Published by Bok Asis, 2019-12-03 09:20:40

psoma

INTRODUCTION TO ASSETS PROTECTION
4.3 Forces Shaping Assets Protection

Several standards from Underwriters Laboratories (UL) relate to security equipment, such as
locks, alarms, and access control systems. Other standards are set by trade and professional
associations, such as the Illuminating Engineering Society (lighting standards and practices)
and the Electronic Industries Association (electronic components and products).

Statutory or Regulatory Standards

Unlike voluntary standards, statutory or regulatory standards are binding under the law and
can be enforced by formal authorities. In the United States, binding security standards are
promulgated in various sources:

• Code of Federal Regulations
• National Industrial Security Program Operating Manual
• Executive Orders, Presidential Directives, and Homeland Security Policy Directives
• regulations of the Occupational Safety and Health Administration, Nuclear Regulatory
  Commission, Federal Energy Regulatory Commission, and Federal Trade Commission

An international source of binding standards is the International Maritime Organization.

Mixed Standards

The distinction between statutory and voluntary standards becomes blurred when voluntary
standards are incorporated into laws or regulations. For example, many of the requirements
in Occupational Safety and Health Administration directives are verbatim references to
standards from such organizations as the NFPA.
In other situations, a standard may remain technically voluntary but practically obligatory.
For example, security standards from UL or Factory Mutual may be used as criteria by
insurers. In other words, they may determine the availability and cost of casualty insurance
based on the use of UL-approved materials or UL-standardized practices. Contracts, too,
may incorporate standards as requirements.
Figure 4-4 lists some of the more prominent standard-setting bodies.

Protection of Assets • Copyright © 2012 by ASIS International


INTERNATIONAL
ASTM International                                www.astm.org
International Electro-technical Commission        www.iec.ch
International Maritime Organization               www.imo.org
International Organization for Standardization    www.iso.org

UNITED STATES
American National Standards Institute             www.ansi.org
Department of Transportation                      www.dot.gov
Federal Energy Regulatory Commission              www.ferc.gov
Federal Trade Commission                          www.ftc.gov
National Fire Protection Association              www.nfpa.org
National Institute for Standards and Technology   www.nist.gov
National Labor Relations Board                    www.nlrb.gov
Nuclear Regulatory Commission                     www.nrc.gov
Occupational Safety and Health Administration     www.osha.gov/comp-links.html
Underwriters Laboratories                         www.ul.com/info/standard.htm

Figure 4-4
Selected Standard-Setting Bodies


Professional Certifications and Licensing

Standards may also be implemented via professional certification and licensing. In the
security arena, ASIS International certifications are perhaps the best-known. The Certified
Protection Professional designation, established in the 1970s, recognizes a broad skill set in
security management. More recent ASIS certifications include the Physical Security
Professional and Professional Certified Investigator designations.

The International Foundation for Protection Officers offers several certifications for security
officers and supervisors: the Certified Protection Officer, Certified in Security Supervision
and Management, and Certified Protection Officer Instructor designations.

Several IT security certifications are also available, such as the Certified Information Systems
Security Professional (through the International Information Systems Security Certification
Consortium) and the Certified Information Security Manager (through the Information
Systems Audit and Control Association).

Specialized security certifications within particular industries are also becoming common in
such sectors as health care, hospitality and lodging, and finance. Finally, certification in crime
prevention is available through many state agencies and also through the International CPTED
Association.

Some jurisdictions require licensing of various types of security practitioners. Most licenses
require training, background screening, qualification, and registration. In the United States,
licensing is generally the purview of states or localities, but national licensing is under
consideration.

ASIS International                                  www.asisonline.org/certification/index.xml
Information Systems Audit and Control Association   www.isaca.org
International CPTED Association                     www.cpted.net/certification.html
International Foundation for Protection Officers    www.ifpo.org
International Information Systems Security
Certification Consortium                            www.isc2.org

Figure 4-5
Selected Security Certification Web Sites


4.3.4 CONVERGENCE OF SECURITY SOLUTIONS

In assets protection, convergence generally means the integration of traditional and IT security
functions. A broader definition might consider convergence to be the merging of disciplines