacker pulls a knife, fires a shot, rams the executive’s car with his own,

Protection of Assets  Copyright © 2012 by ASIS International

283

EXECUTIVE PROTECTION 9.10 Working the Principal

lunges at the executive, or makes some other clearly dangerous, aggressive move, the specialist cannot stop and ponder how to react. The whole sequence, from the EPS’s first sighting of the threat to the evacuation of the executive, might take as little as four seconds. A good example of how fast an attack can happen and how fast the correct response must take place is the March 30, 1981, assassination attempt against U.S. President Ronald Reagan outside the Washington Hilton. The perpetrator, John Hinckley, fired six rounds into the gathered crowd in less than three seconds. On hearing the shots, Secret Service Agent Jerry Parr reacted instinctively and pushed the President into a waiting limousine, which rushed to The George Washington University Hospital. Many responses happened at once, which makes this case an interesting example of professional executive protection. In a matter of seconds, some members of the protective detail shielded the President with their own bodies, others pushed him into the car, and the driver knew where to take the wounded President. Still others surrounded and piled on top of the assailant, who was arrested by police on the spot. The Hinckley episode also illustrates a widely accepted chain of action that must occur during an incident. The following list defines the four steps in the chain:

284

x

Arm’s reach. If the attacker is within an arm’s reach of the EPS, the EPS should move to immobilize him. If the attacker is beyond an arm’s reach, the EPS should move to cover the executive.

x

Sound off. The specialist shouts the type of weapon displayed and the direction, in relation to the principal, from which it is coming. By shouting “Gun!” or “Gun to the right!” the specialist alerts other EP specialists who may be present to spring into action and attempts to involve other people in the resolving the situation.

x

Cover. This term means far more than simply finding cover or a safe place to which the agent and principal can flee. Its primary meaning is to call on the EPS to cover the executive’s body with his or her own.

x

Evacuate. The overriding need to get the executive out of danger underscores the difference between the missions of executive protection specialists and of the police or the military. The EPS mission—avoiding opponents rather than pursuing them— cannot be overemphasized. Stopping to fight an adversary when it would be quicker to dash out a side door raises, not lowers, the odds that the executive will be injured. The protective detail should concentrate on shielding and removing the principal, leaving apprehension of the attacker to the police.

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION 9.11 Protection Resources

9.11

PROTECTION RESOURCES A key phrase to remember in executive protection is “use your resources.” EP is a complicated task, and the wise EPS makes use of all the resources at his or her disposal. The following are several of the most important:

9.12

x

Law enforcement contacts. Law enforcement contacts can provide intelligence and specialized assistance such as off-duty staffing, if permitted. These contacts work best when they are developed over time or at least during the advance visit.

x

News and briefings. The EP specialist should periodically conduct Internet or other research to discover and track information on the principal as well as on individuals, organizations, and conditions that might pose a threat to the principal.

x

Networking. By developing a network of colleagues from EP training or protective assignments, the EP specialist will have a ready resource from which to extract answers to such questions as which hotels in a given city are safe and convenient, which airports have become impractical to use, which companies are good suppliers of protection support personnel, which types of automobiles are especially useful in protective operations, and which security driving services are the most reliable.

FUTURE OF EXECUTIVE PROTECTION Though prediction is an inexact art, the risk level faced by corporate executives seems unlikely to decline substantially anytime in the near future. Somewhat more predictable is the march of technological progress and information exchange. The following developments will most likely affect the future of executive protection: x

Technological miniaturization and combination. Now that mobile phones can take digital photographs and video, EP specialists can capture images while conducting advance visits and send the photos or video back to a security headquarters. Similarly, as GPS devices are miniaturized to the point where they can be concealed in wristwatches and belts, they can be used to track a principal if he or she is missing.

x

Up-to-date travel information. Many companies provide around-the-clock intelligence regarding travel destinations. They can even send immediate updates by mobile phone to keep an EPS posted on such general information as travel delays or weather problems, or specific details on a company’s striking employees or a city’s political demonstration.

Protection of Assets  Copyright © 2012 by ASIS International

285

EXECUTIVE PROTECTION 9.12 Future of Executive Protection

x

Information Sharing and Analysis Centers (ISACs). ISACs in several industrial sectors (such as chemical or financial services) share threat information and solutions with each other and with the U.S. government. They are a potentially powerful source of information for EP specialists.

x

Improved training equipment. The newest firearms training simulators enable EP specialists to engage in realistic practice and problem solving.

x

Protected vehicles. Protected cars, now being built by auto manufacturers, look identical to ordinary cars and, therefore, do not draw attention to themselves or their occupants.

x

Body armor. The newest body armor is lightweight and can be worn comfortably and unobtrusively if the need arises. However, it is not generally available to individuals in the private sector.

In today’s corporate environment, executive protection, formerly an exotic service, has become a mainstream security function. Many corporations have taken the initiative to conduct risk assessments of their top executives, especially executives who are recognizable representatives of the organization, travel extensively, or are exposed to other hazards. If the risk level justifies protection, corporations choose from a continuum of service levels, ranging from upgraded physical security measures at home and at work to full-time, inperson protection by EP specialists. The corporation, the executive, and the EP specialist cooperate to strike the right balance between convenience and security. Fortunately, when EP is delivered skillfully, many executives find such protection to be both convenient and comforting. The service adds valuable time to the executive’s day and relieves the executive from having to focus on personal security concerns. As with other fields in corporate security, a company’s investment in executive protection pays dividends by protecting a key corporate asset: the executive’s life and well-being.

286

Protection of Assets  Copyright © 2012 by ASIS International

EXECUTIVE PROTECTION References

REFERENCES Fein, Robert A., & Vossekuil, Bryan. (2000). Protective intelligence & threat assessment investigation: A guide for state and local law enforcement officials. (Presents findings of the U.S. Secret Service Exceptional Case Study Project.) Washington, DC: National Institute of Justice, U.S. Department of Justice. Encyclopædia Britannica [Online]. (2004.) Praetorian guard. Available: http://www.britannica. com/eb/article?tocId 9061166 [2004, November 30]. Encyclopædia Britannica [Online]. 2004. Yeomen of the guard. Available: http://www.britannica. com/eb/article?tocId 9077938 [2004, November 30]. Fox News [Online]. 2004. $5M kidnap thwarted by a pizza. Available: http://www.foxnews.com [2003, January 14]. Glazebrook, Jerry, & Nicholson, Nick. (2003). Executive Protection Specialist Handbook (2 Shawnee Mission, KS: Varro Press.

nd

ed.).

Law firm dissolving after mass murder. (1995, March 7). Chicago Tribune. Oatman, CPP, Robert L. (1997). The art of executive protection. Baltimore, MD: Noble House. Oatman, CPP, Robert L. (2002, June). Airing on the side of safety. Security Management [Online]. Available: http://www.securitymanagement.com [2004, June 4]. Oatman, CPP, Robert L. (2003, June). Protecting Spirited Leaders. Security Management [Online]. Available: http://www.securitymanagement.com [2004, June 4]. Revenge motive seen in Exxon kidnapping. (1992, July 12). Chicago Tribune. San Francisco carnage: Gunman kills 8, self. (1993, July 2). Chicago Tribune. San Francisco gunman’s rage is revealed in four-page letter. (1993, July 4). Chicago Tribune. Scarponi, Diane. (2004). Man gets jail for snatching executive [Online]. Associated Press. Available: http://www.detnews.com [2004, September 2]. Scotti, Anthony (1995). Driving techniques. Ridgefield, NJ: Photo Graphics Publishing. Security guidelines for general aviation airports. (2004). Transportation Security Administration, Information Publication A-001, May 2004, Version 1.0.

Protection of Assets  Copyright © 2012 by ASIS International

287

EXECUTIVE PROTECTION References

Shackley, Theodore G. (2003). Still the target: Coping with terror and crime. Baltimore, MD: Noble House. United States Secret Service [Online]. (2004.) Secret Service history—Timeline. Available: http:// www.ustreas.gov/usss/history.shtml [2004, September 2].

288

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 10 SECURITY AWARENESS

Security awareness means consciousness of an existing security program, its relevance, and the effect of one’s behavior on reducing security risks. Security awareness is a continuing attitude that can move individuals to take specific actions in support of enterprise security. While education imparts general knowledge and training develops specific skills, security awareness efforts solicit conscious attention. Employees and nonemployees who have been informed by security awareness programs can act as a force multiplier for the security program. Security awareness is vital because “the security of an organization rests squarely on the practices of employees” (Fay, 2006, p. 377).

10.1

LEVELS OF AWARENESS Different levels of security awareness are appropriate for different categories of employees and visitors.

10.1.1

EXECUTIVE MANAGEMENT Chief executives, chief operating officers, and other senior personnel must be aware of the security program because they are an enterprise’s top decision makers regarding risk and resources. If they perceive the security program as an expense with no compensating return, they may reduce or eliminate program funding.

Protection of Assets  Copyright © 2012 by ASIS International

291

SECURITY AWARENESS 10.1 Levels of Awareness

If the program is in fact valuable, security awareness efforts should focus on conveying the following points: x

the program’s benefits

x

the reasonableness of the program’s expenses compared to those benefits

For executive management, security awareness means awareness of the security program’s financial contribution to the bottom line.

10.1.2

MIDDLE MANAGEMENT Middle managers tend to be held accountable for the success of their individual departments, so they view the security program in terms of its contribution toward that goal. If a manager thinks the security program does not support the business goals or program initiatives of the business unit, he or she may not support the program. The result may be dislocations and strains that cause failures elsewhere in the enterprise. For example, if the manager of a sensitive research laboratory believes the security requirements are unnecessary, he or she may disregard them and permit a general exchange of information. In time, the widespread internal disclosure of sensitive data may result in an unauthorized disclosure and the loss of a competitive advantage. The mere prospect of this loss should encourage the lab manager to support security, as long as its requirements do not impair research efforts.

10.1.3

FIRST-LINE SUPERVISION First-line supervisors are typically concerned with specific processes or activities. For these employees, security awareness focuses on how the security program aids or detracts from specific performance objectives. For example, the head teller in a retail bank might be hostile to a security practice involving bait money at teller positions because of the extended counting time required at the close of the banking day. In addition, most complaints from other employees about security are first raised with the supervisor. If many complaints are lodged, the supervisor may view security as consuming an inordinate amount of his or her time. Thus, security awareness efforts should show supervisors that the time and attention required to comply with security rules are worthwhile in terms of supporting the supervisor’s main tasks and protecting the employees and the business.

292

Protection of Assets  Copyright © 2012 by ASIS International

SECURITY AWARENESS 10.1 Levels of Awareness

10.1.4

INDIVIDUAL EMPLOYEES Most modern management approaches to employee motivation assume that the employee is willing and interested, and that while information and instruction are needed, coercion and pressure are not. In many enterprises, the only formal exposure an employee gets to the security program may be a brief reference to it on the first day of work. Such slight emphasis on security awareness sends the message that the enterprise does not consider security to be important. If supervisors and managers are interested in and supportive of security, employees may gain a favorable view of the program and support it by observing its rules. By contrast, if supervisors and managers disapprove of the security program or show no interest in it, employees may feel little motivation to support it.

10.1.5

NONEMPLOYEES People who are not employees of the organization may also be affected by the security program. They include vendors and suppliers, customers, service personnel, representatives of government, and members of the public. Most of them have less opportunity than employees to learn the applicable security requirements, but nevertheless it may be important that they learn those requirements. For example, if a supplier will be given access to sensitive proprietary information, he or she should be made aware of security procedures that protect and account for such information. Nonemployees may be more willing to comply with security procedures if they are given at least a brief explanation of the reasons for the procedures. For example, a visitor may not automatically perceive the wearing of a guest badge as useful or necessary. However, the visitor may view the matter differently after a brief explanation that the badge permits immediate recognition by and assistance from employees. In some cases, security awareness must be supported formally with a confidentiality agreement.

Protection of Assets  Copyright © 2012 by ASIS International

293

SECURITY AWARENESS 10.2 Purposes of Security Awareness

10.2

PURPOSES OF SECURITY AWARENESS Security awareness supports many important goals. Those who receive security awareness instruction are better able to do the following: x Protect company assets. First and foremost, the purpose of the security awareness program is to educate employees on how to help protect company assets and reduce losses. Everything else flows from this prime responsibility. x Understand the relationship between security and successful operations. This purpose is the prime one for awareness efforts directed toward executive management. Assets protection professionals should devote the necessary time and talent to demonstrate the program’s value and cost-effectiveness. x Identify their obligations under the security program. It is important to identify security obligations for all employees and nonemployees and to present those obligations as reasonable and necessary. Employee orientation and periodic refreshers can be used to teach people precisely which security requirements apply to them. x Recognize the connection between security program objectives and selected security measures. This purpose is important to middle management. Unit and department heads must recognize (and, preferably, agree) that security measures are appropriate and necessary. x Be familiar with sources of help for carrying out security responsibilities. Security awareness materials should address the specifics of implementing security requirements. For example, if a security rule states that particular spaces or containers must be locked, affected employees need to know how to obtain a lock and key. If persons with legitimate questions or problems do not know where to go for assistance, they might either (1) not consult anyone and simply improvise an answer or (2) consult the wrong person and be needlessly delayed. x Comply with statutory or common-law requirements for notice. This purpose applies to both employees and nonemployees. Civil trespass to land is generally defined as unauthorized entry into or presence on real property. To recover civil damages for trespass, the landowner or other person in control must prove that the trespasser intended to trespass. Physical, verbal, and symbolic indicators must make clear that there is a boundary past which movement is not authorized. Likewise, the owner of a trade secret must take positive actions to prevent its unauthorized disclosure. One of those actions is to convey to employees entrusted with the secret that the information is indeed secret and valuable. Developing programs for conveying such notices, and documenting such notification, are phases of the security awareness effort.

294

Protection of Assets  Copyright © 2012 by ASIS International

SECURITY AWARENESS 10.2 Purposes of Security Awareness

x Comply with regulatory requirements. Governments often require that specific security-related information be conveyed to employees and others. In the United States, for example, employee orientation is required by the Bank Protection Act and related regulations of the Federal Reserve System and the Controller of the Currency. Other agencies imposing security training and awareness requirements by regulation are the Drug Enforcement Administration, the Department of Transportation, and the Nuclear Regulatory Commission. x Comply with contract obligations. Security awareness efforts may need to take account of various contracts that apply to the enterprise. For example, in the United States the National Industrial Security Program Operating Manual (which sets forth the security obligations of contractors handling classified defense information) imposes numerous requirements for briefings and for security education and training, including awareness efforts. Similarly, collective bargaining agreements typically require that discharges be for just cause and that employees receive due notice of the rules they must follow—including security rules. Some insurance contracts, such as those covering kidnapping, require that specific procedures be adopted and communicated to designated officials in regard to coverage under the policy. A contract on the use of another company’s proprietary information may require the organization using that information to provide security awareness training to its employees. x Comply with company policies and procedures. Security awareness efforts should facilitate the ability of employees and others to comply with established company policies and procedures. These policies may address compliance with company standards and procedures for such matters as access control requirements or with program initiatives such as a “clean desk” initiative to protect proprietary company information. x Prepare the organization for emergencies. Organizations with security awareness programs are better prepared to respond to emergencies and nonroutine issues (Piazza, 2004). In particular, organizations that educate management and employees through security awareness programs are better able to respond to cyber attacks and keep their information secure (BSA-ISSA, 2003, p. 2).

Protection of Assets  Copyright © 2012 by ASIS International

295

SECURITY AWARENESS 10.3 Developing and Delivering a Security Awareness Program

x Reduce organizational liability. Security awareness efforts are an important part of an organization’s liability reduction strategy. In defending lawsuits against a company, it helps to “show that the company is aware of security and makes an effort to provide a safe environment” (Ahrens & Oglesby, 2006, p. 82). Moreover, effective awareness programs make employees accountable for their actions (Whitman & Mattford, 2004, p. 34). A company pursuing criminal charges against an employee will have greater success if it can prove it has a security awareness program that was effectively communicated to employees (Kovacich & Halibozek, 2003, p. 249). x Communicate the value of the security department. A final goal of security awareness is to convey the value of the department. Security personnel should not attempt to frighten management and employees but instead should, though their security awareness program, demonstrate they are providing a valuable service to the organization (Gerloff, 2004, p. 26).

10.3

DEVELOPING AND DELIVERING A SECURITY AWARENESS PROGRAM Security awareness programs typically must address the following topics (Roper, Grau, & Fischer, 2006, p. 90): x

why the organization requires protection strategies

x

the value protection strategies bring to the organization

x

what actions are required for the protection of specific assets

x

what employees’ security responsibilities are

x

how they can meet those responsibilities

x

how employees can report program violations

x

how employees can identify indicators of risk or danger and how they should react

Unlike detailed security training, security awareness material may not contain specific security task information. It may instead direct recipients to security content available elsewhere and focus on generating support for the security program. Finally, it should be enjoyable and interesting, as “the best training tools engage staff and let them have fun” (Gips, 2006, p. 20).

296

Protection of Assets  Copyright © 2012 by ASIS International

SECURITY AWARENESS 10.3 Developing and Delivering a Security Awareness Program

10.3.1

TECHNIQUES, MATERIALS, AND RESOURCES Security awareness programs often make use of the following techniques and materials: x

Written material. This includes instructional or advisory material, agreements, and acknowledgments. It also includes written security policies and procedures, posters, and other informal reminders. The materials can be distributed in the form of security department handbooks, pamphlets, and guides, or they can be incorporated into materials used by other departments. Formats include pocket reminder cards, desktop reference material, calendars, tri-fold information sheets, notepads, bookmarks, letter openers, cups, pencils, rulers, key chains, newsletters, posters, refrigerator magnets, stickers, posters, etc. Sometimes security awareness materials can be integrated into materials distributed by professional organizations. For example, one security department arranged to have its security awareness materials added to the Annual Patient Nursing Assessment for Private Duty Patients, which addresses violence prevention (Morris, Carter, & Krueger, 2002, p. 72). Security awareness guides can address organizational assets, personal safety, safety while traveling, information asset protection, terrorist threat awareness, safeguarding classified materials, counterintelligence, cybercrime, personnel security, foreign intelligence threats, operational security, responsible use of company equipment, access control procedures, and potential penalties for violating security rules.

x

Audiovisual material. Formats include audio and video tapes, interactive CD-ROMs, films, 35 mm slides, software-based presentations, e-mail, and company and noncompany Web sites. However, it is important not to post sensitive information where it is publicly accessible (Roper, Grau, & Fischer, 2006, p. 241).

x

Formal security briefings. These can be done pre-and post-hiring, at new assignment orientation, and at times of promotion or transfer. Briefings can be delivered to individuals or groups.

x

Integration into line operations. Security staff can use several means to integrate security awareness into regular enterprise operations. Individual employees’ security awareness can be examined in their performance reviews, can be considered in setting bonuses, and can be reinforced in supervisory and management staff meetings. Another technique is to include security tasks in job descriptions or employee handbooks and standards, perhaps collaborating with other departments.

x

Inside experts. In developing a security awareness program, security staff can get help from company training staff and communications staff.

x

Outside experts. Security professionals can call on outside experts in communications, advertising, and public relations to add their knowledge, experience, and credibility to the security awareness program.

Protection of Assets  Copyright © 2012 by ASIS International

297

SECURITY AWARENESS 10.3 Developing and Delivering a Security Awareness Program

Typically, a security awareness program must rely on a variety of delivery methods. Some staff learn well by using computer-based instruction on their own, while others learn best when they attend classes.

10.3.2

OBSTACLES TO AN EFFECTIVE AWARENESS PROGRAM Creating employee and management buy-in to an awareness program is not automatic. Security staff may face several obstacles in implementing a security awareness program (Roper, Grau, & Fischer, 2006, pp. 91–92): x

Low credibility of security department. This may stem from previous performance of departmental staff, a new department’s lack of a track record, biases that employees bring from other organizations, a lack of professionalism within the security department, or security staff’s lack of understanding of company functions.

x

Organizational culture. A security awareness program can be hindered by a culture that holds such views as “we’ve never done it that way before” or “we always do it this way” (Dalton, 1998, p. 53). If a company believes security is not directly related to the organization’s success, the security department will find it difficult to implement a security awareness program.

x

Naiveté. Organizations sometimes develop a mentality that bad things will not happen to them, especially if they have not been victimized in the past. Likewise, they may believe that employees will always do their utmost to protect company assets and would never knowingly harm the organization. As a result, they may decide that an awareness program is unnecessary.

x

Perception of a minimal threat. Employees may feel less interested in increasing their security awareness if they feel the relevant threat is insignificant or unlikely to occur. For example (Roper, Grau, & Fischer, 2006, pp. 91–92): Security educators in the 1990’s and later whose programs were geared to the prevention of espionage have had to contend with the fact that perceptions of the foreign intelligence threat have radically changed. Without the monolithic Soviet adversary, security educators were hard-pressed to argue that critical information was still at risk. However, the continuing frequency of espionage case associated with a variety of foreign entities in recent years —Cuba, China, Saudi Arabia, South Korea—has redefined the foreign intelligence threat and made it credible.

x

298

Departmental or employee indifference. Some employees may not see security as their responsibility. They may be overworked, or they may have a competing agenda (e.g., if they are stealing from the company); or they may simply see security responsibilities as undesirable extra work. Some employees believe that securing company assets is the responsibility of the security department alone.

Protection of Assets  Copyright © 2012 by ASIS International

SECURITY AWARENESS 10.3 Developing and Delivering a Security Awareness Program

x

10.3.3

Lack of reporting capability. It is essential that employees have access to an effective reporting system. “Information collection is the basis of a security management plan” (Kitteringham, 2006, p. 29), and the existence of a security reporting system, in itself, has been found to heighten employee awareness, resulting in an increase in reporting (Kellogg & McGloon, 2006, p. 98). With an incident reporting system in place, security professionals are better positioned to measure their departments’ effectiveness and report back to senior management.

MEASURING THE PROGRAM Because security awareness efforts take time and money (and may briefly interrupt employees’ work), security staff may need to seek management approval to start and continue the program. One way to gain support is through the use of metrics—that is, “a standard of measurement using quantitative, statistical, and/or mathematical analysis” (Kovacich & Halibozek, 2006, p. xxvii). Following are examples of potential measurements: x

company losses before and after the security awareness program was implemented

x

number of persons briefed and number of briefings conducted in specific periods

x

topics covered, projected or actual briefing completion date, and method of delivery (Roper, Grau, & Fischer, 2006, pp. 134–135)

x

cost of briefings per employee (Kovacich & Halibozek, 2006, p. 119–121)

If a program is new and lacks data on its effectiveness, one approach is to start with a limited budget and build momentum over time. It is possible to create awareness literature cheaply via desktop publishing. Further, by partnering with other departments, such as the human resources department, security personnel can brief employees during regular training exercises. Data can be collected and assessed until there is an opportune time to implement the awareness program on a larger scale.

Protection of Assets  Copyright © 2012 by ASIS International

299

SECURITY AWARENESS 10.4 Engaging Employees to Prevent Losses

10.4

ENGAGING EMPLOYEES TO PREVENT LOSSES All employees are responsible for helping to protect organizational assets, as security personnel cannot be everywhere and see everything. By working with employees from other departments and providing leadership in developing protective strategies, security staff can increase the likelihood of employee cooperation. A cooperative employee is less likely to circumvent security rules and measures. Most enterprises devote at least some time to fostering security awareness among their employees. However, knowing that a security program exists is not the same as playing an active role in loss prevention. Every department and employee has a role in identifying, preventing, and reducing losses. Before developing a security awareness program that will teach employees what they need to know, the security manager must become familiar with all elements of the organization’s business—in order to know what assets must be protected from what risks. Losses that employees may be able to help reduce include traditional physical concerns, such as theft of money or goods or misuse of equipment or facilities. Through awareness training, employees may also be able to help reduce other losses, including those related to contractual, statutory, regulatory, insurance, or other concerns. Seemingly small losses can have expensive ramifications. For example a laptop theft resulting in the loss of a client’s personal information can be very costly, especially given emerging privacy legislation. One study (Ponemon Institute, 2006) found that the average loss per corporate data breach was $4.8 million.

10.4.1

POSITIVE SECURITY CONTACTS Success in security depends heavily on employees’ cooperation. To strengthen that support, the security department should maximize the positive (helpful) contacts it has with employees while still carrying out the primary security mission. One way security staff can enhance the department’s reputation and build relationships is by promoting the personal safety and security of employees and their families at work, at home, and elsewhere. The following are examples of such measures: x

conducting home protection clinics

x

lending property-marking devices

x

offering group purchase opportunities for burglary and fire protection devices

x

conducting personal protection programs

x

conducting cyber security awareness programs

x

conducting children’s fire prevention poster campaigns with cash prizes.

Employees themselves may be able to suggest other programs they would like the security department to provide.

300

Protection of Assets  Copyright © 2012 by ASIS International

SECURITY AWARENESS 10.4 Engaging Employees to Prevent Losses

10.4.2

POLICIES AND PROCEDURES One of the most important missions of security awareness programs is to familiarize employees with the organization’s policies and procedures. Policies establish rules, while procedures explain how to follow those rules. Security awareness programs can help promulgate policies and procedures and ensure that employees understand specifically what they should and should not do in a wide variety of situations. Serious and costly outcomes can result when employees do not know or do not follow company policies. For example, in 1999 a suspected shoplifter was apprehended in a grocery store in Canada by two store clerks and a uniformed security officer. He died from accidental restraint asphyxia during the arrest. A news report states that “the company employing the store clerks insisted that it expressly forbids staff from using force on people suspected of shoplifting. The inquest had heard that the employees who chased [the suspected shoplifter] were unaware of the store’s policy to avoid using force with shoplifters” (CBC News, 2004). As one writer on security policies observes (Roberts, 2002, p. 94): Good polices are not enough to ensure that the staff will react properly to an incident. Continuous training of a store’s retail staff is essential to ensure that they understand, and act in accordance with, the stores policies for dealing with suspected shoplifters. Further, store managers, loss prevention professionals, and human resource staff need to be monitoring incidents that arise so that they can retrain or discipline employees who do not act in accordance with store policies.

Some employees fail to follow company policies and procedures because they do not understand what they are supposed to do, while others simply choose not to cooperate. An examination of compliance with information technology (IT) policies (Mallery, 2007, pp. 40– 42) found two categories of users who fail to follow policies: (1) “uneducated users,” who have a limited understanding of computers and the consequences of ignoring policies, and (2) “arrogant users,” who feel they do not have to follow the rules that apply to others—“they feel they are more powerful, intelligent and sophisticated than everyone else, so they can do what they want on corporate systems.” Ultimately, employees who refuse to follow policies and procedures, even after security awareness efforts have brought those issues to their attention, must be disciplined. Otherwise, the company may be needlessly exposed to a variety of losses and liabilities.

Protection of Assets  Copyright © 2012 by ASIS International

301

SECURITY AWARENESS References

REFERENCES Ahrens, S. A., & Oglesby, M. B. (2006, February). Levers against liability. Security Management. Vol. 50, No. 2. Business Software Alliance and Information Systems Security Association. (2003). BSA-ISSA information security study: Online survey of ISSA members. Washington, DC: Business Software Alliance. CBC News. (2004, April 23). Man died from accidental suffocation during arrest: inquest [Online]. Available: http://www.cbc.ca/canada/story/2004/04/23/Shandverdict_040423.html [2007, August 6]. Dalton, D. (1998). The art of successful security management. Burlington, MA: Butterworth-Heinemann. nd

Fay, J. J. (2006). Contemporary security management, 2 ed. Burlington, MA: Elsevier ButterworthHeinemann. Gerloff, J. (2004, December). Communicating security’s value. Security Management, Vol. 48, No. 12. Gips, M. A. (2006, April). Identity theft can be fun. Security Management, Vol. 50, No. 4. Kellogg, D., & McGloon, K. (2006, October). Distilled protection. Security Management, Vol. 50, No. 10. Kitteringham, G. W. (2006). Security and life safety for the commercial high-rise. Alexandria, VA: ASIS International. Kovacich, G. L., & Halibozek, E. P. (2003). The manager’s handbook for corporate security. Burlington, MA: Elsevier Butterworth-Heinemann. Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Burlington, MA: Elsevier Butterworth-Heinemann. Mallery, J. (2007, June). Policy enforcement. Security Technology & Design. Morris, R., Carter, P., & Krueger, C. (2002, October). Nurses learn vital signs of safety. Security Management, Vol. 46, No. 10. Piazza, P. (2004, March). Companies better prepared for trouble. Security Management, Vol. 48, No. 3. Ponemon Institute. (2006). 2006 annual study: Cost of a data breach. Elk Rapids, MI: Ponemon Institute. Roberts, J. R. (2002, September). The policy was perfect. Security Management, Vol. 46, No. 9. Roper, C. A., Grau, J. A., & Fischer, L. F. (2006). Security education, awareness and training. Burlington, MA: Elsevier Butterworth-Heinemann. Whitman, M. E., & Mattford, H. J. (2004, November). Making users mindful of IT security. Security Management, Vol. 48, No. 11.

302

Protection of Assets  Copyright © 2012 by ASIS International

CHAPTER 11 WORKPLACE SUBSTANCE ABUSE: PREVENTION AND INTERVENTION

A drug is a chemical substance that alters the physical, behavioral, psychological, or emotional state of the user. Drugs of abuse—psychoactive (mind-altering) substances—target the central nervous system and impair the user’s ability to think and to process sensory stimuli, thereby distorting the user’s perception of reality. Drugs of abuse include legal and illegal substances and are often consumed socially. In this analysis, alcohol is considered a drug. Substance abuse may harm a person physically, mentally, or emotionally. Abuse can often easily lead to increased tolerance and eventual addiction or chemical dependency. Abuse can also create personal, family, and financial problems beyond the abuser’s control. National prosperity requires a healthy workforce. More than technology, industrial capability, or natural resources, a nation’s workforce makes possible all the social and economic abundance a country enjoys. Substance abuse plagues nearly every nation. In the United States, illegal drugs are everywhere: in schools, communities, factories, and offices. Substance abuse harms productivity and competitiveness and destroys individuals, families, and jobs. It causes birth defects, industrial accidents, business failures, and highway fatalities. The worldwide illicit drug trade is a multibillion-dollar industry that spans national borders, deals almost exclusively in cash, and enforces its policies with violence. Drug abuse is more common among unemployed than employed persons. In 2006, among adults aged 18 or older, the rate of drug use was higher for unemployed persons (18.5 percent) than for those who were employed full-time (8.8 percent) or part-time (9.4 percent). Although the rate of illicit drug use is highest among unemployed persons, most drug users are employed. Of the 17.9

Protection of Assets  Copyright © 2012 by ASIS International

305

WORKPLACE SUBSTANCE ABUSE 11.1 Historical Perspective

million current illicit drug users aged 18 or older in 2006, 13.4 million (74.9 percent) were employed either full-or part-time (U.S. Department of Health and Human Services, National Survey, 2007). Employers pay a high price. It is generally accepted that employee substance abuse does the following: x decreases productivity and morale x increases turnover and absenteeism x increases accidents x increases insurance costs x increases theft and dishonesty x increases unnecessary consumption of benefits x decreases profits x increases potential liability of the company x increases the potential for negative public exposure and image Substance abuse can rob an organization of its talent, vitality, and enthusiasm. It can destroy teamwork and cooperation and make organizations less competitive and less successful.

11.1

HISTORICAL PERSPECTIVE Other than alcohol, opium may be the oldest compounded drug used by man. In 1500 BC, the Egyptians used opium for medical purposes. In the Greco-Roman period, opium was considered an important drug and was used to induce sleep and relieve pain. By the latter th part of the 18 century, doctors in other parts of Europe, too, were recommending opium as a pain reliever. The addictive properties of opium were not appreciated, and the problem of addiction grew in the early 1800s with the discovery of two opium alkaloids: morphine and codeine. Morphine became popular because of its potency—one grain of morphine is about as effective as 10 grains of opium. The newly invented hypodermic needle was used during the Civil War to administer morphine to the wounded, and many soldiers returned to civilian life addicted to the drug. As the hypodermic needle grew in popularity as a way to administer the drug, morphine abuse began to spread in the United States.

306

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.1 Historical Perspective

Opium was commonly taken orally, smoked, or pulverized and used in suppository form. Opium and its derivatives could be purchased legally and inexpensively in pharmacies and many rural general stores. They were used alone or as components in pharmaceutical preparations or patent medicines. Heroin, a morphine derivative, was first synthesized in 1898. At first, it was considered nonaddictive and was used for treatment of morphine addiction. It was also available in many pharmaceutical preparations. Easy access to the drug led thousands into addiction.

11.1.1

A CHANGE OF MOOD th

In the 19 century, opiate use in the United States was found at all levels of society but was most prevalent among members of the middle and upper middle classes. (An exception was opium smoking, which was associated with the underworld.). Among the prominent indivith duals of the 19 century who abused opium were the writers Edgar Allan Poe and Samuel Coleridge. Thomas de Quincy, author of Confessions of an English Opium Eater, was probably the best-known addict at the time. Public attitudes began to change by the 1890s. Many physicians recognized the destructive nature of addiction and publicized their findings. Some regarded addiction as an illness, while others felt it was a vice. An addict could still purchase drugs legally and secure assistance from doctors in the early 1900s; at that time, addiction did not appear to be linked with criminal behavior.

11.1.2

LEGAL CONTROLS In 1880, the United States and China completed an agreement that prohibited the shipment of opium between the two countries. In 1887, the U.S. Congress enacted legislation making it a misdemeanor to import opium from China. In the 1930s it became unlawful to possess or cultivate marijuana in the United States. The first major attempt to control opium use in the United States came in 1909 with a federal act that limited the use of opium and derivatives except for medical purposes. Later, the 1914 Harrison Act attempted to control the production, manufacture, and distribution of narcotics. The law required registration and payment of a tax by those dealing in narcotic drugs. It specified that only physicians could dispense narcotics and that pharmacists could sell drugs only on written prescription. The rapid increase in the number of drug arrests by the mid-1950s prompted the passage of the Narcotic Drug Control Act of 1956, which provided a mandatory minimum penalty of five

Protection of Assets  Copyright © 2012 by ASIS International

307

WORKPLACE SUBSTANCE ABUSE 11.2 Human Cost of Substance Abuse

years’ imprisonment with no possibility of probation or parole for a first illegal sale. Eventually, methadone was used as a substitute for heroin in the treatment of addicts.

11.1.3

WAR ON DRUGS In 1971, U.S. President Nixon initiated a nationwide “war on drugs.” The effort increased public awareness of the dangers of drug abuse, restricted supplies, and drove prices up. It also amalgamated an already growing international network of producers, smugglers, and wholesalers. As prices rose, more criminals entered the market and imported more illicit drugs into the country. The upward trend in supply and demand did not seem to abate until th the end of the 20 century. In 1988, the Reagan administration created the Office of National Drug Control Policy (ONDCP). Its mission was to coordinate the government’s efforts to manage substance abuse in the realms of legislation, security, diplomacy, research, and health. The director of ONDCP is commonly known as the drug czar. Today, the war on drugs is fought on many fronts by many people and organizations. Although the most obvious battles are fought by law enforcement, important battles are fought in the workplace as well.

11.2

HUMAN COST OF SUBSTANCE ABUSE Compared to nonabusing employees, employees who engage in substance abuse may be absent 16 times more often, claim three times as many sickness benefits, and file five times as many workers’ compensation claims. Abusers are also more likely to be laid off or fired (Ferraro, 1994). Substance abuse affects abusers’ family members, too. For example, nonalcoholic members of an alcoholic’s family use 10 times more sick leave than others. They are also more prone to long-term illness, accidents, and divorce. Children of alcoholics are five times more likely to become alcoholics than children of non-alcoholics (Ferraro, 1994). Substance abuse also breeds dysfunctional relationships. Abusers have difficulty in getting along with others. They tend to withdraw from friends and be more secretive. They spend less time at home and work. They contribute less to meaningful relationships and avoid opportunities to socialize with nonabusers.

308

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.3 Role of the Employer

For the employer, they grow less productive and creative and frequently become disciplinary problems. They engage in denial and quickly blame others for their shortcomings and disappointments. They become the 20 percent who consume 80 percent of management’s time.

11.3

ROLE OF THE EMPLOYER Substance abuse—long considered a law enforcement or government problem—has now become a workplace problem as well. Executives, managers, supervisors, employees, and unions are looking for answers. Organizational leaders have learned that to create a drug-free workplace they must do the following: x

Make a commitment.

x

Set goals and objectives.

x

Assign responsibility.

x

Formulate a comprehensive policy.

x

Communicate the policy.

x

Equitably enforce the policy.

x

Provide education and training.

x

Provide help to those who want it.

x

Audit the process regularly.

11.4

WHY THE WORKPLACE?

11.4.1

RATIONALIZATION Rationalization is the use of superficial, apparently plausible explanations or excuses for one’s behavior. Substance abusers rationalize constantly. They may rationalize that the use of drugs is a constitutional right, that addiction and chemical dependency happen only to others, and that drug use enhances their ability to perform, produce, and create. They may rationalize that they can quit using anytime, that drug use at work is acceptable because it is common, and that selling drugs to coworkers is a gesture of camaraderie. Often, they blur the line between personal consumption off the job (what they do on their own time) and their rationalization that such personal habits don’t affect their work performance.

Protection of Assets  Copyright © 2012 by ASIS International

309

WORKPLACE SUBSTANCE ABUSE 11.4 Why the Workplace?

These rationalizations help substance abusers abandon their values, shirk their responsibilities, and lose respect for other people and their property. They may lie to their families, steal from their friends and employers, and continue to use drugs without guilt, despite the potential harm caused by their behavior.

11.4.2

OPPORTUNITY For the substance abuser, the workplace abounds with opportunity. Here are the key reasons:

310

x

They know one another. Workplace deals enable sellers and buyers to have regular contact with one another that is not suspicious. Also, the workplace venue is generally private property and therefore not under the direct scrutiny of law enforcement, thereby creating somewhat of a safe haven for illicit activities to transpire.

x

Better quality. Workplace dealers want repeat customers, and they recognize that high-quality products keep them coming back.

x

Fairer quantity. Illegal drugs are expensive. Because drugs are often sold in quantities as small as 1/4 gram, accuracy in weight is important to the buyer. Again, because workplace dealers recognize the importance of repeat business, they tend to sell accurate quantities.

x

Low risk. Abusers perceive supervisors and managers as uninformed or untrained and often unwilling to confront them or their problems. Moreover, security measures— such as barriers, fences, or locked doors—that protect company assets may also protect abusers and dealers from monitoring or detection.

x

High return on investment. An ounce of high-quality cocaine that is cut (diluted by adding an impurity) and repackaged in 1 gram quantities can yield the dealer several thousand dollars in profit. In a workforce of 100 employees or more, a single employeedealer may be able to sell an ounce of cocaine each week.

x

Ability to buy and sell on credit. When “fronted,” drugs are sold to the employee-user with the agreement that they will be paid for later. This agreement usually establishes terms and consequences for the failure to pay. Fronting allows users to obtain drugs even when they do not have money to buy them. For this service, employee-dealers generally charge a small premium—typically the retention of a small amount of the drug for personal use. This quantity is known as a pinch, and the practice is called pinching.

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.5 Path of Workplace Substance Abuse

11.5

PATH OF WORKPLACE SUBSTANCE ABUSE No one aspires to be drug addicted or chemically dependent. Involvement with drugs usually begins with experimentation. This typically involves introduction to the drug by a friend or family member. If the drug produces an enjoyable effect, experimentation may lead to periodic use, often in social settings. If the progression is uninterrupted, users begin to develop relationships with friends or coworkers who are involved with the same drug. As these relationships solidify, relationships with former friends and coworkers are diminished and may eventually end. Abusers’ appearance, behavior, interests, and relationships all begin to change, and they become more secretive, suspicious, and paranoid. Abusers’ attitudes toward the drug also change. They may defend the drug’s benefits, its value to society, and their right to use it. They may frequently think about it, study it, and talk about it. In addition, abusers’ job performance deteriorates. They develop attendance problems, usually with recognizable patterns. They appear less focused and claim to have more personal problems. They use drugs more frequently and irresponsibly. They may drink and drive, smoke marijuana while hunting or while handling firearms, or consume drugs in public places with people they do not know. Eventually, they begin to use drugs on the job. At first their use is discreet, but often it becomes flagrant. In fact, they may enjoy testing the boundaries of acceptable behavior in the workplace. They may drink in the parking lot during lunch and on breaks. They may smoke marijuana in restrooms and locker rooms. They may consume cocaine or methamphetamine at their desks or workstations. They may use drugs in company-owned vehicles or while out of town on business. Given the opportunity, they may even use drugs with customers and vendors. They may keep drugs in their desks, lockers, or toolboxes. In addition, abusers may use the company mailroom or shipping department to distribute and receive drugs and money. They may hide drugs in workplace safes, furniture, trash containers, hazardous material containers, beverage containers, lunch boxes, briefcases, purses, shoes, coats, raw materials, and finished goods. Employee substance abusers are resourceful, cunning, and deceitful. When given the opportunity, dealers may also secretly sell right in front of nonabusers, supervisors, and managers. In some instances, it is hard to understand how any real work gets done. Dealers tend to socialize more than others. They are constantly networking while feverishly trying to avoid detection. Often they are absent or not where they belong. They avoid interaction with management whenever possible. Though they tend not to make trouble, if accused of misconduct they become belligerent. They often support employee causes and enjoy creating strife between management and labor. Employee drug dealers tend to resist team building, pursue secret agendas, and despise authority.

Protection of Assets  Copyright © 2012 by ASIS International

311

WORKPLACE SUBSTANCE ABUSE 11.5 Path of Workplace Substance Abuse

If substance abusers exhaust their discretionary income, they generally resort to purchasing their drugs on credit. Once their credit is exhausted, they may begin to sell drugs or engage in theft. If they become dealers, they generally sell to colleagues at work. If they choose to steal, the principal victim will be the employer. Substance abuse-related employee theft often begins with stealing food from coworkers. It eventually leads to the theft of petty cash, cash receipts, office equipment, and coworkers’ personal valuables. Left unchecked, the substance abuser will eventually steal to the extent the organization allows. The stolen goods may range from scrap, raw materials, and finished goods to intellectual property, such as client lists, confidential information, and trade secrets. Employee substance abusers may also steal from customers and vendors. They may short a shipment to an important customer, keeping and selling the difference. They may accept kickbacks for miscounting, allowing overages, double shipping, approving improper or unauthorized credits, or diverting a vendor’s delivery. The impact on the employer can be devastating. Business relationships may be destroyed, and valuable vendors may withhold service or materials. Customers may cancel contracts, refuse payment, or take legal action. In addition, substance abusers are more likely to have accidents and get injured. They file more health claims and consume more than their share of benefits. More illnesses and injuries yield higher insurance costs. Abusers’ absences may be disruptive and costly and require the recruiting, hiring, and training of replacements. Also, substance abusers are more prone to file false claims and feign on-the-job injuries. As abusers’ performance begins to slip, discipline begins. Abusers may foresee termination but view it as unacceptable, as their jobs may be the only element of stability and normalcy in their lives. For years they may have rationalized that continued employment is evidence that they live a normal life. In extreme cases, they may give up their family, children, home, and car but struggle to keep their job. Once the job is in jeopardy, they may choose to give up drugs. However, a more common way of escaping workplace discipline is to feign an on-thejob injury. In abusers’ eyes, an extended absence can provide several benefits: relief from job responsibilities, a break from the environment where they are most exposed to drugs and the temptation to use them, and an opportunity to give up drugs and start anew. Usually, however, these benefits go unrealized. Without the structure of a job, their life often begins to unravel completely. Drug consumption may rise and financial burdens increase. Months later, when abusers finally return to work, they are more chemically dependent, less productive, and more likely to file another claim. This cycle of destruction may repeat several times before the employee is terminated. At that point, everyone is a loser: the employer, spouse, family, friends, and the abuser.

312

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

11.6

DRUGS OF ABUSE

11.6.1

CONTROLLED SUBSTANCE ACT In the United States, the legal foundation for the federal strategy of reducing the consumption of illegal drugs is the Comprehensive Substance Abuse Prevention and Control Act of 1970, Title II (CSA). The law contains four fundamental parts: (1) mechanisms for reducing the availability of controlled substances, (2) procedures for bringing a substance under control, (3) criteria for determining control requirements, and (4) obligations incurred through international treaties. Specifically, the law regulates the manufacturing, purchase, and distribution of drugs according to their potential for abuse. The Drug Enforcement Administration (DEA) is responsible for enforcement and oversees the classification of all drugs. These classifications or schedules are as follows: x

Schedule I. The drug or substance has a high potential for abuse and currently has no accepted use in medical treatment in the United States. Examples of Schedule I drugs are hashish, marijuana, heroin, and lysergic acid diethylamide (LSD).

x

Schedule II. The drug or substance has a high potential for abuse but currently has an accepted medical use in the United States with severe restrictions. Abuse may lead to severe psychological or physical dependency. Examples of Schedule II drugs are cocaine, morphine, amphetamine, and phencyclidine (PCP).

x

Schedule III. The drug or substance has a potential for abuse less than the drugs or substances of schedules I and II and currently has an accepted medical use in the United States. Abuse may lead to moderate or low physical dependency or high psychological dependency. Examples of Schedule III drugs are codeine, Tylenol with codeine, and Vicodin.

x

Schedule IV. The drug or substance has a low potential for abuse relative to Schedule III substances and currently has an accepted medical use in the United States. Abuse may lead to limited physical or psychological dependency. Examples of Schedule IV drugs are Darvon, Darvocet, phenobarbital, and Valium.

x

Schedule V. The drug or substance has a low potential for abuse relative to Schedule IV substances and currently has an accepted medical use in the United States. Abuse may lead to a lower physical or psychological dependency than caused by Schedule IV substances. Examples of Schedule V drugs are the low-strength prescription cold and pain medicines found in most homes.

Protection of Assets  Copyright © 2012 by ASIS International

313

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

11.6.2

DEPRESSANTS Depressants include such drugs as Quaalude (methaqualone), Valium (diazepam), Librium (chlordiazepoxide), Nembutal (pentobarbital), Seconal (secobarbital), and alcohol. In small doses, depressants produce a calm feeling and can be used for various medical purposes. In larger doses, they can cause impaired reflexes, slurred speech, and uncontrollable drowsiness. Abusers often combine depressants with other depressants or with stimulants. The abuse of depressants can lead to birth defects, overdose, and even death.

Alcohol Alcohol is a fast-acting central nervous system depressant that functions as an analgesic with sedative affects. In small quantities, it produces a sense of well-being and slightly impaired reflexes. In larger quantities, the sense of well-being is replaced by disorientation, reduced inhibition, loss of coordination, and irrationality. Alcohol is addictive, and prolonged abuse can cause brain, liver, and heart damage, as well as sexual dysfunction, gastritis, ulcers, malnutrition, high blood pressure, cirrhosis of the liver, pancreatitis, cancer, and death. According to the U.S. Department of Health and Human Services (Alcohol, 2007), alcohol dependence, also known as alcoholism, includes four symptoms: x

craving: a strong need or compulsion to drink

x

loss of control: the inability to limit one’s drinking

x

physical dependence: the occurrence of withdrawal symptoms, such as nausea, sweating, shakiness, and anxiety, when alcohol use is stopped after a period of heavy drinking

x

tolerance: the need to drink greater amounts of alcohol to get the desired feeling

Alcoholics are in the grip of a powerful craving that overrides their ability to stop drinking. This need can be as strong as the need for food or water. The essential difference between a social drinker and an alcoholic is a loss of control over the time, place, and amount of drinking. Although some people are able to recover from alcoholism without help, the majority of alcoholics need assistance. Alcoholism appears to be caused by both genetic and environmental components.

11.6.3

NARCOTICS In the medical sense, narcotics are opiates: opium, its derivatives, and synthetic substitutes. Opiates (also called opiods) are indispensable in pain relief, but they are also highly addictive and frequently abused.

314

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

Opiates include such drugs as morphine, heroin, and codeine. Usually taken orally or intravenously, they can also be smoked. Opiates are relatively uncommon in the workplace, as they are expensive and their physiological effects on the user are usually obvious. In small doses, narcotics create effects like those of depressants. In larger doses, they induce sleep, unconsciousness, and vomiting. Intravenous use increases the chance of contracting such diseases as hepatitis and AIDS. Users describe the euphoric effect of these drugs as being “high” or “on the nod.” With repeated use of narcotics, tolerance and dependence develop. Tolerance is characterized by a shortened duration and a decreased intensity of analgesia, euphoria, and sedation, leading to the need to consume larger doses to attain the desired effect. Dependence is an alteration of normal body functions such that the continued presence of a drug is needed to prevent withdrawal symptoms. In general, shorter-acting narcotics tend to produce shorter, more intense withdrawal symptoms, while longer-acting narcotics produce protracted but less severe symptoms. Although unpleasant, withdrawal from narcotics is rarely life threatening. Without intervention, the withdrawal syndrome disappears in seven to ten days. Psychological dependence, however, may continue. Unless the physical environment and the behavioral motivators that contributed to the abuse are altered, the user’s probability of relapse is high. In the United States, some abusers of narcotics begin their drug use in the context of medical treatment and escalate it by obtaining the drug through fraudulent prescriptions and “doctor shopping” or by branching out to illicit drugs. Other abusers begin with experimental or recreational uses of narcotics. The majority of individuals in this category may abuse narcotics sporadically for months or even years. Although they may not become addicts, the social, medical, and legal consequences of their behavior are very serious. Some experimental users eventually become dependent. The younger an individual is when drug use is initiated, the more likely the drug use will progress to dependence and addiction (DEA, 2006). Over the past 30 years, the prescription painkiller oxycodone has been widely abused in the workplace. It is a Schedule II narcotic analgesic, supplied as OxyContin (controlled release), OxyIR and OxyFast (immediate release), Percodan (with aspirin), and Percocet (with acetaminophen). The 1996 introduction of OxyContin, also known as OC, OX, Oxy, Oxycotton, hillbilly heroin, and kicker, led to a marked escalation of its abuse. Effects include analgesia, sedation, euphoria, feelings of relaxation, respiratory depression, constipation, papillary constriction, and cough suppression. As an analgesic, a 10 mg dose of orally administered oxycodone is equivalent to a 10 mg dose of subcutaneously administered morphine. Oxycodone’s behavioral effects can last up to five hours. The controlled-release product (OxyContin) lasts 8–12 hours.

Protection of Assets  Copyright © 2012 by ASIS International

315

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

Chronic use of opioids can result in tolerance for the drugs. Long-term use can lead to physical dependence and addiction. Properly managed medical use of pain relievers is safe and rarely causes clinical addiction. However, a large dose of an opioid can cause severe respiratory depression that may lead to death.

11.6.4

STIMULANTS Stimulants may make employees appear more alert, eager, and productive. However, what appears to be productivity may actually be wasted efforts that lead to mistakes. Stimulant abusers may believe the drugs enhance their creativity and endurance, but they are actually being robbed of their energy and rationality. Abusers experience frequent, severe mood swings, and they become difficult to manage and have trouble getting along with others. Abusers often try to control their mood swings by using another drug, most often alcohol. Prolonged abuse typically results in weight loss, drug-induced psychosis, and addiction to multiple drugs. Among the stimulants used in the workplace are cocaine, amphetamines, methamphetamine, methcathinone, methylphenidate (Ritalin), and anorectic drugs (appetite suppressants).

Cocaine Cocaine (cocaine hydrochloride) is a white, crystalline substance extracted from the coca plant. Though it has some medicinal value as a topical anesthetic, it is a common drug of abuse and is considered highly addictive. Most often ingested through the nose (snorted), it can also be injected and smoked. Cocaine stimulates the central nervous system, and its immediate effects include dilated pupils, elevated blood pressure, increased heart rate, and euphoria. Crack or rock cocaine (usually smoked) is prepared from powdered cocaine, baking soda, and water. The high lasts only a few minutes, leaving the user eager for more. Being under the influence of cocaine is often referred to as being “wired” or “buzzed.” Cocaine’s effects appear almost immediately after a dose and disappear within a few minutes or hours. In small amounts (up to 100 mg), cocaine usually makes the user feel euphoric, energetic, talkative, and alert. It can also temporarily decrease the need for food and sleep. Some users find that the drug helps them perform simple physical and intellectual tasks more quickly, while others experience the opposite effect. The duration of cocaine’s euphoric effect depends on the route of administration. The faster the absorption, the more intense but shorter the high. The high from snorting is relatively slow in onset and may last 15–30 minutes, while that from smoking comes quickly and may last 5–10 minutes.

316

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

Large doses (several hundred milligrams or more) intensify the user’s high but may also lead to bizarre, erratic, or violent behavior, along with tremors, vertigo, muscle twitches, paranoia, or a toxic reaction. Some users report restlessness, irritability, and anxiety. In rare instances, sudden death can occur on the first use of cocaine or unexpectedly thereafter. Cocaine-related deaths are often a result of cardiac arrest or seizures followed by respiratory arrest. Cocaine is powerfully addictive. Some users develop a tolerance and must increase their doses to attain the desired effects. Other users actually become more sensitive to the drug over time and may die after low doses. Bingeing—that is, taking the drug repeatedly and in increasing doses—may lead to irritability, restlessness, and paranoia. Eventually, the user may develop paranoid psychosis, losing touch with reality and experiencing auditory hallucinations (DEA, 2006).

Methamphetamine Methamphetamine is a synthetic drug easily manufactured using common materials and simple laboratory equipment. Also known as crank, meth, crystal meth, or speed, it has, in many workplaces, replaced cocaine as a drug of choice among stimulant abusers. Methamphetamine can be smoked, snorted, swallowed, or injected. The drug alters moods in different ways, depending on how it is taken. Immediately after smoking the drug or injecting it intravenously, the user experiences an intense rush or “flash” that lasts only a few minutes and is described as extremely pleasurable. Snorting or swallowing produces euphoria—a high but not an intense rush. Snorting produces effects within three to five minutes, and swallowing produces effects within 15 to 20 minutes. Methamphetamine is usually used in a “binge and crash” pattern. Because tolerance for methamphetamine occurs within minutes—meaning that the pleasurable effects disappear even before the drug concentration in the blood falls significantly—users try to maintain the high by bingeing on the drug. Ice, a smokable form of methamphetamine, came into use in the 1980s. Ice is a large, usually clear crystal of high purity that is smoked in a glass pipe (like that used for crack cocaine). The smoke is odorless, leaves a residue that can be re-smoked, and produces effects that may continue for 12 hours or more. As a powerful stimulant, methamphetamine, even in small doses, can increase wakefulness and physical activity and decrease appetite. A brief, intense sensation, or rush, is reported by those who smoke or inject methamphetamine. Swallowing or snorting the drug produces a long-lasting high (instead of a rush), which can continue for half a day. Both the rush and the high are believed to result from the release of the neurotransmitter dopamine into areas of the brain that regulate feelings of pleasure.

Protection of Assets  Copyright © 2012 by ASIS International

317

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

Methamphetamine has toxic effects as well. The large release of dopamine produced by methamphetamine is thought to contribute to the drug’s toxic effects on nerve terminals in the brain. High doses can elevate body temperature to dangerous, sometimes lethal levels, as well as cause convulsions. Long-term methamphetamine abuse results in many damaging effects, including addiction. Chronic methamphetamine abusers may exhibit violent behavior, anxiety, severe mood swings, weight loss, irritability, confusion, insomnia, and general deterioration of health. They may also experience psychotic effects, including paranoia, auditory hallucinations, mood disturbances, and delusions (for example, the sensation of insects creeping on the skin, called formication). The paranoia can result in homicidal and suicidal thoughts. With chronic use, tolerance for methamphetamine can develop. To intensify the desired effects, users may take higher doses of the drug, take it more often, or change their method of drug intake. In some cases, abusers forgo food and sleep while indulging in a form of bingeing known as a run, injecting as much as a gram of the drug every two to three hours over several days until the user runs out of the drug or is too disorganized to continue. While under the influence of methamphetamine, users describe themselves as wired. Regular users are referred to as speedsters or cranksters.

11.6.5

HALLUCINOGENS Hallucinogens are mind-altering drugs that drastically alter users’ mood, sensory perception, and ability to reason. For centuries, hallucinogens found in plants and fungi have been used in shamanistic practices. More recently, even more powerful synthetic hallucinogens have been produced. The most commonly abused hallucinogens are LSD (lysergic acid diethylamide), also called acid; MDA (methylenedioxyamphetamine); MDMA (methylenedioxymethamphetamine), also called ecstasy; PCP (phencyclidine), often called angel dust; mescaline, which comes from the peyote cactus; and certain mushrooms. The biochemical, pharmacological, and physiological basis for hallucinogenic activity is not well understood. Even the name for this class of drugs is not ideal, since hallucinogens do not always produce hallucinations. In nontoxic dosages, these substances produce changes in perception, thought, and mood. Physiological effects include elevated heart rate, increased blood pressure, and dilated pupils. Sensory effects include perceptual distortions. Psychic effects include disorders of thought associated with time and space. Time may appear to stand still, and forms and colors seem to change and take on new significance. This experience may be either pleasurable or frightening.

318

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

Users often experience vivid hallucinations, panic attacks, and even synaesthesia or sensory crossover. In this state, users’ senses become confused, and they may actually believe they can see sound or smell colors. The effects of hallucinogens are unpredictable each time the drugs are used. In some instances, weeks or even months after taking hallucinogens, a user may experience flashbacks—fragmentary recurrences of certain aspects of the drug experience—without actually taking the drug. Some hallucinogens are neurotoxic. However, the most common danger is impaired judgment, which may lead to rash decisions, accidents, injuries, and even death.

LSD Lysergic acid diethylamide or LSD, a colorless, odorless, and tasteless drug, is one of the most powerful hallucinogens. It was developed in a Swiss pharmaceutical laboratory in 1938. LSD is sold as tablets, capsules, and sometimes a liquid. Ingested orally, it is called acid, blotter acid, window pane, microdots, and mellow yellow. It is often added to absorbent paper and divided into small decorated squares, each representing one dose. Users under the influence of LSD are said to be tripping. The effects of LSD are described above in the section on hallucinogens. The use of LSD on the job is rare. However, in very small doses LSD may be substituted for methamphetamine or another stimulant.

PCP Phencyclidine or PCP was originally compounded as an anesthetic for large animals. Because of its unpredictability and sometimes frightening side effects, its veterinary use was discontinued. PCP, often called angel dust, comes in both a liquid and powder form. Most often a liquid, it has a strong ether-like odor and is kept in small, dark bottles. PCP is typically applied to a tobacco or marijuana cigarette and smoked. Its effects often last for hours. Users refer to being under the influence of the drug as being dusted. PCP sometimes causes the eyes to twitch uncontrollably, one vertically and the other horizontally. Overdose may result in convulsions, coma, and death.

Protection of Assets  Copyright © 2012 by ASIS International

319

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

11.6.6

MARIJUANA After alcohol, marijuana is the second most common drug of abuse in the workplace. In small quantities, marijuana produces effects similar to those of alcohol, and it is often substituted for alcohol by recovering alcoholics. In larger doses, marijuana can cause hallucinations, memory loss, and lethargy. When two people share a single marijuana cigarette (which takes about seven minutes), the effect is much that same as if they had each consumed six to eight mixed alcoholic beverages. The effect may last two to six hours. Marijuana, hashish, and hash oil are all derived from the hemp plant, cannabis sativa. The principle psychoactive component, tetrahydrocannabinol or THC, is retained in the fatty tissue of the body. Because THC is not easily eliminated, it can accumulate. As a result, the user becomes less and less tolerant of the drug and steadily requires less of it to achieve the desired effect. This condition is known as reverse tolerance. Abusers may smoke less, but they tend to smoke more frequently. Marijuana found in the workplace may be combined with other drugs to enhance its potency and salability. Users can never be assured of consistent doses when smoking marijuana, and the drug is sometimes treated with an opiate or PCP. Abusers can find themselves addicted physically and psychologically not only to marijuana but also to other drugs that have been mixed with it. Users describe their state while under the influence of marijuana as being stoned or buzzed.

Hashish Hashish consists of the THC-rich resinous material of the cannabis plant, which is collected, dried, and then compressed into a variety of forms, such as balls, cakes, or cookie-like sheets. Pieces are then broken off, placed in pipes, and smoked. The Middle East, North Africa, Pakistan, and Afghanistan are the main sources of hashish. The THC content of hashish available in the United States has increased significantly over the last decade.

11.6.7

ANALOGUE OR DESIGNER DRUGS An analogue, also known as a designer drug, is a synthetic preparation with effects and characteristics similar to those of a natural substance. Analogues are developed in laboratories but, being different in formation from the substance they imitate, are not initially classified as controlled substances—even though the imitated substance may be. Many analogues are much more powerful than the imitated or natural substance; some have led to deaths from overdose. Under provisions in the Controlled Substance Act, the U.S. attorney general can institute emergency scheduling of analogue substances once they have been seized and their properties confirmed (21 USC 813).

320

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.6 Drugs of Abuse

11.6.8

PRESCRIPTION DRUGS Prescription drugs are frequently abused in the workplace. Those most often abused are stimulants and sedatives. They may be prescribed by physicians but then overused or continued when no longer needed. Physical or psychological dependency may develop. If the user can no longer obtain the drug legally, he or she may resort to illegal sources or substitute another drug for it. Employees who sell these drugs at work usually think they are doing their friend or coworker a favor. The most common prescription drugs sold at work belong to the family of drugs known as benzodiazepines, which are depressants designed to relieve anxiety, tension, and muscle spasms. Librium, Xanax, and Valium are some of the more common benzodiazepines found in the workplace. Given the millions of prescriptions written for benzodiazepines, relatively few individuals increase their dose on their own initiative or engage in drug-seeking behavior. Those who do often maintain their supply by getting prescriptions from several doctors, forging prescriptions, or buying diverted pharmaceutical products on the illicit market. Abuse is associated with adolescents and young adults who take benzodiazepines to obtain a high. This intoxicated state results in reduced inhibition and impaired judgment. Employee abusers also frequently mix prescription drugs with alcohol, thus compounding the effect of the drug. Mixing benzodiazepines with alcohol or another depressant can be life-threatening. Abuse of benzodiazepines is particularly high among heroin and cocaine abusers. A large percentage of people entering treatment for narcotic or cocaine addiction also report abusing benzodiazepines. Flunitrazepam (Rohypnol) is a benzodiazepine that is not manufactured or legally marketed in the United States but is smuggled in by traffickers. Known as “rophies,” “roofies,” and “roach,” flunitrazepam gained popularity among youth as a party drug. It has also been used as a date rape drug, placed in the alcoholic drinks of unsuspecting victims to incapacitate them and prevent resistance from sexual assault. Often, victims are unaware of what happened to them and do not report the incident to authorities. Because of its effects, flunitrazepam is not often used in the workplace but is sometimes sold there.

Protection of Assets  Copyright © 2012 by ASIS International

321

WORKPLACE SUBSTANCE ABUSE 11.7 Addiction and Chemical Dependency

11.7

ADDICTION AND CHEMICAL DEPENDENCY

11.7.1

ADDICTION Addiction is the disease of compulsion. One may be addicted to or by anything. Most often, however, one thinks of addiction as the uncontrollable, repeated use of a substance or performance of a behavior. In the case of substance abuse, the addict often becomes addicted not only to the effects of the drug but also to the social behaviors surrounding it (including the rituals for obtaining, preparing, and using it). Addiction progresses through three stages: x

Stage One. The first stage is characterized by an increased tolerance to the drug, occasional memory lapse, and lying about how much and how often it is used. Supervisors, friends, and family members begin to become concerned. They notice behavior changes and a reduced interest in friends, family, and job.

x

Stage Two. The second stage is characterized by increases in rationalization, more frequent lies, unreasonable resentment (particularly of supervision and management), suspiciousness, increased irritability, and remorse. Abusers often plead for forgiveness and promise managers and family members that they will change. The change, however, is increased isolation, greater irritability, and more rationalization.

x

Stage Three. In this final stage, use becomes an obsession. Use is no longer a behavior— it is a destructive way of life. Frequent memory loss, unusual on-and offthe-job accidents, unexplained absences, and on-the-job impairment are common. Paranoia, depression, and anger also begin to set in. Problems may escalate with the law, at home, and at work, which in turn may affect the abusers’ productivity, performance, and continued employment. Left unmanaged, this stage is frequently terminal.

As the addiction progresses, it takes more and more away from the addict. In many ways the addict becomes a dues payer. The drug addict or alcoholic pays the following prices:

322

x

impaired driving arrests and convictions

x

hangovers and blackouts

x

dysfunctional relationships

x

confrontations with family, friends, and employers

x

disciplinary actions

x

demotions

x

terminations

x

loss of freedom (through imprisonment)

x

bodily injury and death

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.7 Addiction and Chemical Dependency

Addictions are treatable. In some instances, addiction can be broken without help. However, in most cases professional help is required. That help may be available through the organization’s employee assistance program or any number of public programs. The following are some U.S. examples:

11.7.2

x

National Drug Information and Referral Line, 800-662-HELP

x

National Council on Alcoholism and Drug Dependence, 800-NCA-CALL

x

Narcotics Anonymous, 818-780-3951

x

Food Addiction Hotline, 800-872-0088

x

National Council on Problem Gambling, 800-522-4700

CHEMICAL DEPENDENCY Chemical dependency is an integral component of addiction. It is the physiological craving brought on by chemical changes in the body. These changes are both mental and physical. Substance abusers experience a craving for the drug relieved only by the consumption of it. People who are chemically dependent may lose all rationality and do anything to obtain their drug. Repeated use of a drug can also lead to tolerance. As the body becomes accustomed to the effects of the drug, progressively larger doses are required to achieve the desired effect. Abstinence or drug deprivation usually results in painful physiological responses collectively known as withdrawal. Withdrawal is the result of the body’s attempt to chemically adapt in the absence of the drug. It may be painful and sometimes very violent. Symptoms may include irritability, vomiting, tremors, sweating, insomnia, and convulsions.

11.7.3

FUNCTIONAL ABUSERS Addiction and chemical dependency manifest themselves in various ways. Sometimes abusers appear to be able to manage their dependency. However, if the drug use is obsessive, they may require the drug just to function “normally.” In that case, they are called functional abusers. In many ways functional abusers look like everyone else. They keep steady jobs, work regular hours, have families, and appear happy. However, they lead two distinct lives— one seen, the other secret. These abusers usually use drugs every day. On the job they appear to contribute and be productive. However, when they are deprived of their drug, they are entirely different people.

Protection of Assets  Copyright © 2012 by ASIS International

323

WORKPLACE SUBSTANCE ABUSE 11.7 Addiction and Chemical Dependency

11.7.4

DENIAL Denial is the condition or state of mind in which people refuse to believe or consciously acknowledge that their behavior is harming them and those around them. Abusers in denial rationalize that their behavior is acceptable and minimize the adverse impact of their conduct. They deny that their involvement with drugs is affecting their health, job, and family. They deny the existence of a relationship with their drug of choice and the ever-escalating cost of that relationship. Abusers in denial say (and often believe) such statements as the following: x

I can quit anytime.

x

It doesn’t affect me like other people.

x

What I do on my own time is my own business.

x

I’ve never hurt anybody.

x

I don’t use enough to become addicted.

x

It doesn’t affect my work.

x

My wife (or husband) doesn’t care.

x

I can handle it.

Friends and coworkers may also be in denial. They usually deny the abuser has a problem. If they do admit it, they rationalize that the problem is temporary or even justified. Denial by friends and coworkers may encourage the abuser to continue by suggesting that the behavior is normal, acceptable, or even expected. An abuser who is supported by friends in denial will not accept the advice of his or her spouse. The spouse, then, is viewed as abnormal, and continued involvement in drugs is seen as a natural response to the problem at home. Naive friends may even discourage therapy, treatment, or abstinence. Supervisors, managers, and even organizations also engage in denial. Supervisors and managers sometimes deny that an employee has a problem even in the face of obvious proof. Organizations in denial fail to create sound substance abuse policies, fail to enforce the policies they have, and fail to respond to workplace incidents involving substance abuse. Managers in denial make statements like these:

324

x

We don’t have a drug problem here.

x

If we had a drug problem, we would see it.

x

We’re only concerned about the dealers, not the users.

x

We know a few employees smoke pot on lunch break, but what is the harm in that?

x

If we enforced our policies, we couldn’t get anybody to work here.

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.7 Addiction and Chemical Dependency

x

This industry doesn’t have those kinds of problems.

x

Those kinds of people don’t work here.

Out of fear and unwillingness to confront the truth, organizations in denial deny the abuser the help he or she needs. In doing so, they participate in the progression of the abuser’s disease and the ruin of some of their most important employees.

11.7.5

ENABLING Enabling consists of consciously or unconsciously allowing or encouraging the destructive behavior of others. Enabling often extends from denial. The enabler’s actions shield the abuser from experiencing the full impact and consequences of substance abuse. The enabler helps maintain everyone’s delusion that the abuser is fine and does not have a problem. Family members enable when they call in sick for the abuser, make excuses to their bosses for them, and lie to protect them from discipline. Such behavior may seem kind and protective, but it feeds the abuser’s rationalizations and allows him or her to continue in denial and abuse. Family members also enable when they forgive. Promises and commitments by the abuser are continuously broken and become a pattern. Enablers come back for more. Supervisors and managers enable also. They cover up for the abuser at work. They accept the abuser’s excuses for attendance problems and weak performance. They enable when they believe an abuser’s rationalizations, such as the following: x

I have a lot of problems at home.

x

It will never happen again.

x

I can handle it. Just give me more time.

x

I’m not the only one who has problems around here.

x

I promise …

Most people find it easier to enable abusers than to confront reality. Dealing with difficult employees and the problems they bring to work is unpleasant and even frightening. Managers and supervisors may doubt their own judgment and worry about how their actions might affect their careers. Abusers may use those worries to their advantage.

Protection of Assets  Copyright © 2012 by ASIS International

325

WORKPLACE SUBSTANCE ABUSE 11.7 Addiction and Chemical Dependency

Supervisors and managers should do the following: x

Know and understand their organization’s substance abuse policy and how it is to be enforced.

x

Know the symptoms of substance abuse and when to get help.

x

Accurately document employee performance.

x

Recognize enabling behaviors and stop them when they occur.

x

Communicate their expectations and hold employees accountable.

x

Document their efforts and results.

x

Communicate with upper management.

Breaking the cycle of enabling requires honest confrontation of the problem.

11.7.6

CODEPENDENCY Codependency is another destructive behavior common in the workplace. People are codependent when they allow the behavior of another to overshadow their own values and judgment. Codependency consists of not standing up for what one knows is right. The resultant dynamic virtually assures the destruction of the relationship. Those who are codependent typically x

feel they have to do more than their fair share of the work to keep the relationship going,

x

are preoccupied and consumed with a partner’s or coworker’s chemical dependency problem,

x

are afraid to express their feelings about the abuser,

x

accept the abuser’s inability to keep promises and commitments, and

x

fear disciplining an employee out of concern that the employee will leave and have to be replaced.

Codependency involves such feelings as anger, isolation, guilt, fear, embarrassment, despair, and loss of control. For fear of rocking the boat, they may provide the abuser with a support mechanism to continue substance abuse. Codependents become rescuers, caretakers, complainers, and adjusters. They also sometimes become overachievers in an attempt to be a role model for the abuser. At other times they may actually join the abuser in his or her substance abuse.

326

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

To avoid codependency, supervisors and managers should do the following: x

Focus on performance. Do not allow the manipulative behavior of the abuser to overshadow what management knows is right.

x

Set limits and boundaries for the abuser. Tolerate only what is acceptable.

x

Get help from internal resources, such as the human resources department and the organization’s employee assistance program (EAP).

x

Refer the problem employee to resources that can help.

x

Document efforts and results.

x

Communicate with upper management.

To be effective, supervisors and managers must understand the intricacies of addiction and chemical dependency. They should also understand and be able to recognize the destructive behaviors of denial, enabling, and codependency. Failure to confront those behaviors is uncaring and cruel.

11.8

ROLE OF SUPERVISORS AND MANAGERS

11.8.1

DRUG-FREE WORKPLACE POLICY For the creation of a drug-free workplace, a policy is absolutely necessary. The policy must be practical, functional, and enforceable. It should also be written, effectively communicated, acknowledged in writing by every employee, and equitably enforced. An effective policy should do the following: x

State the organization’s objective—to create a drug-free workplace—and explain why a drug-free workplace is important to all employees.

x

State the unacceptability of drug and alcohol abuse at work and prohibit the use, sale, or possession of controlled substances (as well as the offer to sell them) in the workplace or while on the clock.

x

Define on-the-job impairment.

x

Describe how and when employee drug testing will conducted. The policy should describe what constitutes a positive drug test and state the consequences of failing to provide a specimen for testing.

x

Define what constitutes an infraction of the policy and describe the consequences.

x

Recognize that drug problems and abuse are treatable and spell out the availability of treatment and rehabilitation options.

Protection of Assets  Copyright © 2012 by ASIS International

327

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

x

Define the function of the organization’s employee assistance program and explain how to gain access to it.

x

Answer any questions that might be asked about substance abuse, the policy, or policy enforcement.

The policy should avoid the term “under the influence.” Only for alcohol is there a legal definition of “under the influence.” No such standard exists for the other drugs of abuse. Thus, proving that an individual is under the influence of anything other than alcohol is not possible. Once the policy has been created, the organization should institute an appropriate waiting period during which to educate the employees. Once the implementation date arrives, supervisors and managers should state their willingness to enforce it. Such communication is one of the most significant yet least recognized deterrents against employee substance abuse. More than ferreting out substance abuse and employee substance abusers, supervisors and managers must monitor performance. They should not be expected to catch employees using and selling drugs. Instead, they should be expected to evaluate employee performance and be able to take remedial action when performance is not adequate.

11.8.2

INVESTIGATION AND DOCUMENTATION Sometimes employees violate company policy. When they do, management must respond swiftly and effectively. Part of that response is often an investigation of the circumstances and individuals involved. A workplace investigation is a fact-finding process, ideally separated from the decision-making process. If such separation is not feasible, the fact finder must not let any preexisting bias influence his or her findings and conclusions. An investigation can be simple and informal (for example, confronting the suspected violator and asking questions) or complicated and formal. Effective investigations must, at minimum, be fair and impartial, factual and objective, thorough, and well documented, and they must protect the rights of suspected violators and witnesses. In addition, workplace investigations must not violate the law, company policy, labor agreements, or anyone’s right to privacy. They must also be confidential. Evidence, findings, notes, reports, and conclusions should only be shared with those who need to know. Upper management and the human resources department should always be involved. Disciplinary action should only take place after a detailed review of the investigation’s findings by qualified management. Frequently, the findings of a workplace investigation do not call for discipline. In such cases, the most appropriate response for supervisors and managers is intervention.

328

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

11.8.3

EMPLOYEE HOT LINES In the wake of the corporate scandals of the late 1990s and early 2000s, organizations have scrambled to provide new ways to receive employee reports of misconduct. Still, fear of retaliation often impedes employees from making a report, even anonymously, though the implementation of modern anonymous incident reporting systems has curbed some of that fear. Open-door policies are not enough to ensure that an organization gains the information necessary to prevent and detect employee substance abuse.

Legal Mandates In the United States, the Sarbanes-Oxley Act of 2002 requires all publicly traded companies to establish a confidential means by which questionable accounting or auditing activities can be reported anonymously by employees, customers, and vendors. Organizations are further charged with ensuring proper “receipt, retention, and treatment of complaints.” Employers can use these same tools to obtain information about employee substance abuse. A challenge to multinational businesses is that hot lines, required in some countries, may be illegal in others. These conflicting legal mandates likely reflect cultural attitudes toward whistleblowers. European countries have historically felt uneasy about employees who anonymously report the behavior of others.

Early Warning Systems Anonymous employee hot lines allow for all types of employee misconduct to be detected sooner than they might otherwise be, enabling organizations to address the problems before significant losses accrue and their reputation is tarnished. Human resources officers and security managers have quickly realized the benefit of receiving reports of employee misconduct and substance abuse through workplace hot lines. The cost of implementing an anonymous employee hot line is minimal compared to the potential losses that can be avoided. Establishment of an anonymous incident reporting solution shows employees that their concerns are taken seriously and that the organization is committed to ensuring safety and security for employees. Such a system encourages employees to act when they discover coworkers behaving inappropriately.

Selecting a System Outsourcing hot lines provides many advantages. First, Sarbanes-Oxley limits an organization’s ability to provide strictly internal reporting mechanisms. Second, reporting system vendors tend to have better technology for the task. Third, vendors generally employ bettertrained call takers who can collect the data most pertinent to the issue being reported.

Protection of Assets  Copyright © 2012 by ASIS International

329

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

11.8.4

INTERVENTION Intervention is the calculated interruption of the destructive behaviors of a substance abuser and those around that person. Intervention is not discipline. It is a caring behavior in which those involved plan, prepare, and act. Through intervention, an organization can bring the consequences of the abuser’s actions to his or her attention. Intervention is an attempt to salvage the troubled employee and eventually return the person to work as a productive contributor. For intervention to be effective, employee performance must be documented. Supervisors and managers must escape the state of denial and abandon the assumption that the employee will improve if left alone. Moreover, they must not rationalize or accept substandard performance or inappropriate behavior. In many cases, management intervention is the substance abuser’s only hope prior to discipline. Supervisors and managers should take the following steps in an intervention: x

Observe and document performance. Be objective and fair. Ensure that employees understand what is expected of them. Observe and document inappropriate behavior. Obtain the opinion of another supervisor or manager if there is any doubt as to the appropriateness of an employee’s behavior. Take immediate action if it is necessary to prevent an accident or serious mistake.

x

Confront the problem employee. Remove the problem employee from his or her immediate work area and confront the employee in private. Do not do or say anything that may embarrass or shame the employee.

x

Interview and discuss. Once in private, interview the employee. Have a witness present if possible. Include a union representative if appropriate or required. If an investigation has preceded the interview, share with the employee any information that is appropriate. State only specifics and never generalize. Provide the employee documentary proof of substandard performance (such as attendance records or timecards). Describe in detail what is expected of the employee, referring to written policy whenever possible. If witnesses assisted in the investigation, do not identify them unless absolutely necessary. Do not accuse the employee or attempt to diagnose or rationalize the employee’s behavior. Next, offer the employee the opportunity to provide an explanation. Be open-minded, but remember that the employee may be steeped in denial and might easily rationalize away responsibility. Document the employee’s responses and comments. Ask the employee what the organization might reasonably do to help him or her meet the desired expectations. Empathize, but do not make a commitment; just listen and attempt to understand the request. Suggest that the employee seek professional assis-

330

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

tance, such as that offered through the organization’s employee assistance program or community resources. Be prepared to provide the employee with the appropriate telephone numbers or literature if available. Again, specify the employee’s shortcomings and the organization’s expectations. Define boundaries and the specific consequences that will occur if those boundaries are violated (for example, stating, “Your next absence will result in a final written warning.”). Indicate that the employee’s performance will continue to be monitored, and identify when his or her efforts will formally be reviewed and discussed (for example, stating, “In 30 days, we’ll meet again here in my office to review your progress.”). Conclude the discussion on a positive note. Indicate that it is anticipated the employee will improve his or her performance and meet expectations. Ensure that the employee knows he or she has the support of the organization. Make clear that his or her success will be a win-win. Then send the employee back to work. x

Document results. Next, document what took place: what was said by all parties, the employee’s demeanor, and the employee’s response to the demand for better performance. Put the follow-up meeting on the calendar, and ensure, in writing if necessary, that the employee knows the date.

x

Communicate with upper management. Thoroughly brief upper management and the human resources department. Provide that department with copies of notes and supporting documents from the meeting. If appropriate, suggest that a human resources representative participate in the next meeting.

x

Follow up. As scheduled, meet again with the employee. The meeting should be short and direct. Those who attended the first meeting ought to be in attendance. Review the employee’s progress. If the employee has met prescribed expectations, state appreciation and congratulate him or her. If the employee has not, invoke the progressive action or discipline described in the prior meeting. Set goals and establish a follow-up date.

Intervention is an important management tool design to correct, not punish. Used properly, it can enable supervisors and managers to salvage a problem employee. In the long run, intervention can prevent unnecessary discipline, reduce employee turnover, and maybe even save a life.

Protection of Assets  Copyright © 2012 by ASIS International

331

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

11.8.5

WHEN INTERVENTION FAILS Sometimes intervention is not enough. Substance abusers do not always respond as hoped. Sometimes addiction and chemical dependency are too much for the abuser to overcome alone, no matter how accommodating the organization may be. At this stage the abuser may be resentful, seemingly uncaring, and even angry. If the person has surrendered to the disease, progressive discipline may be the only answer. Documented progressive discipline is the incremental escalation of discipline in response to continued performance shortcomings. It often begins with oral warnings, followed by written warnings, suspensions, and ultimately termination. The escalation of discipline clearly sends the message to the abuser that his or her relationship with drugs has a cost. Progressively the abuser may begin trading things of value for that relationship. As the abuser slides down this slippery slope, the last thing he or she will surrender is the job. The abuser may already have given up his or her family, friends (except those also involved in drugs), home, car, savings, and even health. The only remaining constant may be the job. In such circumstances, the job represents more than a source of income. It represents the last bastion of normalcy and order in the life of the abuser. As a result, abusers often cling to it desperately. They may rationalizes that they are not sick, addicted, or chemically dependent as long as they can keep a job. The abuser at this stage is capable of almost anything— except giving up drugs. He or she may lie, cheat, and steal to keep the job and may even resort to violence if the job is threatened.

11.8.6

EMPLOYEE ASSISTANCE PROGRAMS Another management option is to refer the abuser to an employee assistance program (EAP). EAPs first came into being in the 1940s. Known then as occupational alcoholism programs, they were designed to address the problem of alcohol in the workplace. Today, EAPs address a broader range of issues, including alcohol and substance abuse, family problems, marital problems, and other personal issues. The services of the employer-provided EAP are free and are usually available to family members as well as the employee. The relationship that the employee or family member (both are called clients) has with the EAP is held in strict confidence. Even the employer is not told the names of clients. EAP professionals develop a community referral network to serve their clients. Clients are usually provided with several consultations over the telephone (sometimes in person) to determine their specific needs. Once an assessment is made, the client is provided the names of several resources. It is then up to the client to follow through and seek the appropriate help. For the purpose of support, the EAP may monitor the client’s progress, but actual treatment is provided by independent, outside professionals. Any counseling or treatment performed is confidential. Treatment costs may be covered by the employee’s medical insur-

332

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

ance. Leaves of absence are granted to accommodate the client-employee. In the United States, the Americans with Disabilities Act (ADA) requires reasonable accommodation of employees and job applicants who are recovering drug or alcohol abusers. Current users are not protected. In effect, the EAP is a clearinghouse for employee-help services. EAPs do not conduct investigations or drug tests. They simply connect people with high-quality, professional help. Employees can voluntarily seek help through an EAP, or they can be referred by management. Management referrals typically include the following elements: x

mandatory participation

x

professional diagnosis

x

professional treatment or therapy

x

progress reports and feedback to management

x

goal setting

x

monitoring

Like intervention and progressive discipline, management referral is an incremental approach that encourages performance and behavior modification. Participation is mandatory. Treatment or therapy is professionally administered, and management is provided progress reports and feedback. Upon completion of treatment, and sometimes during treatment, performance and behavior goals are negotiated. The recovering employee, as a condition of employment, agrees to be monitored and is fully informed of the consequences of not meeting the goals. Monitoring usually includes periodic drug testing. Continued therapy or counseling may also be part of the negotiations. Eventually, monitoring may be discontinued and the status of conditional employment removed.

11.8.7

BEHAVIOR MODIFICATION THROUGH ROLE MODELING Role modeling consists of setting an example through one’s own behavior. Parents do it, teachers do it, and so can employers. By setting a good example and doing what they expect others to do, supervisors and managers can encourage employees to change their behavior. If enough people participate, the entire organization’s culture can be altered. Substance abusers prefer to work in environments where others like them work, and they resent the social boundaries that a healthy corporate culture imposes on them. Most of all, they resent the inability to rationalize their substance abuse. Positive peer pressure can force substance abusers to confront their behavior. What they find is that they can no longer lie and deceive.

Protection of Assets  Copyright © 2012 by ASIS International

333

WORKPLACE SUBSTANCE ABUSE 11.8 Role of Supervisors and Managers

11.8.8

REINTEGRATION OF THE RECOVERING EMPLOYEE Recovery for the abuser is a long, painful process. Following treatment, the recovering abuser often chooses to return to work—the same environment in which the abuse may have begun. If it is an environment controlled by abusers, the recovering employee may find it difficult to remain clean and sober. If other abusers control the culture, they may make it impossible for the recovering addict to remain drug-free. On the other hand, if the recovering employee returns to a healthy environment, his or her chances for recovery and long-term sobriety are good. A healthy and caring culture can provide various support mechanisms. Non-abusing coworkers can offer encouragement, positive role models, and an environment free of temptation. Supervisors and managers can hold the recovering employee accountable, set reasonable expectations, and providing positive reinforcement when goals are achieved. The net effect is an environment conducive to recovery and long-term health.

11.8.9

EMPLOYEE EDUCATION AND SUPERVISOR TRAINING Training for employees at all levels should be provided as part of an overall substance abuse program. All employees should be given accurate information about the dangers of substance abuse and about the organization’s policies and expectations. The human resources staff should be trained to identify applicants who may be substance abusers in order screen them out. In addition, all human resources representatives should become familiar with all aspects of the organization’s policies and practices since they will usually be responsible for implementing corrective action and discipline. Training for supervisors and managers is also critically important. While only a trained healthcare professional can definitely diagnose a substance abuse problem, training can provide supervisors and managers the tools they need to properly enforce work rules and administer policies.

334

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

11.9

DRUG TESTING There is little doubt that workplace substance abuse harms performance and productivity. As a result, employers have long looked to workplace drug testing as a tool for prevention and detection. Preemployment drug testing aids in the detection of potential workplace abusers before they are hired. For those who are already on the job, tests can be conducted based on reasonable suspicion, after an accident or injury, at random intervals, after a return to duty following a violation, and as a follow-up to treatment. Workplace drug testing also serves as a deterrent, creating a fear of being caught. Employers have both a right and a duty to promote a drug-free workplace. Drug testing is now widely considered an important component in maintaining a safe and healthy workplace and is used widely. In the United States, the Drug-Free Workplace Act of 1988 requires all businesses contracting with the federal government and receiving grants over $25,000 to certify that they have policies for creating and maintaining a drug-free workplace. Other legislation and regulations require periodic drug testing for some workers in the transportation and public service industries.

11.9.1

METHODS Drug testing is a scientific examination of a biological specimen for the presence of a specific drug or its metabolite (a chemical byproduct left behind after the body metabolizes the substance). The type of specimen analyzed most often is urine, but blood, hair, and saliva may also be tested. Urine testing is preferred because collection is not considered intrusive (that is, the body does not need to be punctured to collect the specimen as it is in the drawing of blood). Collection techniques follow careful protocols ensuring the privacy of the provider. Once the specimen is collected, it is sealed, labeled, and sent to a laboratory for examination. Usually the sample is split; part is used for testing and the rest is preserved (usually frozen) for future examination if necessary. The testing sample is then subjected to one or more preliminary tests, such as immunoassays, radioimmunoassay, and thin-layer chromatography. Of these, thin-layer chromatography (TLC) is the most common and least expensive. Radioimmunoassay (RIA) is the most accurate and can detect drug concentrations on the order of 1 to 5 nanograms per milliliter (1 to 5 parts per billion). If the preliminary test discovers a drug or its metabolite, a confirmatory test is used. Confirmatory tests typically use advanced technologies that are more accurate. They identify both the type of drug or metabolite present and its concentration. The more common types of confirmatory tests include high-performance liquid chromatography, gas chromatography, and gas chromatography/mass spectrometry. Of these, gas chromatography/mass

Protection of Assets  Copyright © 2012 by ASIS International

335

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

spectrometry (GC/MS) is considered the most accurate. However, all methods can yield accurate results and have withstood rigorous legal challenges. Once the specimen has been confirmed positive, the results are confidentially communicated to the employer or its representative (as in the case of an employer’s use of a medical review officer). Because specimens are labeled by number, not name, even the lab does not know to whom the specimen belongs. Employer responses to a positive result vary depending on circumstances and policy.

11.9.2

ACCURACY Drug testing is extremely accurate. A very small percentage of tests may result in a false positive, but confirmatory tests are performed in those cases. Laboratories that perform drug tests are regulated and subject to rigorous performance requirements and quality assurance procedures. Certification by the National Institute on Substance Abuse (NIDA) is difficult and expensive. Under NIDA requirements, every specimen, procedure, and test is documented. Control specimens are frequently tested to ensure accuracy and system integrity. NIDA claims that of the roughly 16 million drug tests its labs perform annually, fewer than 16 produce positive results when a drug is not present.

11.9.3

STRATEGY Many states regulate drug and alcohol testing, and organizations must be mindful of jurisdictional differences as they establish their drug-testing strategies. The following is an examination of some of the issues that should be contemplated when developing an organization’s strategy (Ferraro & Judge, 2003).

For which substances should the organization test? Federal or state law, collective bargaining agreements, and contractual obligations may limit this decision Under federal regulations, for example, an employer may test for alcohol and five controlled substances: marijuana, cocaine, amphetamines, opiates, and PCP. These five drugs are typically referred to as the DHHS-5 (Department of Health and Human Services 5). Some states require employers (federally regulated or not) to follow federal rules when adopting and administering workplace drug and alcohol programs. Employers with operations in those states would, therefore, be limited to testing for the DHHS-5. Other states, such as Iowa, permit testing for additional substances. Still other states, such as Ohio, provide financial incentives if testing includes additional drugs. Employers who are thinking of testing for substances beyond the DHHS-5 should also consider the impact of the Americans with Disabilities Act (ADA), which limits medical inquiries by employers. Strangely, under the ADA, a drug test is not considered a medical

336

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

examination but an alcohol test is. Thus, it is advisable to test only after an employment offer is made. Potentially, an ADA claim could be raised by a non-safety employee disciplined 9 because of a test that detected a substance other than one of the DHHS-5.

When should testing be performed? This is the most difficult and controversial decision in developing a drug testing policy. Tests may be performed before an employment offer is made, upon reasonable suspicion, after an accident or injury, on a random basis, after return to duty following a violation, and as a follow-up to treatment. Federal Highway Administration rules (49 CFR 382) require that commercial truck drivers submit to a test under each of those circumstances. Organizations that are exempt from federal rules should check state laws. Eleven states and two cities have laws related to when employers can or cannot conduct drug testing. For example, Vermont prohibits random testing, while Oklahoma permits post-accident testing only if there is a reasonable suspicion of illicit drug use at the time of the accident. After examining federal and state laws, organizations should determine which type of testing best fits their circumstances. The two most common types of testing are preemployment and random. Employers may also want to consider reasonable-suspicion testing, which researchers Ferraro and Judge (2003) have found in some cases to be a more effective deterrent to drug use. For example, one of the researchers interviewed approximately 2,500 workers nationwide who tested positive for drugs or alcohol and subsequently lost their jobs. In the interviews, the workers indicated that they knew their employers tested for drugs on a random basis, but they did not consequently change their drug use. Statistical analysis suggests this to be a good bet. Even in organizations that randomly test 8 percent of their workforce monthly (unusually frequent but necessary to provide the probability that each employee will be selected at least once a year), a substance abuser who uses twice a week stands only a 2.45 percent chance of testing positive in any given month. A cocaine or methamphetamine abuser who uses once a week would have just a .61 percent chance of testing positive in any given month. The likelihood of being caught is further diminished by absenteeism, holidays, vacations, and collection site availability. By contrast, the workers interviewed said they were concerned about reasonable-suspicion testing. In workplaces where employers actively tested on a reasonable-suspicion or forcause basis, the workers reported that they had attempted to stop using drugs on the job. It appears that for-cause testing programs convinced the workers that the employers were serious and would enforce their drug-testing policies. Case laws suggests that employers may not conduct such tests without some evidence of possible drug use, and reasonable suspicion requires more than a simple hunch. 9

th

See Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997).

Protection of Assets  Copyright © 2012 by ASIS International

337

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

What type of testing should be conducted? Employers must determine what types of samples to test—urine, saliva, blood, hair, or breath. In federally regulated workplaces and in states that require employers to follow federal rules, urine must be used for drug tests and saliva or breath for alcohol tests. Employers should look to statutes in each state in which they operate and follow that definition. State laws vary widely. For example, Iowa law prohibits blood tests in workplace testing programs, while Mississippi prohibits alcohol tests using urine. How drug and alcohol tests are carried out is also an important consideration. Thirteen states require split-specimen samples for all substance abuse tests. For example, an Iowa law requires that every sample must be split into two sub-samples. The first is used for testing purposes. If the test result is positive, the remaining sample is offered to the providing employee, who can have it tested at an independent laboratory. The impact of such a rule is significant. If a sample is not split in a state that requires it, the person being tested must be reinstated even if the test is positive.

Who should be tested? This decision may not be entirely at the employer’s discretion. If workers are protected by a collective bargaining agreement, the decision on whom to test will be determined bilaterally. Likewise, the Federal Highway Administration requires commercial carriers to institute and maintain a drug and alcohol testing program for all commercial drivers. Similarly, if an employer does business with the federal government or is regulated by the Department of Transportation, Nuclear Regulatory Commission, or Department of Defense, it will have to follow any applicable federal regulations concerning drug testing. Employers should check state law first, but the following is a general testing guide: Whom to Test

When to Test

all workers all workers all workers all workers all workers only safety-sensitive workers

preemployment reasonable suspicion post-accident/injury return to duty follow up randomly

Who should collect the specimens? Some states, such as Minnesota, require that sample collection be performed only by licensed medical professionals. Federal regulations that took effect January 31, 2003, require that the person collecting the specimen be “qualified.” Some states have passed laws that require even nonregulated employers to use only trained collectors. Under federal regulations only properly trained “breath alcohol technicians” may conduct alcohol tests and only “screen test technicians” may conduct alcohol screening.

338

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

Where should the specimens be collected? The choice is whether to have properly trained technicians collect the specimens at the job site or to have employees go to a medical facility and provide specimens there. Instant, onsite test kits are not currently permitted under federal rules, but in New York, for example, employers can conduct instant, on-site testing if they obtain approval from the state’s health department. Moreover, only certain labs can analyze a urine sample for drug use under some applicable laws. For federal employers, only a laboratory certified by the Department of Health and Human Services or the College of American Pathology (CAP) can analyze workplace samples for controlled substances. Many states have passed laws imposing that same requirement or more restrictive rules. Many collective bargaining agreements and other contractual relationships also require the use of a DHHS-certified or CAP-approved facility.

Who should receive the test results? Essentially, federal and state laws require that laboratory test results go through the confidential process of medical review before being reported to the employer. In a confidential telephone or in-person interview with the specimen donor, a licensed medical doctor called a medical review officer (MRO) will attempt to determine whether the laboratory result is medically justified—that is, whether something other than an illegally used controlled substance caused the positive result. If not, the MRO reports the positive test result to the employer. It is prudent for all organizations to treat test results as confidential medical information in order to protect the employee’s privacy and shield the organization from potential liability.

11.9.4

EMPLOYER INCENTIVES Organizations that implement drug-testing policies should take full advantage of available state incentives. These incentives are typically found under the workers’ compensation laws in the form of reduced annual premiums or presumed denial of benefits when a worker is found to have used prohibited substances at the time of an injury. Twelve states provide premium reductions, ranging from 5 percent to 20 percent. Those states include Alabama, Alaska, Arizona, Arkansas, Florida, Georgia, Idaho, Mississippi, Ohio, South Carolina, Tennessee, and Virginia. Another monetary benefit is found when paying workers’ compensation claims. With few exceptions, employers and their insurers need not pay workers’ compensation claims in two conditions: if the worker violated a known safety rule and if the worker’s intoxication is the cause of the injury. When such cases go to court, often the employer must prove alcohol or drug use was the cause of the injury, not just a contributing factor.

Protection of Assets  Copyright © 2012 by ASIS International

339

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

An illustrative case is Garcia v. Naylor Concrete Co. (2002). Juan Mario Garcia was employed as a welder for Naylor Concrete Company at a shopping mall project. As part of his job, Garcia was required to weld decking to a metal roof. To access the work site, Garcia had to climb a 20-foot ladder and then walk about 90 feet across four-inch joists to reach the decking. On September 30, 1997, Garcia had been welding for about an hour when he slid off the edge of the roof and was seriously injured. At the hospital, a blood test showed his bloodalcohol level as .094 percent. Garcia applied for workers’ compensation benefits. Naylor refused to grant the benefits, arguing that Garcia’s intoxication was the cause of his injuries. Garcia argued that he had been drinking the night before the accident but had not consumed alcohol on the day of the incident. The state Workers’ Compensation Commission denied the benefits on the basis of Garcia’s elevated blood alcohol level on the day of the accident. The commission reaffirmed the decision on appeal, and the state district court agreed during a judicial review. Finally, the state’s Supreme Court upheld the decision, ruling that no matter when Garcia consumed the alcohol, he was still legally drunk at work. However, it may sometimes be difficult for companies to prove that drug or alcohol use caused an employee’s injury. For example, in Kennedy v. Camellia Garden Manor (2003), the court found in favor of the employee because the employer could not prove that the employee’s prior use of marijuana had caused his injuries. Herman Kennedy was employed as an orderly for Camellia Garden Manor, a nursing home. On June 1, 2001, Kennedy injured his lower back while trying to lift a struggling quadriplegic resident out of a whirlpool bath. Kennedy was ordered to provide a urine specimen for drug testing purposes. The test was positive for marijuana. The employer fired Kennedy and refused to pay his workers’ compensation claim because of the positive drug test. Kennedy appealed to the state workers’ compensation board, claiming that the injury was caused by lifting the struggling resident and not by any prior use of marijuana. The board found in favor of Kennedy, ruling that the company could not prove that intoxication was the cause of his injuries. On appeal, the district court upheld the board’s decision. The employer was ordered to pay the claim. Another financial incentive comes in the form of immunity from prosecution in certain employment-related lawsuits. For example, in Idaho, employers who fire an employee as a result of a positive drug test or refusal to provide a specimen for testing are given immunity from lawsuits. Such immunity is waived in cases where the test results were false and the employer knew or clearly should have known they were false.

340

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE 11.9 Drug Testing

Four states—Arkansas, Iowa, Minnesota, and North Dakota—provide immunity for disclosure of records when requested by a prospective employer. For example, an Arkansas law provides for disclosure of the results of drug or alcohol tests administered within one year prior to the request. Iowa law, however, stipulates the conditions under which such information may be released. The law says that immunity is waived if the employer knowingly provides information to a person who has no legitimate or common interest in receiving the workrelated information. Similarly, immunity is waived if the work-related information is not relevant to the inquiry being made, is provided with malice, or is provided in bad faith.

11.9.5

LIABILITY Though drug testing programs can provide monetary rewards, poorly managed programs can lead to costly outcomes in court. A rule governing all federal employers requires that all personnel who collect specimens from employees be qualified. The rule also applies to private employers if state laws require that they follow federal rules. For example, 18 states require certain employers to follow federal laws. Even if collection personnel work for a third party, they are considered agents of the employer, leaving the employer liable if that party breaks the law. Private employers not covered by the law must still be cautious about the way a drug testing program is conducted. If an employer has its own employees (not outside professionals) collect urine samples, the employer must collect the samples in a reasonable manner, in accordance with appropriate procedures. An additional complication is the issue of chain of custody. The chain of custody establishes who handled the specimen from the time it was provided to the time testing results were rendered. Should the chain of custody be broken, the result is deemed invalid. Poor record keeping can bring challenges to the chain of custody and easily jeopardize the validity of a test result. Employers that collect their own specimens are most at risk. Unless the employer establishes strict handling procedures and tightly manages its record keeping, broken chain of custody claims cannot be defended. The employer may not only see the test result invalidated but also end up in court. Drug testing offers many potential benefits, including improved safety and reduced injuries. However, organizations that test for drugs must devise sound written policies and be prepared to navigate the ever-changing rules and regulations.

Protection of Assets  Copyright © 2012 by ASIS International

341

WORKPLACE SUBSTANCE ABUSE Appendix A: Drug Glossary

APPENDIX A DRUG GLOSSARY

STREET NAME

MEANING

STREET NAME

MEANING

acid

LSD

heat

the police

angel dust

phencyclidine

high

under the influence

bag

packet of drugs

hip

non-threatening

base

base cocaine

joint

marijuana cigarette

bindle

packet of drugs

killer weed

PCP-treated marijuana

blotter acid

LSD

meth

methamphetamine

bread

money

microdot

LSD

bunk

low quality substance

nickel bag

$5 quantity

busted

arrested

pop

inject drugs

chipping

occasional use

pot

marijuana

coke

cocaine

reefer

marijuana cigarette

connection

drug dealer

roach

marijuana butt

cop

to obtain drugs

rock

smokable cocaine

cop out

to inform or sell out

rush

euphoria

crack

smokable cocaine

sinsemilla

seedless marijuana

crash

to sober up

skin popping

injecting under skin

crystal

methamphetamine

smack

heroin

cut

additive or impurity

smoke

marijuana

dealer

drug dealer

snort

inhale through nose

dime bag

$10 quantity

speed

methamphetamine

flake

cocaine

speedball

cocaine with heroin

freebase

smoke cocaine

stick

marijuana cigarette

grass

marijuana

weed

marijuana

h

heroin

whites

amphetamines

hash

hashish, marijuana

white stuff

cocaine or heroin

hash oil

hashish oil

works

paraphernalia

342

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix B: Common Questions About Drug Testing

APPENDIX B COMMON QUESTIONS ABOUT DRUG TESTING

What do drug tests typically test for? x alcohol

x cocaine

x amphetamines and methamphetamines

x opiates x phencyclidine

x marijuana (and marijuana derivatives) Could a person be affected or test positive as a result of secondhand marijuana smoke? No. Although passive inhalation can occur, typically the amounts ingested in that manner are so low that impairment is nearly impossible, as is the possibility for testing positive. Aren’t drug tests discriminatory? Don’t they violate employees’ rights? No. Drug testing under most circumstances is not considered discriminatory or illegal. Employers have the right to create and maintain a drug-free workplace. Drug testing is one of the many legal tools available to the employer to ensure a safe and healthy workplace. What happens if an employee refuses to be tested? An employer cannot force an employee to take a drug test. However, refusal to take a drug test may be a violation of the employer’s drug policy or may be considered insubordinate. Before refusing, an employee should read the policy or talk to a human resources representative. Can vitamins or other substances cause false positives? Not typically. Before providing a specimen, the employee is asked to identify any medication or other substances that may influence test results. The answers are kept confidential and can aid in ensuring accurate test results. How long do most drugs stay in a person’s system? The length of time a drug remains in one’s system is based on a number of factors, including the type of drug, amount ingested, body weight, and metabolism. The length of time drugs remain detectable in the body is called the window of detection.

Protection of Assets  Copyright © 2012 by ASIS International

343

WORKPLACE SUBSTANCE ABUSE Appendix B: Common Questions About Drug Testing

Does a positive drug test indicate that the employee was impaired or under the influence? Not necessarily. Only alcohol has legal blood limits. However, in most instances the mere presence of a controlled substance in one’s system constitutes a policy violation. Where can employees get more information? They should contact the employee assistance program or a human resources representative.

344

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix C: Supervisor’s Checklist

APPENDIX C SUPERVISOR’S CHECKLIST This checklist includes behaviors and symptoms that may be indicators of substance abuse. However, the presence of some of the indicators does not necessarily mean a person has a substance abuse problem. Users of this checklist are encouraged to look for clusters of behaviors and symptoms merely as an aid to identifying potential employee substance abuse.

Tardiness and Absenteeism x taking frequent breaks

x absence before and after holidays

x taking long lunches

x absence Mondays and Fridays

x repeated tardiness

x immediate use of vacation earned

x arriving late and leaving early x absence from area or office

x absence during period of heavy workloads

x abnormal number of visits to restroom

x calling in sick after denial for vacation

x unexplained absences

x requests for vacation extensions

x absences due to accidents on and off the job

x requests for sick leave extensions x extending sick leave repeatedly

x absence before and after paydays

Performance x repeated procrastination x repeated lateness in completing assignments x irresponsibility in completing assignments x faulty decision-making x increased accident rates x increased errors in judgment x unnecessary wasted materials and scrap

x general lack of interest in work or product x difficulty in handling difficult assignments x difficulty in recalling previous mistakes x alternate periods of high and low productivity x missed deadlines x mistakes due to poor judgment

x unnecessary damage to equipment

x customer or client complaints

x excessive time taken to perform assigned tasks

x inappropriate behavior around others

x difficulty in recalling instructions

x sloppy work habits

Protection of Assets  Copyright © 2012 by ASIS International

x general carelessness

345

WORKPLACE SUBSTANCE ABUSE Appendix C: Supervisor’s Checklist

Interpersonal Relationships x inappropriate emotional outbursts

x isolation from coworkers and friends

x mood swings, early or late in day

x physical volatility

x overreacting to criticism

x exaggerated self-importance

x constantly blaming others

x unbending and unreasonable manner

x making inappropriate statements or comments

x excessive time on the telephone

x rambling, incoherent speech

x failure to keep appointments

x failure to keep commitments

Appearance and Mood x inappropriate clothing

x withdrawn demeanor

x personal hygiene ignored

x unusually deep sadness

x body odor, unkempt hair

x inappropriate laughter

x little interest in general appearance

x suspiciousness

x glazed or red eyes

x paranoia

x slurred speech

x extreme sensitivity

x staggered gait

x unusual irritability

x outbreaks of heavy perspiration

x preoccupation with death and illness

x use of sunglasses at inappropriate times

346

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix D: Intervention Checklist

APPENDIX D INTERVENTION CHECKLIST The purpose of intervention is to correct, not punish. For best results, supervisors and managers should follow these steps: x

Observe and document.

x

Confront the problem employee in private.

x

Discuss performance and behavior.

x

Affirm expectations.

x

Offer reasonable accommodations.

x

Set goals.

x

Document results.

x

Communicate with upper management.

x

Follow up.

They should never: x

Diagnose a personal problem.

x

Take responsibility for other people’s personal problems or issues.

x

Generalize.

x

Moralize.

x

Cover up.

x

Self-treat.

x

Engage in a confidential or protective relationship.

They should always: x

Monitor performance and behavior.

x

Document specifics.

x

Follow organizational policy and procedures.

x

Consult with employee in private.

x

Interview with a witness.

x

Offer professional assistance.

x

Let the employee know they care.

x

Let the employee make a choice.

Protection of Assets  Copyright © 2012 by ASIS International

347

WORKPLACE SUBSTANCE ABUSE Appendix E: U.S. Federal Legislation

APPENDIX E U.S. FEDERAL LEGISLATION Vocational Rehabilitation Act (29 USC 701, et seq.) Under the Vocational Rehabilitation Act, an individual with a disability does not include “an individual who is currently engaging in the illegal use of drugs, when a covered entity [employer] acts on the basis of such use,” or “an individual who is an alcoholic whose current use of alcohol prevents such individual from performing the duties of the job in question or whose employment, by reason of such current alcohol abuse, would constitute a direct threat to property or the safety of others.” The act also states that one will not be excluded as “an individual with a disability” who has successfully completed a drug rehabilitation program and is no longer engaging in the illegal use of drugs, or has otherwise been rehabilitated successfully and is no longer engaging in such use, or is currently participating in a rehabilitation program and no longer using drugs illegally. The act states that it is not a violation for a covered entity (employer) to adopt reasonable policies or procedures, including drug testing, to ensure that rehabilitated individuals are no longer using drugs illegally.

Americans with Disabilities Act (42 USC 12101, et seq.) The Americans with Disabilities Act (ADA) states in Section 12114(d)(1) that a test to determine illegal use of drugs shall not be regarded as a medical examination. (A medical examination may not be required unless an employment offer has been made and may only be required following an employment offer if all candidates are examined, not merely those with disabilities.) In 12114(d)(2), the ADA states that it “does not encourage, prohibit or authorize” tests for illegal drug use by applicants or employees. In other words, it is neutral. As long as job discrimination is not based on former use or abuse that does not currently affect job performance or safety, firms subject to the ADA will not be prevented from screening.

Drug Free Workplace Act (41 USC 701, et seq.) The Drug Free Workplace Act imposes duties on individuals and other entities that contract with or receive grants from the federal government, and on their employees. The act requires that employers pledge to maintain a drug-free work-place by x publishing a statement that unlawful manufacture, distribution, possession, or use of a controlled substance is prohibited in the workplace; x providing all employees with a copy of the statement; x making all employees aware that they must abide by the terms of the statement and notify the employer within five days of any drug statute conviction for a violation occurring in the workplace;

348

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix E: U.S. Federal Legislation

x imposing a sanction on or requiring satisfactory participation in a drug abuse assistance or rehabilitation program by any employee so convicted; x notifying the government within 10 days of receiving notice of an employee drug conviction; and x maintaining a credible drug-free awareness program. The Drug Free Workplace Act also requires the employer, within 30 days after receiving notice from an employee of a drug conviction, to take appropriate action against that employee (up to and including termination), or to require the employee to participate satisfactorily in a drug abuse assistance or rehabilitation program that has been approved by a federal, state, or local health, law enforcement or other appropriate agency. A specific provision in section 12114(c)(3) of the ADA permits employers to require employees to comply with the provisions of the Drug Free Workplace Act.

Family and Medical Leave Act (29 USC 2601, et seq.) The Family and Medical Leave Act obliges employers of 50 or more employees within 75 miles of the facility to grant leave of up to 12 work weeks to employees who have been employed at least 12 months and worked at least 1,250 hours during the previous 12-month period. The leave must be granted, among other reasons, to an employee who has a serious health condition that makes the individual unable to perform the functions of the position. The act defines a serious health condition as an “injury, illness, impairment or physical or mental condition” that involves inpatient medical care or continuing treatment by a health care provider. The leave may be unpaid, but an employer who grants less than 12 weeks of personal, sick, or vacation leave annually may require the employee to exhaust that leave as part of the leave provided under the act. Any remaining leave needed to make up the full 12 weeks, should they be required, is unpaid. Upon timely return from leave, the employee is reinstated to the same or equivalent position and suffers no loss of benefits or seniority. (This last provision does not apply to salaried employees who are among the highest-paid 10 percent of the workforce.) Because both the Vocational Rehabilitation Act and the Americans with Disabilities Act protect employees in rehabilitation programs, and because detoxification or other medical need arising from such participation could be described and certified as a serious health condition, there will be situations in which such leave is sought. An employer who seeks to deny or interfere with rights under the act, or to discriminate against employees who file charges or give testimony in a proceeding held under provisions of the act, is liable to an aggrieved employee for civil damages of x any lost wages or actual costs up to 12 weeks’ pay; x interest on that amount; x liquidated damages in an amount equal to the actual costs; x the costs of the action; a reasonable attorney’s fee; and x equitable relief, including reinstatement, employment, and promotion, as appropriate.

Protection of Assets  Copyright © 2012 by ASIS International

349

WORKPLACE SUBSTANCE ABUSE Appendix F: Sample Substance Abuse Policy

APPENDIX F SAMPLE SUBSTANCE ABUSE POLICY Scope XYZ Company is a drug-free workplace and does not permit its employees to be impaired by drugs or alcohol while on Company time or property. Violation of any of the rules and regulations, procedures, requirements, or the spirit of this guideline will result in corrective action. Depending on the circumstances, appropriate corrective action may include termination from employment, suspension, warning, probation, or any lesser sanction; or other action in the Company’s discretion deemed to be commensurate with the problem.

Use or Possession at Work The use or possession of alcoholic beverages or illegal drugs, and the unlawful manufacture, distribution, dispensation, possession, or offer of, or use of a controlled substance, while on Company property, on the job, or performing Company business, is prohibited. This includes possession of drug paraphernalia or empty alcohol containers on company time or company property. The only exception to this rule is that, on occasion, alcohol may be served at Company-sponsored events, such as a holiday party. In those instances, responsible, moderate consumption of alcoholic beverages is not a violation of this policy.

Impairment Appearing for work or performing any job duties or Company business while impaired by alcohol or drugs is prohibited. Employees who are believed to be impaired on the job may, in addition to any other appropriate action, be suspended, sent home, or reassigned for safety reasons while the situation is evaluated.

Off-Duty Use The use of alcohol off-duty and off-premises in any manner that results in impairment on the job, that adversely affects attendance or job performance, or that otherwise adversely reflects on the Company is prohibited. The use of illegal drugs by employees, whether on-or off-duty and whether on-or off-premises, is prohibited under all circumstances.

350

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix F: Sample Substance Abuse Policy

Legal Drugs The use of legal drugs (over-the-counter or prescription medications) in accordance with a doctor’s orders or manufacturer’s recommendations is not prohibited. Abuse of legal drugs shall be considered to be the same as use of illegal drugs under this policy. If use of legal drugs in accordance with a doctor’s orders or manufacturer’s recommendations may impair the employee’s ability to safely and effectively perform his or her job, the employee must so notify his or her supervisor in advance, so that any necessary arrangements can be made to protect safety and productivity.

Drug Convictions Any employee who is convicted of any criminal drug violation occurring in the workplace must so notify his or her supervisor within five days after the conviction. XYZ Company may be required to report such information to governmental agencies with which it contracts.

Job Applicants XYZ Company will not knowingly hire a job applicant who is currently abusing alcohol or legal drugs or currently using illegal drugs.

Right of Inspection XYZ Company reserves the right to inspect with or without notice at any time all vehicles, lunch containers, purses, boxes, packages, desks, lockers, and other personal property of employees on XYZ Company premises for the purpose of enforcing this policy or other safety and security reasons. XYZ Company premises include all employee parking areas and company-designated parking lots.

Drug and Alcohol Testing Policy XYZ Company may require any employee or job applicant to submit to a breath and/or urine test for drugs or alcohol, in the following circumstances: Preemployment. Preemployment testing shall be required for all job applicants within specified facilities or job categories as determined by management from time to time. Applicants who fail to pass a preemployment drug or alcohol test will be ineligible for employment for a minimum of one year. Reasonable suspicion. XYZ Company may require any employee to be tested for the presence of drugs or alcohol based on reasonable suspicion. Reasonable suspicion shall be defined as a reasonable suspicion, by a supervisor or above, concurred with by the senior manager available within the affected facility or department, that an employee’s faculties are impaired on the job or that an employee has used or possessed illegal drugs. This determination of a reasonable suspicion may be based on a variety of factors, including but not limited to the following:

Protection of Assets  Copyright © 2012 by ASIS International

351

WORKPLACE SUBSTANCE ABUSE Appendix F: Sample Substance Abuse Policy

x direct observation or reports reasonably believed to be reliable from coworkers or others x possession of drugs or alcohol on the premises, or use of drugs or alcohol at work, prior to work or on breaks (such that the employee is impaired while on company premises) x behavior, speech, or other physical signs consistent with impairment x a pattern of abnormal conduct or erratic behavior, which is not otherwise satisfactorily explained x unexplained accidents, on-the-job injuries, or property damage x a combination of some of the above factors and/or other factors in the judgment of management Management’s determination of reasonable cause shall be discretionary and shall be final. Universal. Universal drug testing may be required of all employees within specified facilitates or departments designated by XYZ Company management from time to time. Selection of covered employees to be tested (randomization) shall be conducted by XYZ Company’s testing service provider according to systems established by the provider, which shall notify XYZ Company of the employees to be tested. Universal testing may be conducted at unannounced times spread throughout the year. Refusal to submit to or cooperate in the administration of requested testing, or testing positive for illegal drugs or alcohol, will result in termination of employment, except as provided in the Rehabilitation section of the Substance Abuse guideline.

Testing Process Scope. Drug and alcohol testing of applicants or employees may include a urinalysis and/or breath analysis sample testing as determined by XYZ Company and the testing service provider. Testing may include, but may not be limited to, detecting the presence of marijuana, cocaine, opiates, amphetamines, and phencyclidine (PCP). XYZ Company may increase or decrease the list of substances for which testing is conducted at any time, with or without notice. In addition, XYZ Company may require separate samples if multiple tests are conducted. Test levels and standards will be established by XYZ Company and the testing service provider. Confirmation. Initial positive tests shall be confirmed using a second test in accordance with applicable law. Specimen for testing. Testing shall be conducted at a facility designated by XYZ Company. Job applicants and employees selected for universal or reasonable cause testing shall appear at the facility and provide the necessary sample at the precise time and place specified by XYZ Company. Employees tested based on a suspicion that the employee may be impaired shall be

352

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE Appendix F: Sample Substance Abuse Policy

transported to the testing site by a supervisor or another person designated by XYZ Company. The applicant or employee must sign any consent requested and provide any other requested information; failure or refusal to do so may result in discharge or denial of employment. Testing an injured employee. An employee who is seriously injured and cannot provide a specimen at the time of the accident shall provide the necessary authorization to obtain hospital reports and other documents that may indicate whether there were any controlled substances or alcohol in his or her system. Notification of results. Employees and applicants will receive notification of positive test results and will be given an opportunity to explain such results. Failure to timely respond may result in an uncontested positive verification

Rehabilitation Purpose and responsibility. XYZ Company recognizes that drug dependency and alcoholism are health problems and, in management’s sole discretion, on a case-by-case basis, will attempt to work with and assist an employee who becomes dependent on drugs or alcohol. The employee will be assisted in identifying rehabilitation services, referral agencies, or other resources to help the employee in dealing with his or her problem. It is the employee’s responsibility, however, to see that such problems do not interfere with proper job performance or expose others to the risk of harm. All employees are urged to obtain any necessary help before a personal problem becomes an employment problem. Evaluation and treatment. An employee may be allowed, as an alternative to discipline or discharge for violation of this policy, to undergo an evaluation for chemical dependency. This alternative may be offered on a case-by-case basis, in the sole discretion of XYZ Company management. If recommended by an evaluation, enrollment in and successful completion of an approved program of chemical dependency or alcoholism treatment may, in the sole discretion of XYZ Company management, be offered once as an alternative to disciplinary action of an employee (not applicable to job applicants) and as a condition of continuing employment. Eligibility to return to work, and any special conditions on the employee’s work, shall be determined on a case-by-case basis considering all relevant circumstances, including XYZ Company’s interest in safety and operational efficiency.

Costs Mandatory drug/alcohol testing costs shall be paid by XYZ Company; treatment costs shall be the responsibility of the employee to the extent not covered by the employee’s health insurance.

Protection of Assets  Copyright © 2012 by ASIS International

353

WORKPLACE SUBSTANCE ABUSE Appendix F: Sample Substance Abuse Policy

Definitions Impairment. This is a condition induced by any drug or alcohol or the combination of any drug and alcohol that affects the employee in any physically or mentally detectable manner. The symptoms of impairment are not confined to those consistent with misbehavior or of obvious impairment of physical or mental ability, such as slurred speech, difficulty in maintaining balance, or the odor of alcohol. A determination of impairment may be established by any supervisor or manager, a medical professional, a scientifically conducted test such as urinalysis, or in some instances by a layperson. Furthermore, in some cases lacking any objective or subjective indicator, the mere consumption of a drug and/or alcohol may constitute impairment. Illegal drugs. An illegal drug is any drug that is (a) not legally obtainable or (b) legally obtainable but has not been legally obtained or used. The term includes prescribed drugs not legally obtained and prescribed drugs not being used for prescribed purposes. Included are prescription drugs shared with a coworker under any circumstances. Legal drug. A legal drug is any prescribed drug or over-the-counter drug that has been legally obtained and is being used for the purpose for which it was prescribed or manufactured. Drug paraphernalia. These are items, tools, and devices commonly used in the preparation, storage, and administration of illegal drugs. Examples include but are not limited to rolling papers, roach clips, glass pipes, water pipes and bongs, drug vials, straws and spoons, and in some cases hypodermic syringes. Serious injury. This is any work-related injury resulting in the stoppage of work and requiring medical attention of any kind.

354

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE SUBSTANCE ABUSE References

REFERENCES Code of Federal Regulations. (2007). Controlled substances and alcohol use and testing. 49 CFR 382. Drug Enforcement Administration. (2006). Drug information. Available: http://www.usdoj.gov/ dea/concern/concern.htm [2007, September 9]. Ferraro, E. F. (1994). Employer’s guide to a drug-free workplace. Golden, CO: Business Controls, Inc. Ferraro, E. F., & Judge, W. J. (2003, May). Put your drug policy to the test. Security Management. Garcia v. Naylor Concrete Co., 650 N.W.2d 87, 90 (Iowa 2002). th

Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997). Kennedy v. Camellia Garden Manor, Louisiana Circuit Court, 2003. Department of Health and Human Services. (2007). Alcohol. Available: https://ncadistore.samhsa. gov/catalog/facts.aspx?topic=3&h= [2007, September 3]. Department of Health and Human Services. (2007). Results from the 2006 National Survey on Drug Use and Health: National findings. Available: http://www.oas.samhsa.gov/nsduh/2k6nsduh/ 2k6Results.cfm#2.10 [2007, September 14]. United States Code. (2007). Treatment of controlled substance analogues. 21 USC 813.

Protection of Assets  Copyright © 2012 by ASIS International

355

CHAPTER 12 ADDRESSING WORKPLACE VIOLENCE THROUGH VIOLENCE RISK ASSESSMENT AND MANAGEMENT

12.1

INTRODUCTION People have long been concerned about violence, but the use of behavioral assessment and th th intervention to prevent violent behavior is fairly new. During the late 19 and early 20 centuries in the United States, the legal system began to ask “alienists,” who are now called psychiatrists, to render opinions concerning the propensity (likelihood) of identified individuals to commit violence in the future. These opinions were used in both criminal and civil proceedings to determine whether people should be incarcerated and for how long, where they should be held, and under what circumstances they should be released. Unfortunately, psychological studies from the 1960s to the 1990s show that psychiatrists and psychologists who use only their own judgment in such cases are only 40 to 70 percent accurate in predicting violent behavior, depending on how violence is defined, the duration of the prediction follow-up, and the population assessed. Clinical judgments alone rarely 10 outperform actuarial approaches alone. These studies spurred an explosion of psychological research on how to increase the accuracy of predictions and created a specialty called violence risk assessment and management.

10

See two meta-analyses covering a wide range of studies: (1) William M. Grove and Paul E. Meehl, “Comparative Efficiency of Informal (Subjective, Impressionistic) and Formal (Mechanical, Algorithmic) Prediction Procedures: The Clinical-Statistical Controversy,” Psychology, Public Policy, and Law, Vol. 2, No. 2, 1996, pp. 293-323, and (2) Douglas Mossman, “Assessing Predictions of Violence: Being Accurate about Accuracy,” Journal of Consulting and Clinical Psychology, Vol. 62, No. 4, 1994, pp. 783-792.

Protection of Assets  Copyright © 2012 by ASIS International

357

WORKPLACE VIOLENCE 12.1 Introduction

At the same time, the public began to hear about more violence in the workplace, particularly single and mass homicides. In addition, the U.S. government began to gather statistics and develop expectations of what employers should do to provide a safe workplace. A study by the National Institute for Occupational Safety and Health for the period 1980 to 1995 (National Institute for Occupational Safety and Health, 2001) showed that murder was the leading cause of death in the workplace for women and the second leading cause of death in the workplace for all workers in the United States during that period. However, the number of workplace homicides per capita has decreased in the United States since those peak years in the early 1990s (see Figure 12-1). Most workplace homicides result from robberies and similar criminal violence. An examination of workplace violence incidents not involving robbery reveals that perpetrators progressively move through stages resulting in violence. However, a more disturbing subset of violence has become more prominent and is an ongoing concern for employers and employees—mass murder by individuals who are closely connected with the workplace. They include employees, spouses or significant others, long-time customers or clients, shareholders, and suppliers to the business. They commit targeted acts of violence against company personnel who, in their view, have caused them a loss of some type. Even when these individuals do not commit homicide, they cause problems that must be assessed and resolved. A study by Northwestern National Life Insurance Company (1993) stated that 2 million Americans were attacked in the workplace in 1992, 6 million were threatened, and 16 million were harassed. Incidents of homicide, assault, threats, and harassment in the workplace will likely continue to contribute to the turbulence of modern society and reinforce some individuals’ perception that violence is an acceptable way to accomplish their goals.

358

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.1 Introduction

Workplace Homicide, United States 1,200 1,100

1,080

1,036 927

1,000

860

900

714

800

677

651

700

643 609

632 559

600

628

567

542

540

526

2006 2007

2008 2009

500 400 1994

1995 1996

1997

Fatal Occupational Injuries, by Cause

1998 1999

2000 2001

2002 2003

2004 2005

Average 1994-1997

Average 1998-2002

Average 2003-2007

2008

2009

1219

910

831

816

837

Assaults and violent acts Homicides

976

659

585

526

542

Shootings

791

519

458

421

434

Stabbings

70

61

54

33

49

Other (including bombings) Self-inflicted

115

79

73

72

59

214

218

202

263

263

Source: Census of Fatal Occupational Injuries, Bureau of Labor Statistics, U.S. Department of Labor, http://www.bls.gov/ iif/osh_nwrl.htm#cfoi. Note: The homicide figures show a marked decline from the 1994 high of 1,080 workplace homicides. These figures are for private-sector workplaces only.

Figure 12-1 U.S. Fatal Occupational Injuries by Event or Exposure, 1994–2009

Protection of Assets  Copyright © 2012 by ASIS International

359

WORKPLACE VIOLENCE 12.2 Conceptual Framework

12.2

CONCEPTUAL FRAMEWORK The security profession has developed ample means to deal with robberies and other criminal acts that can lead to violence: lighting, locks, bandit barriers, timed safes, closedcircuit television, and more. But only in the last 20 years has a new approach evolved—an interdisciplinary workplace violence risk assessment and management process that allows for the identification and assessment of individuals so they can be diverted from violence before they act. Like other forms of risk assessment, violence risk assessment provides information that aids in appropriate allocation of resources to minimize harm. Violence risk assessment helps differentiate between individuals who pose a threat and those who solely make threats. Security programs aim first to divert someone from committing an unsafe or harmful act and then, if diversion is unsuccessful, to delay the person’s progress in committing the act until trained individuals are notified and respond to the problem. All effective security programs assume that an effective response by properly trained personnel will occur if the perpetrator is not diverted. In the case of threats of workplace violence, this means that one of the planned responses should be (at a predetermined threshold of assessed potential for immediate, physical violence) a response by correctly trained, armed personnel who will handle the situation. In some workplace violence situations, these responders may be law enforcement personnel. However, because of law enforcement’s average response time to crimes of violence 11 (more than 11 minutes in 40 percent of cases in the United States ) and a company’s prior notice of the problem, the only legally defensible option may be to use properly qualified private security personnel. Like a typical security program, a violence risk assessment program employs diversion, delay, and response, but they are the last elements in the program. The most distinctive and important elements are behavioral recognition, notification, assessment, and intervention by planned disruption. Those elements are used before physical security elements come into play. The long-term solution to each situation of potential workplace violence lies in understanding the emotional and mental state of the aggressor and diverting him or her from violence, not solely in strengthening security measures. Early awareness of the problem allows for a thorough assessment and successful intervention. Consequently, companies should develop a comprehensive violence risk assessment and management system that requires reporting of threats to a central position in the company, a thorough assessment of the threats, and a coordinated response to the assessment, involving legal, human resources, security, behavioral, and other organizational and community elements.

11

Bureau of Justice Statistics, National Criminal Victimization Survey, 2003 (Washington, DC: U.S. Department of Justice, 2005). NCJ 207811, available at http://bjs.ojp.usdoj.gov/.

360

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.3 Focus Areas

12.3

FOCUS AREAS Every employer in the United States has an obligation to provide a safe workplace. This obligation could arise from federal laws, state laws, local ordinances, case law precedents, or all those sources. The obligation extends to employees, contractors, visitors, and guests on the premises and generally does not distinguish between internal and external sources of danger. Consequently, if an employer or its representative has reasonable cause to believe that someone may commit an act of violence on the premises or against one of the organization’s employees who is acting within the scope of his or her duties at another location, the employer has an obligation to protect the potential victim. It does not matter whether the aggressor is an employee, spouse or significant other of an employee, shareholder, contractor, supplier, vendor, client, guest, or third party. For example, in Tepel v. Equitable Life Assurance Society (1990) an employee whose husband came to her office and assaulted her successfully sued her employer. The jury held that the employer had known about the husband’s prior threats to harm the employee and had not taken adequate steps to protect her or her coworkers. This level of obligation may be greater than what is understood by the business community, but it has been enforced consistently in state and federal courts and regulatory proceedings. A violence risk assessment program must address a variety of workplace behaviors. Policies and programs dealing with inappropriate workplace conduct, including harassment, intimidation, and discrimination, should be seen as related to the violence risk assessment program because in some cases such behaviors are early warning signs that can lead to violence. Other behaviors that would fall directly into a violence risk assessment program include oral or written threats, assaults with or without battery, stalking, sabotage or vandalism, and homicide. Business-related concerns that the program should address include liability, productivity, workplace morale, and associated costs. The primary source of concern may be the cost of being proven liable for negligence in a tragic incident of workplace violence. There is good reason for concern, as lawsuits claiming negligent security continue to grow in number and cost to businesses throughout the United States. Judgments and settlements for wrongful death cases are averaging more than $2.8 million dollars (Anderson, 2002). However, the greatest economic cost to organizations for acts of violence may come from the loss of morale and productivity. Hundreds of thousands of dollars per incident can be lost in work group productivity due to the absenteeism, sick leave, work slowdowns, management and worker distraction, and general disruption that may follow workplace violence. The costs for treating injuries, too, should not be ignored. Treatment for a single crime-related injury can easily cost tens of thousands of dollars. Further information on productivity and injury costs can be found in Victim Costs and Consequences: A New Look (National Institute of Justice, 1996).

Protection of Assets  Copyright © 2012 by ASIS International

361

WORKPLACE VIOLENCE 12.4 Liability and Legal Considerations

A further consideration is the level of outside support that the company can tap into for a violence risk assessment and management program. The company must be ready to contend with the following problems: (1) limited law enforcement resources to respond to potential violence in the workplace; (2) limited but growing legal experience in workplace violence management; (3) limited number of defensible experts in the psychopathologies and behaviors associated with violence; and (4) limited number of security firms that understand the limits of their role and are capable of providing the broad spectrum of responses necessary. Many unqualified individuals and companies claim expertise in violence risk assessment and 12 management.

12.4

LIABILITY AND LEGAL CONSIDERATIONS Various laws and regulations require U.S. employers to provide a safe workplace. An example of relevant federal law is OSHA 29 U.S.C. § 654(a)(1). Many states, such as California, have enacted similar or additional guidelines (e.g., California Labor Code-6400 and Injury and Illness Prevention Program (6401.7)). A company with locations in several jurisdictions should research the laws in each location. Types of statutes to look for include those that cover threats or threatening behavior, terroristic threats, stalking, threatening or harassing phone calls, trespassing after issuing a threat, violation of a restraining or protective order, possession of illegal or dangerous weapons, brandishing or exhibiting a deadly weapon, assault, battery, assault with a deadly weapon, rape, robbery, armed robbery, maiming, attempted homicide, kidnapping, and homicide. In addition, certain legal duties and tort concepts have become associated with claims and lawsuits arising from workplace violence. Some workplace violence lawsuits have been filed 13 under claims of violations of Title VII discrimination protections, violations of the Americans with Disabilities Act, violations of the Rehabilitation Act, defamation, slander, invasion of privacy, harassment, negligent security, negligent hiring, negligent supervision, negligent retention, employer’s vicarious liability, and other torts. Examples include the following: x former employee returning to kill coworkers after employee assistance program claims he can be fired safely (Allman v. Dormer Tools, Inc.) x supervisor/coworker battery (Clark v. Pangan, 2000) x domestic violence in the workplace (Civil Action, 2001)

12

13

For more information on qualifying security consultants and contractors, see Chapter 8, Consultants as a Protection Resource. Title VII of the U.S. Civil Rights Act of 1964.

362

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.5 Behavioral Dynamic of Workplace Violence

x security director’s threat of violence against an employee (Herrick v. Quality Inn Hotel, 1993) x employee shooting of a supervisor (Smith v. National Railroad Passenger Corporation, 1988) These legal issues are addressed in detail in other sections of Protection of Assets. It is important that the company research, document, and understand the method by which it or its employees can obtain restraining or protective orders against individuals who threaten to harm them. In many jurisdictions such orders can only be obtained by individual (natural person) victims. However, the law is beginning to recognize that business entities can also be the victims of threats and harassment and may need court orders for protection (e.g., 527.8 California Code of Civil Procedure). Some individuals question the value of a piece of paper as protection from violence. Studies (such as Meloy, 1997) have shown that the majority of protective or restraining orders aid in the cessation of violence. However, it is important to obtain them early in the cycle of violence. For example, in 1988, after stalking a coworker for years, even after being fired, Richard Farley went on a shooting spree at his former workplace, Electromagnetic Systems Labs in California, killing seven and wounding three. The object of his stalking, Laura Black, did not obtain a restraining order against him until two years after he was fired for his stalking behavior, and she now believes that 14 obtaining it earlier might have prevented the tragedy.

12.5

BEHAVIORAL DYNAMIC OF WORKPLACE VIOLENCE Before committing violence, a workplace aggressor must first determine that violence is an acceptable means to establish or reestablish control (Corcoran and Cawood, 2003, p. 6). Next, the aggressor selects targets (against which attacks will give the person a sense of control) and locations (that will allow the aggressor to succeed). Then the act of violence can occur (Corcoran and Cawood, 2003, p. 6). In deciding to commit violence, aggressors do not “snap” but go through a process of emotional escalation or, in the case of psychopaths, nonemotional decision making. For security practitioners. the most effective means of preventing workplace violence is early detection of this behavioral, emotional, and psychological dynamic. The way to detect individuals who are destabilized and seeking control is to assess their mental and emotional levels along a continuum of violent behavior and then develop a plan to divert them from violence through a case-specific use of communication, company resources, community resources, and the legal system.

14

Television interview of Laura Black on 2/9/93 by KPIX TV (Channel 5), San Francisco, CA, following a presentation of the Laura Black Story.

Protection of Assets  Copyright © 2012 by ASIS International

363

WORKPLACE VIOLENCE 12.5 Behavioral Dynamic of Workplace Violence

It is beyond the scope of this document to explain thoroughly the difference between psychopathic and affective (emotion-based) violence. Suffice it to say that in the early investigation and assessment of any aggression, the assessor should be attentive to the clusters of behavior that would signal that the aggressor may be a psychopath. Appropriate intervention is much more complex when dealing with psychopaths. For more information on psychopathy, a good starting point is Without Conscience: The Disturbing World of the Psychopaths Among Us (Hare, 1993). This book discusses behavioral elements and clusters to watch for, but only trained, experienced violence risk assessors should attempt to intervene in cases involving a potential psychopath. Because the vast majority of cases involve emotion-based aggressors, this document focuses on them, not psychopaths. In general, the continuum of violent behavior starts with general disgruntlement with a business or a person (Calhoun & Weston, 2003, p. 60). Then, as the situation escalates, one may observe nonspecific spoken intimidation, nonspecific spoken threats, specific spoken threats, written threats, physical violence against property, stalking, physical violence against people without the use of weapons, and finally physical violence against people with the use of weapons. In any individual case, the aggressor could exhibit one or more of these behaviors, escalating or de-escalating them over time. In general, in more serious cases, as cycling occurs, each movement back up the curve involves more serious behavior. The entire process leading to physical violence can occur within a short period if enough influential factors are in place. Figure 12-2 provides a graphic depiction of a potential escalation curve. The curve was the outcome of research by James S. Cawood, CPP, that attempted to identify a consensus among violence risk assessment professionals concerning their ranking of aggressor behaviors by perceived emotional intensity. Behavioral assessment is very information-intensive and requires as much information about the individual as possible. Particular attention should be paid to the aggressor’s history of stressful events (death, divorce, job loss, financial pressure, etc.) and his or her reaction to it. One dictum on which all psychological researchers in this field agree is that “the best predictor of future behavior is past behavior” (U.S. Merit Systems Protection Board, 2003). Consequently, the more one knows about the aggressor’s emotional history, violence history, recent behavior, reactions to stress, and current stressors, the better one can assess the aggressor’s current level of violence risk to the company or its employees.

364

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.6 Incident Management Team and Resources

Figure 12-2 A Theoretical Behavioral Escalation Curve for Emotion-Based Violence

12.6

INCIDENT MANAGEMENT TEAM AND RESOURCES A comprehensive approach to workplace violence includes the creation of an incident management team (IMT). The IMT should include, at a minimum, a senior management representative, a senior human resources manager, a senior security manager, and a legal representative who is familiar with labor and employment law and litigation. The role of the team may be defined differently in different organizations. The simplest role is to x

take reports of workplace aggression, threats, stalking, or potential violence from managers, supervisors, employees, and other parties,

x

assess those reports,

x

gather further information as necessary, and

x

intervene as appropriate to maintain the safety of the organization.

Protection of Assets  Copyright © 2012 by ASIS International

365

WORKPLACE VIOLENCE 12.6 Incident Management Team and Resources

This simple structure can be successfully implemented by one team for a multinational corporation or a single-location organization. Some larger enterprises have established regional teams along with an enterprise-wide oversight team to facilitate consistency of practice, communicate lessons learned, and provide support. Since this role of situation assessment and intervention is similar to the role of crisis management teams, it may be possible to assign an existing team to handle violence risk assessment or develop a subset of the established team to take on that role. Outside members of the team may be added as necessary to provide a higher level of experience in the central aspects of the process, including the legal, behavioral assessment, and security aspects. Operational support members might advise the IMT during the development of certain portions of the incident plan or carry out instructions from the IMT but do not normally serve on the IMT itself. It is essential that the IMT be empowered to commit company assets and personnel to resolve an incident. If the IMT must brief other manager to obtain a decision on employment actions, deployment of personnel, or payment of costs, the assessment process will slow down and the risk of an unsuccessful resolution will increase significantly. The following organizational functions are typically represented on an IMT and among its resources: x

Incident management team (one member of which needs to be a senior management representative) — Human resources — Company security — Legal counsel

x

Outside consulting resources — Violence risk assessment professional — Security and investigations professionals — Additional legal support

x

Operational support resources — Employee assistance program (EAP) — Public affairs, media relations, or corporate communications — Records and benefits — Personnel liaison — Health services — Facility services — On-site contract security

366

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

12.7

VIOLENCE RISK ASSESSMENT PROCESS

12.7.1

NOTIFICATION Notification can come from sources inside or outside the company. In either case, the company needs policy, procedures, and training that direct reporting of inappropriate precursor behaviors, incidents, or reports to a particular person or group in the company that is responsible for initial intake of the report and initial assessment for immediate risk. This means that after notification from any source, by any means (e.g., observation, e-mail, postal mail, phone call, text message, fax, etc.), company operators, receptionists, managers, supervisors, customer service representatives, and other employees will know that they should pass that notification to the appropriate person or group immediately. Company receivers of the notification may need to be available 24 hours a day, seven days a week, and be trained to handle these notifications appropriately. Violence may escalate if management does not respond to early warning signs.

12.7.2

ASSESSMENT Several levels of assessment may occur after notification, depending on whether the aggressor is known or unknown and the quantity and quality of the information provided in the initial notification. If the aggressor’s identity is not known (because, for example, the threatening communications were anonymous), a valid violence risk assessment cannot be conducted. Some preliminary behavioral analysis can be done from the material presented, but the validity of the violence risk assessment will be low. Valid violence risk assessments require a depth of information available only for known subjects. This is one of the differences between behavioral investigative analysis (profiling) and violence risk assessment. Profiling is used to exclude people from an investigative pool of subjects so as to conserve investigative resources, while violence risk assessment is focused on a particular individual’s risk of committing a violent act. If the individual is unknown, investigations can be conducted to determine who the person is, and organizational response to the actions of the unknown aggressor will be driven by other policies or procedures. If the individual is known, at least by name, further assessment can be initiated. Known subject assessment can be broken down into three levels of assessment: initial, threshold, and comprehensive. Each level of assessment is performed by one or more members of the IMT and attempts to determine which resources and what level of resources are appropriate. The first level, initial assessment, attempts to determine whether there is an immediate risk of harm. If the initial assessment points to a significant possibility of immediate harm, emergency procedures are activated until the situation is stable enough to allow further, nonemergency actions.

Protection of Assets  Copyright © 2012 by ASIS International

367

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

If the initial assessment suggests there is not a significant possibility of immediate harm, then further assessment is conducted leading to a threshold assessment. This assessment determines whether assessment should continue (based on the risk assessment thresholds determined by the company) or whether the situation only requires monitoring. If a predetermined threshold has been reached, additional information is gathered and a comprehensive assessment is completed. This assessment uses additional information sources, both inside and outside the company, and provides the basis for the design and implementation of a non-immediate emergency resolution plan. Each of these three assessments is discussed in more detail below.

Initial Assessment When notification is made, the receiver of that information decides, based on company criteria, whether the situation calls for an immediate emergency response. Certainly, managers and supervisors should be taught to respond to immediate risks by notifying community emergency resources. However, they do not always do so. Therefore, the initial assessment must examine what has happened and what has been done, if anything, in deciding whether to contact community emergency resources for help. If the initial assessment leads to a decision to call for immediate community emergency resources, then the person who received the notification must be able to make that call or direct someone to do so. A company with multiple locations in various countries, regions, states, or cities needs advance information on the quantity and quality of community emergency resources, as well as contact information. The next decision, based on the availability of the community emergency resources, may be whether to evacuate the facility or in the case of a bomb threat, employees are best suited to search the premises. A lot can happen in the time it takes for law enforcement officers to 15 respond. The company must consider whether locking down, sheltering in place, or evacuating the facility would best protect employees and other occupants. For example, when an aggressor has a firearm on the premises, a preferred strategy is a 360-degree evacuation in which evacuees move away from the building and find shelter in other buildings or out of sight of the building, preferably behind other objects (such as buildings or trees). This approach minimizes pooling of potential victims the aggressor can shoot. If the shooter is outside the building, then a lockdown might be appropriate. If the perimeter is breached, then evacuation might be necessary. The use of a single, unchanging process, such

15

In this context, locking down means going into classrooms or other securable spaces and locking the door until help arrives. Sheltering in place means finding any place that is immediately available to provide concealment and hiding there, hoping that the person does not discover those who are hiding. Locking down occurs in securable space, while sheltering in place does not.

368

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

as locking students in classrooms regardless of the location of the shooter, does not work. This is illustrated by both the 1999 Columbine High School shooting and the 2005 Red Lake High School shooting in the United States. In those incidents, students were shot as they huddled in the library (Columbine) or were locked in a classroom (Red Lake). As was learned in the 101 California Street office shooting in San Francisco in 1993, “those that run live and those that hide die” (Cawood, 2005). Once a situation is stabilized, further assessment will most likely need to be done. If the aggressor is not dead, further violence risk assessment needs to be conducted to determine whether the individual or related individuals (e.g., spouse, family members, community members, ideologically aligned individuals, etc.) pose a continued risk of harm to the company and its personnel and guests. Some considerations in this regard might be whether the aggressor is still in the community, could get bail, or has stated a desire to continue attacking the target. This comprehensive violence risk assessment would be in done in conjunction with efforts to manage trauma, conduct incident debriefings, and return operations to normal. If the aggressor is dead, the company might still initiate trauma management, incident debriefing, and post-incident assessment (what was known, when it was known, and what was done about it) to help return the company to full operation and manage such issues as publicity, lawsuits, and community questions.

Threshold Assessment If the initial assessment suggests there is no significant possibility of immediate harm, then a threshold assessment is conducted to determine whether, based on the violence risk assessment thresholds determined by the company, the situation warrants further action or only monitoring. This assessment can be conducted by the same person or persons who conducted the initial assessment or could involve other trained IMT members. Including at least two trained individuals at this level of assessment has some distinct advantages: the workload is shared, multiple points of view are involved, and every case will be guaranteed to have at least two people who know its details (in case one individual becomes unavailable). The threshold assessment is driven by x

information obtained by interviewing key witnesses of behavior,

x

review of easily obtainable, pertinent company records, and

x

matches between the behavioral information learned from these sources and an objective violence risk assessment tool adopted by the company.

If a predetermined threshold is reached, a comprehensive assessment is triggered. If that threshold is not reached, appropriate individuals are notified to report any further behavior of concern, and no further action might be taken at that time.

Protection of Assets  Copyright © 2012 by ASIS International

369

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

Comprehensive Assessment The comprehensive assessment uses the most detailed information and resources available to thoroughly assess the potential violence risk. All legally obtainable information is gathered and reviewed to determine the aggressor’s behavioral history and current stressors. Such information usually includes the following: x

contacts with law enforcement

x

civil and criminal court records

x

other community records

x

financial status

x

medical information

x

personal relationships, including family relationships and support structures

x

use of alcohol or other substances that affect behavior

x

ownership of, access to, and training in the use of weapons or explosives

x

employment history

x

foreseeable events that could increase stress

When determining what records to access and what individuals to interview, care must be taken to determine how the aggressor might react if he or she learned of the assessment. It is usually prudent to conceal the investigation if possible. If the potential reaction of the aggressor supersedes the value of the information that might be obtained from a given record or source (if the contact was prematurely disclosed), it might be better to postpone or forgo the use of that source. Placing this detailed information in chronological order makes it possible to analyze patterns of past behavior from a cause-and-effect perspective. Seeing the behavioral choices the aggressor made in response to certain events can provide an understanding of the range of behavior the aggressor might choose in the future. In conjunction with the time line, the use of a valid assessment tool can provide a more objective way to determine the current violence potential of this aggressor compared to other aggressors that the tool has been designed around. Some tools or assessment instruments have been developed for special populations, and others have been used against a wider range of aggressors. For example, if the aggressor was potentially attacking a spouse, the appropriate tool might be the Spousal Assault Risk Assessment Guide (SARA, 1995). If the aggressor was going to attack a coworker or community member, the appropriate tool might be the HCR-20 version 2, the Risk Assessment Guideline Elements for Violence (RAGE-V), or the Assessment/Response Grids. In most cases, after gathering detailed information, developing a behavioral chronology, and using an assessment tool, a violence risk assessment is completed by assigning a value to the

370

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

risk, such as low, moderate, or high. Based on the assigned level of violence risk and the behavioral data gathered, an intervention and situational resolution plan is designed and implemented.

12.7.3

INTERVENTION AND NONEMERGENCY SITUATIONAL RESOLUTION The primary goal of intervention and resolution is the short-term and ideally long-term safety of the identified target or targets. Intervention and situational resolution are meant to divert or deflect the aggressor from acts of aggression or violence to more socially acceptable behaviors in order to resolve his or her perceived need for control. In any intervention and resolution strategy, the overriding consideration is, first, to do no harm to either the target or the aggressor. That goal is accomplished when the aggressor willingly chooses to end the behaviors of concern. Anything less than a willing choice is a less valuable solution, because, with the exception of the death of the aggressor, a unwilling resolution is likely only temporary. Therefore, interventions that involve restraining or protective orders, arrest, or criminal or mental health incarcerations are only short-term, stabilizing interventions. If the aggressor’s attitude toward the target is unchanged, these measures will eventually fail. Intervention options can generally be classified as follows (Cawood, 2005): x

interviews, including “knock and talks”

x

administrative or disciplinary actions, including fitness for duty evaluations

x

cease-and-desist requests (oral or written)

x

no-trespass orders

x

restraining or protective orders

x

voluntary or involuntary mental health evaluations

x

criminal case filing and prosecution

x

probation and parole with close monitoring

16

The choice of an intervention type depends on the assessment of the aggressor’s probable reaction to the intervention and whether the intervention has a probability of correcting the aggressor’s perception of the target. Any form of communication or interaction, whether direct or indirect (through other parties), should be considered an intervention. For example, interviewing the aggressor not only provides information about his or her perception, emotional and cognitive levels,

16

The term “knock and talk” refers to interviews that are conducted on the aggressor’s property or at places frequented by the aggressor, rather than on property controlled by the target or persons related to the target.

Protection of Assets  Copyright © 2012 by ASIS International

371

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

impulsivity, and boundaries but may also allow the interviewer and aggressor to reframe the aggressor’s goals, pose and discuss alternative methods of behavior, discuss cause and effect, discuss consequences, and find other means to solve the problem. Restraining and protective orders create a boundary but only have real value if the target reports violations and the orders are quickly enforced. In many cases, the intervention starts with one technique but readies other techniques that might be needed. For example, before the aggressor interview begins, the language and affidavits for a restraining order might be drafted, a disciplinary warning or termination package might be prepared, and law enforcement might be contacted (to determine what crimes the behavior might constitute, how to make a criminal report, and what responses law enforcement could provide).

12.7.4

MONITORING Monitoring for new behavior is a critical and underappreciated part of the violence risk assessment process. Monitoring creates the behavioral feedback loop that allows the violence risk assessment to be updated, the value of the interventions to be tested, and final resolution of the incident or situation to be determined. In any given case, the IMT can establish passive monitoring or active monitoring. Passive monitoring relies on the target and others who might witness new behavior to report that behavior to the IMT on a timely basis. This is effective only in very low risk cases, in which a lapse in immediate reporting would not lead to a significant risk of harm. An example would be a victim who has received a single anonymous e-mail or voice mail saying, “I hate you and you’re going to pay.” If further investigation finds no other cause for concern, a viable strategy would be to take a “wait and see” approach and passively monitor the situation by asking the victim to report any further contacts or disturbing events to the IMT. Active monitoring means the assessor actively pursues new behavioral information rather than passively waiting for a report. The more elevated the risk, the more often the contacts are made. Active monitoring is the best option for a moderate-to high-risk situation or one in which the target or witnesses cannot be relied on to report new behavior. This lack of reporting reliability could be due to shock, denial, rationalization, minimization, or other psychological defense mechanisms; fear of retaliation or retribution; or a misperception of the target’s ability to handle the situation without help. Regardless of the reason, the information is actively pursued. An example of this might be a domestic violence risk where the target, at work, receives threatening calls in which the aggressor says he or she will make the target pay and threatens to come to the workplace to confront the target. In an interview, the target says the aggressor is not a threat and expects that nothing will happen, but investigation reveals that the aggressor has a history of perpetrating domestic violence

372

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE 12.7 Violence Risk Assessment Process

against the target and prior partners, including confrontations in a prior partner’s workplace. In this case, the target may conceal or play down any contact from the aggressor (because of embarrassment, concern about keeping his or her job, or a belief that he or she is safe) and might not be a reliable source of information on new interactions. In this case, the IMT might locate workers who could witness new contacts from the aggressor and could be relied on to report the contacts. The IMT might also check with them several times a day to see if new contacts occurred. If new contacts are reported, the IMT could contact the target and ask for an update. If the target denies an interaction, the IMT could attempt to lower the target’s resistance to providing the information. The frequency of the active monitoring could be increased or decreased depending on the level of current assessed risk of imminent violence.

12.7.5

REVIEW AND DEBRIEFING Incident review occurs on an ongoing basis as new behavioral information is learned from all sources. This ongoing cycle of reassessment, review of intervention options, implementation of intervention options, and monitoring for new behavioral cues continues until the situation is considered resolved by IMT standards. Review can be used continuously to finetune operational and tactical processes to provide the greatest safety. Debriefing incidents and gleaning lessons learned is a critical part of incident management and process improvement. It allows for a strategy-level look at how a particular incident might affect process improvement on a larger scale. Some companies conduct short incident debriefings after the initial round of assessment and intervention and then conduct monthly, quarterly, semiannual, or annual debriefings to provide updates on specific cases and discuss possible process improvements. Incident reviews, debriefings, or a blend of both can allow for continuous improvement in the management of a particular case and the overall process.

Protection of Assets  Copyright © 2012 by ASIS International

373

WORKPLACE VIOLENCE 12.8 Future of Workplace Violence

12.8

FUTURE OF WORKPLACE VIOLENCE Improvements in assessment, intervention, and monitoring are leading to a greater understanding of the behavioral cues that signal impending violent behavior. In addition, the psychological research literature available on workplace violence has mushroomed in the last decade. Alliant University in the United States is attempting to develop an accredited forensic psychology program with a specialization in workplace violence. Such a program will most likely be followed by others that reflect the same type of specialization seen in business degree programs with a security focus. New tools, including more accurate computerized behavioral assessment programs, also seem likely in the future. Regarding intervention, new methodologies and laws may provide more tools to divert aggressors in specific cases. Austria and Germany have recently passed new stalking laws and are looking to use them to protect their citizens from behaviors that have not been managed legally before. Regarding monitoring, global positioning system (GPS) technology is being used in the criminal justice system to manage offenders (via, for example, ankle bracelets). Functional magnetic resonance imaging (fMRI) is currently being explored for use in mapping brain 17 function to detect deception in individuals. In the future, this technology, coupled with research on aggression and violent behavior, might lead to the ability to monitor aggressors’ neuron changes that would signal their immediate intent to cause physical harm. This and other technological improvements, along with new methodologies to encourage and support victim and witness participation in the process of behavioral monitoring, may lead to significant improvements in the safety of individuals, communities, and nations.

17

See www.cephoscorp.com for information on the work of Cephos Corporation with the Medical University of South Carolina.

374

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE Appendix A: Model Policy for Workplace Violence

APPENDIX A MODEL POLICY FOR WORKPLACE VIOLENCE

Nothing is more important to [YOUR COMPANY NAME] than the safety and security of its personnel; therefore violence against employees, visitors, guests, or other individuals by anyone on [YOUR COMPANY NAME] property will not be tolerated. Any person who makes threats, exhibits threatening behavior, or engages in intimidating, threatening, or violent acts on [YOUR COMPANY NAME] property should be removed from the premises as quickly as safety permits, and should remain off [YOUR COMPANY NAME] premises pending the outcome of an investigation into the incident(s). Should the investigation substantiate that violations of this policy have occurred, [YOUR COMPANY NAME] will follow through with the implementation of a decisive and appropriate response. This response may include, but is not limited to, suspension and/or termination of any business relationship, reassignment of job duties, suspension or termination of employment, and/or seeking arrest and prosecution of the person or persons involved. In carrying out all [YOUR COMPANY NAME] policies, it is essential that all personnel understand that no existing [YOUR COMPANY NAME] policy, practice, or procedure should prohibit decisions designed to prevent a threat from being carried out, a violent act from occurring, or a lifethreatening situation from developing. An essential element in this policy is that all personnel are responsible for notifying the belowdesignated management representative (DMR) of any threats or perceived threats which they have witnessed, received, or have been told that another person has witnessed or received. They should also alert this representative to any behavior they have witnessed which they regard as intimidating, threatening, or violent when that behavior is job-related or the employee has a belief that the behavior of concern might be, or could be, carried out on a company-controlled site or is connected to company business. Employees are responsible for making this report regardless of the nature of the relationship between the individual who initiated the threat(s) or behavior(s) of concern and the person or persons who were threatened or were the focus of the threatening or violent behavior(s). This policy also requires all individuals who apply for or obtain a protective or restraining order, which lists company locations as being protected areas, to provide a copy of the petition and declarations used to seek the protective or restraining order, a copy of any temporary protective or restraining order which is granted, and a copy of any protective or restraining order which is made permanent to the same below-listed designated management representative. [YOUR COMPANY NAME] has an obligation to provide a safe workplace and protect employees from threats to their

Protection of Assets  Copyright © 2012 by ASIS International

375

WORKPLACE VIOLENCE Appendix A: Model Policy for Workplace Violence

safety and that cannot be effectively accomplished unless [YOUR COMPANY NAME] is provided information concerning individuals who have been told by the courts, or other legally constituted entities, to maintain a distance from [YOUR COMPANY NAME] company locations. [YOUR COMPANY NAME] understands the sensitivity of this information and has developed procedures for it to be received, maintained, and acted on, which recognize the privacy of the reporting employee(s).

The designated management representative is: Name: Position: Telephone: E-Mail: Office Mail:

376

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE References/Additional Reading

REFERENCES Allman v. Dormer Tools, Inc. (1999). N.C. Super. Ct., No. 97CVS1161. Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security Management. Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security Management [Online]. Available: http://www.securitymanagement.com [2006, April 17]. Bureau of Labor Statistics. (1997–2002). Census of fatal occupational injuries. Washington, DC: U.S. Department of Labor. Calhoun, F.S. & Weston, S.W. (2003). Contemporary threat management: A practical guide for identifying, assessing and managing individuals of violent intent. San Diego, CA: Specialized Training Services. Cawood, J., CPP, PCI, PSP. (2005, May 17). Speech at ASIS International Advanced Protection Course II on violence risk assessment and management. Civil Action 01-CV-4277 (2001, August 22). U.S.D.C., E.D. Pa. Clark v. Pangan. (2000). 2000 UT 37, 998 P.2d 268, case number 981694, decided 4/7/2000, Utah Supreme Court. Corcoran, M., & Cawood, J. (2003). Violence assessment and intervention: The assessor’s handbook. Boca Raton, FL: CRC Press. Grossman, D. (1996). On killing: The psychological cost of learning to kill in war and society. Boston: Back Bay Books. Grove, W. M., & Meehl, P. E. (1996). Comparative efficiency of informal (subjective, impressionistic) and formal (mechanical, algorithmic) prediction procedures: The clinical-statistical controversy. Psychology, Public Policy, and Law, 2, No. 2, 293–323. Hare, R. D. (1993). Without conscience: The disturbing world of the psychopaths among us. New York: Pocket Books. Herrick v. Quality Inn Hotel, 24 Cal. Rptr. 2d 203 (Cal. App. 2 Dist. 1993). Meloy, J. R., et al. (1997). Domestic protection orders and the prediction of subsequent criminality and violence toward protectees. Journal of Psychotherapy, 34, No. 447.

Protection of Assets  Copyright © 2012 by ASIS International

377

WORKPLACE VIOLENCE References/Additional Reading

Mossman, D. (1994). Assessing predictions of violence: Being accurate about accuracy. Journal of Consulting and Clinical Psychology, 62, No. 4, 783–792. National Institute of Justice. (1996). Victim costs and consequences: A new look. NCJ 155282. Washington, DC: Author. Northwestern National Life Insurance Company. (1993). Fear and violence in the workplace. Minneapolis, Minnesota: Author. nd

Smith v. National Railroad Passenger Corporation (Amtrak), 856 F. 2d 467, 2 Cir. 1988. Tepel v. Equitable Life Assurance Society. (1990). San Francisco, California, Superior Court Case No. 801363. U.S. Merit Systems Protection Board. (2003). The federal selection interview: Unrealized potential. Washington, DC: Author.

ADDITIONAL READING Barish, R. (2001). Legislation and regulations addressing workplace violence in the United States and British Columbia. American Journal of Preventive Medicine, 20, 149–154. Barling, J. (1996). The predication, experiences, and consequences of workplace violence. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 29–49). Washington, DC: American Psychological Association. Baron, R. A., & Neuman, J. H. (1996). Workplace violence and workplace aggression: Evidence on their relative frequency and potential causes. Aggressive Behavior, 22, 161–173. Bennett, J. B., & Lehman, W. E. K. (1996). Alcohol, antagonism, and witnessing violence in the workplace: Drinking climates and social alienation-integration. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 105–152). Washington, DC: American Psychological Association. Bies, R. J., Tripp, T. M., & Kramer, R. M. (1997). At the breaking point: Cognitive and social dynamics of revenge in organizations. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 18–36). London: Sage Publications. Björkqvist, K., Österman, K., & Hjelt-Ba¨ck, M. (1994). Aggression among university employees. Aggressive Behavior, 20, 173–184.

378

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE References/Additional Reading

Bolton, R. (1979). Differential aggressiveness and litigiousness: Social support and social status hypotheses. Aggressive Behavior, 5, 233–255. Borum, R., Fein, R., Vossekuil, B., and Berglund, J. (1999). Threat assessment: Defining an approach for evaluating risk of targeted violence. Behavioral Sciences and the Law, 17, 323–337. Boye, M. W., & Jones, J. W. (1997). Organizational culture and employee counterproductivity. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 172–184). London: Sage Publications. Calhoun, F. S. (1996). Hunters and howlers. Washington, DC: United States Marshals Service. Calhoun, F. S., & Weston, S. W. (2000). Defusing the risk to judicial officials. Alexandria, VA: National Sheriff’s Association. Carll, E. K. (1999). Workplace and community violence. In E. K. Carll (Ed.), Violence in our lives (pp. 3–4). Boston: Allyn and Bacon. Cole, L., Grubb, P. L., Sauter, S. L., Swanson, N. G., & Lawless, P. (1997). Psychosocial correlates of harassment, threats and fear of violence in the workplace. Scandinavian Journal of Work, Environment & Health, 23, 450–457. Cornell, D. G., Warren, J., Hawk, G., & Stafford, E. (1996). Psychopathy in instrumental and reactive violent offenders. Journal of Consulting and Clinical Psychology, 64(4), pp. 783–790. Davis, R. C., & Smith, B. (1995). Domestic violence reforms: Empty promises or fulfilled expectations? Crime and Delinquency, 41, 541–552. Davis, R. C., Smith, B. E., & Nickles, L. B. (1998). The deterrent effect of prosecuting domestic violence misdemeanors. Crime & Delinquency, 44, 434–442. Dolan, M., & Doyle, M. (2000). Violence risk prediction: Clinical and actuarial measures and the role of psychopathy checklist. British Journal of Psychiatry, 177, 303–311. Douglas, S. C., & Martinko, M. J. (2001). Exploring the role of individual differences in the prediction of workplace aggression. Journal of Applied Psychology, 86, 547–559. Ekman, P. (2003). Emotions revealed: Recognizing faces and feelings to improve communication and, emotional life. New York: Henry Holt. Farrington, D. P. (1994). The causes and prevention of offending, with special reference to violence. In J. Shepherd (Ed.), Violence in health care: A practical guide to coping with violence and caring for victims (pp. 149–180). New York: Oxford University Press.

Protection of Assets  Copyright © 2012 by ASIS International

379

WORKPLACE VIOLENCE References/Additional Reading

Folger, R., & Baron, R. A. (1996). Violence and hostility at work: A model of reactions to perceived injustice. In G. R. VandenBos, & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 51–85). Washington, DC: American Psychological Association. Gall, T. L., Lucas, D. M., Kratcoski, P. C., & Kratcoski, L. D. (Eds.). (1996). Statistics on weapons and violence. New York: Gale Research. Goleman, D. (1995). Emotional Intelligence. New York: Bantam Books. Greenberg, L., & Barling, J. (1999). Predicting employee aggression against coworkers, subordinates and supervisors: The roles of person behaviors and perceived workplace factors. Journal of Organizational Behavior, 20, 897–913. Harris, G. T., Rice, M. E., & Cormier, C. A. (1991). Psychopathy and violent recidivism. Law and Human Behavior, 15, 625–637. HCR-20, version 2. Burnaby, Canada: Mental Health, Law, and Policy Institute, Simon Fraser University. Hurrell, J. J., Worthington, K. A., & Driscoll, R. J. (1996). Job stress, danger and workplace violence: Analysis of assault experiences of state employees. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 163–170). Washington, DC: American Psychological Association. Kaplan, S. G., & Wheeler, E. G. (1983). Survival skills for working with potentially violent clients. Social Casework, 64, 339–346. Kroner, D. G., & Mills, J. F. (2001). The accuracy of five risk appraisal instruments in predicting institutional misconduct and new convictions. Criminal Justice and Behavior, 28, 471–489. Labig, C. E. (1995). Preventing violence in the workplace. New York: American Management Association. Lewis, G. W., & Zare, N. C. (1999). Workplace hostility: Myth and reality. Philadelphia: Accelerated Development. Maggio, M. J. (1996). Keeping the workplace safe: A challenge for managers. Federal Probation, 60, 67–71. Maiuro, R. D., Vitaliano, P. P., & Cahn, T. S. (1987). A brief measure for assessment of anger and aggression. Journal of Interpersonal Violence, 2, 166–178.

380

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE References/Additional Reading

McClure, L. F. (1996). Risky business: Managing employee violence in the workplace. New York: The Haworth Press. Mehrabian, A., & Epstein, N. (1972). A measure of emotional empathy. Journal of Personality, 40, 525–543. Meloy, J. R. (Ed.). (1998). The psychology of stalking: Clinical and forensic perspectives. Burlington, MA: Academic Press. Meloy, J. R. (2000). Violence risk and threat assessment: A practical guide for mental health and criminal justice professionals. San Diego, CA: Specialized Training Services. Meloy, J. R., Cowett, P. Y., Parker, S. B., Hofland, B., & Friedland, A. (1997). Domestic protection orders and the prediction of subsequent criminality and violence toward protectees. Psychotherapy: Theory, Research, Practice, Training, 34, 447–458. Miller, M. J. (2001). The prediction and assessment of violence in the workplace: A critical review (Doctoral dissertation, United States International University, 2001). Dissertation Abstracts International, 62, 2070. Mohandie, K. (2000). School violence threat management. San Diego, CA: Specialized Training Services. Monahan, J., Steadman, H., Robbins, P., Appelbaum, P., Banks, S., et al. (2005). An actuarial model of violence risk assessment for persons with mental disorders. Psychiatric Services, 56, 810–815. Monahan, J. (1981). Predicting violent behavior: An assessment of clinical techniques. London: Sage Publications. Monahan, J., & Steadman, H. (2001). Rethinking risk assessment: The MacArthur study of mental disorder and violence. New York: Oxford University Press. Moos, R. H. (1988). Psychosocial factors in the workplace. In S. Fisher & J. Reason (Eds.), Handbook of life stress, cognition and health (pp. 193–209). New York: John Wiley and Sons. National Institute for Occupational Safety and Health. (2001). Fatal injuries to civilian workers in the United States, 1980–1995: National profile (p. 16, Table US-7). Washington, DC: Department of Health and Human Services. Neuman, J. H., & Baron, R. A. (1997). Aggression in the workplace. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 37–67). London: Sage Publications.

Protection of Assets  Copyright © 2012 by ASIS International

381

WORKPLACE VIOLENCE References/Additional Reading

Neuman, J. H., & Baron, R. A. (1998). Workplace violence and workplace aggression: Evidence concerning specific forms, potential causes, and preferred targets. Journal of Management, 24, 391–419. Peek-Asa, C., Runyan, C. W., & Zwerling, C. (2001). The role of surveillance and evaluation research in the reduction of violence against workers. American Journal of Preventive Medicine, 20, 141– 148. Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk assessment validation study: Final report (NCJRS 209731). Washington, DC: U.S. Department of Justice. Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk assessment validation study: The RAVE study assessor summary and recommendations: Validation of tools for assessing risk from violent intimate partners (NCJRS 209732). Washington, DC: U.S. Department of Justice. Slora, K. B., Joy, D. S., Jones, J. W., & Terris, W. (1991). The prediction of on-the-job violence. In J. W. Jones (Ed.), Preemployment honesty testing: Current research and future directions. Westport, CT: Quorum Books. Slora, K. B., Joy, D. S., & Terris, W. (1991). Personnel selection to control employee violence. Journal of Business and Psychology, 3, 417–426. Spector, P. E. (1997). The role of frustration in antisocial behavior at work. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 1–17). London: Sage Publications. SARA: Spousal assault risk assessment guide, 2 Columbia Institute on Family Violence.

nd

edition. (1995). Vancouver, Canada: British

Thistlethwaite, A., Wooldredge, J., & Gibbs, D. (1998). Severity of dispositions and domestic violence recidivism. Crime and Delinquency, 44, 388–398. Tobin, T. J. (2001). Organizational determinants of violence in the workplace. Aggression & Violent Behavior, 6, 91–102. Trafford, C., Gallichio, E., & Jones, P. (1995). Managing violence in the workplace. In P. Cotton (Ed.), Psychological health in the workplace: Understanding and managing occupational stress (pp. 147–158). Brisbane, Australia: Australian Psychological Society. Turner, J. T., & Gelles, M.G. (2003). Threat assessment: A risk management approach. Binghamton, NY: The Haworth Press.

382

Protection of Assets  Copyright © 2012 by ASIS International

WORKPLACE VIOLENCE References/Additional Reading

Waters, J. A., Lynn, R. I., & Morgan, K. J. (2002). Workplace violence: Prevention and intervention, theory and practice. In L. A. Rapp-Paglicci, A. R. Roberts, & J. S. Wodarski (Eds.), Handbook of violence (pp. 378–413). New York: John Wiley and Sons. Weber, R. (1995). Suicide prevention at the workplace. In P. Cotton (Ed.), Psychological health in the workplace: Understanding and managing occupational stress (pp. 171–182). Brisbane, Australia: Australian Psychological Society. White, S., and Cawood, J. Assessment/response grids. White, T. W. (1996). Research, practice, and legal issues regarding workplace violence: A note of caution. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 87–100). Washington, DC: American Psychological Association. Wilkinson, C. W. (2001). Violence prevention at work: A business perspective. American Journal of Preventive Medicine, 20, 155–160. Williams, K. R., & Hawkins, R. (1989). Controlling male aggression in intimate relationships. Law and Society Review, 23, 591–612. Wodarski, J. S., & Dulmus, C. N. (2002). Preventing workplace violence. In L. A. Rapp-Paglicci, A. R. Roberts, & J. S. Wodarski (Eds.), Handbook of violence (pp. 349–377). New York: John Wiley and Sons.

Protection of Assets  Copyright © 2012 by ASIS International

383

INDEX

9/11, security reaction to, 68, 83, 185, 187

A addiction. See substance abuse aerospace sector, 75 alcohol. See substance abuse American National Standards Institute, 37, 40, 48, 81 Americans with Disabilities Act, 333, 336, 348, 362 armoring, vehicle, 273, 279, 286 assassination, 268, 273, 274, 284 assets protection, forces shaping, 76 assets protection, management of, 84 assets, types of, 65 ASTM International, 36, 81 awareness, security, 58, 72, 74, 83, 92, 109, 138, 152, 291, 300, 348

B background investigation, 114, 128 balance sheet, 15, 17, 19, 23, 26 behavioral science, 89, 91 benchmark, 24, 35, 44, 52 briefings. See security awareness budgets, 10, 13, 27, 30, 68, 109, 113, 237 business improvement district/special taxing district, 190, 201, 210 business processes, 2, 133

C cash flow statement, 20 certifications, 6, 40, 49, 56, 65, 82 community policing, 189, 192, 209, 212, 217 conflict of interest, 255

Protection of Assets  Copyright © 2012 by ASIS International

consultants, 85, 227 controls, financial, 30, 172 convergence (of traditional and IT security), 66, 83 corporate structure, 5, 11 cost avoidance, 114, 117, 119, 130 cost reduction, 113 cost-effectiveness, 47, 93, 107, 112, 202, 294 crime analysis, 232, 246 crime prevention, 82, 86, 91, 179, 189, 192, 198, 205 crime prevention through environmental design (CPTED), 78, 83, 232 crime, fear of, 182, 191, 193, 194 culture, of organization, 5, 44, 71, 78, 85, 298, 333 customers (of security professionals), 85

D data analysis, 112, 119 Deutsches Institut für Normung, 37 Drug Enforcement Administration, 295, 313 Drug Free Workplace Act, 348 drug testing, 327, 333, 335, 343, 352 drugs. See substance abuse due diligence, 102, 227, 230

E earnings, 17, 24 educational sector, 72 employee assistance program (EAP), 323, 327, 331, 332, 344, 362 employee performance measurement and review, 6, 9, 297, 326, 328, 330 employees' role in security. See security awareness executive protection, 267 expert witness, 230

385

F false/nuisance alarms, 109, 110, 188 Family and Medical Leave Act, 8, 349 fast food sector, 2, 74 financial analysis, 13, 21 financial statements, 15, 26, 148 financial strategy, 14, 30 firearms, 203, 208, 286, 368 fraud, 26, 54, 97, 119, 137, 315. See also theft fraud prevention, 74, 137 fraud, elements of, 146

G Global Standards Initiative, ASIS, 48, 56 globalization, 63, 78 guidelines, ASIS, 48, 50, 242. See also Global Standards Initiative guns. See firearms

H health care sector, 71, 82 hiring. See staffing homeland security, 36, 50, 55, 83, 186, 213 homicide. See workplace violence hot lines, employee, 74, 144, 328 human resources, 5, 6, 52, 326, 344

I incident management, 91, 365 incident reporting/data capture, 11, 110, 116, 122, 131, 328 income statement, 15, 29 inspection (search), 144, 201, 212, 280, 282, 350, 368 insurance, 29, 80, 93, 119, 231 internal theft. See theft by employees

386

International Organization for Standardization, 37, 38, 79, 81 investigation, 30, 66, 82, 112, 119, 148, 152, 328, 370 ISO 9000, 40, 47

J Japanese Industrial Standards Committee, 37

K kidnapping, 268, 269, 274, 276, 295 knowledge management, 10

L Law Enforcement Liaison Council (ASIS), 183 law enforcement/private security partnerships, 68, 91, 177 legislation, 69, 148, 347 liability, 69, 94, 96, 193, 296, 341 licensing, 79, 82, 197, 205, 215, 234

M management, administrative, 1 management, financial, 13 management, organizational, 3, 56, 85, 129 management, personnel, 91, 300 metrics, 1, 3, 9, 59, 111, 299 mission, 5, 85, 300

N National Fire Protection Association, 36, 40, 79, 81

O objectives, 5, 43, 58, 86, 116, 242, 294

Protection of Assets  Copyright © 2012 by ASIS International

order maintenance, 182, 191, 202, 212, 218 organization (of security within enterprise), 85, 87, 91 Organizational Resilience Standard, 43, 51, 56 organizational strategy, 3, 9

P performance indicators. See metrics plan-do-check-act cycle, 43, 46, 51 policies and procedures, 6, 8, 68, 87, 145, 229, 295, 301, 334, 361 policing, private. See public environments, private security in policing, public, 178, 185, 194, 198 predictive modeling, 128, 214 principles (of business administration), 1, 5, 13, 85, 87 Private Sector Liaison Committee (IACP), 183 Private Security Services Council (ASIS), 183 privatization. See public environments, private security in profit margins, 14, 22, 139 profitability ratios, 22, 24, 109 public environments, private security in, 190, 196, 204 public/private partnerships. See law enforcement/private security partnerships

Q

S Sarbanes-Oxley Act, 26, 69, 148, 329 search. See inspection (search) security advisory committee, 231, 240 security awareness. See awareness, security staffing, 6, 87, 91 standards development, 34, 36, 39, 41, 49, 55 standards, ASIS. See Global Standards Initiative, ASIS standards, management systems, 42, 47 standards, security, 44, 48, 53, 205, 215 strategic plan. See organizational strategy substance abuse, 140, 305

T technology, 76, 271 telecommunications sector, 74 theft, 119, 123, 137, 206, 311. See also fraud theft by employees, 138, 141, 142, 171 threats, uttered by potential attackers, 52, 269, 360, 361, 364, 375 training, 9, 51, 58, 82, 92, 110, 202, 216, 268, 334 travel and transportation, 112, 261, 270, 279, 285

UV vision, 5, 86, 87 Vocational Rehabilitation Act, 347

quality management, 10, 33, 40, 43, 47, 52, 86

W R return on investment, 28, 109, 110 risk assessment, 35, 51, 53, 58, 242, 270, 274, 358, 360, 367 risk management, 53, 57, 69, 93, 270 risk ratios, 25

Protection of Assets  Copyright © 2012 by ASIS International

workplace violence, 50, 52, 358

XYZ zero-based budgeting, 27, See also budgets

387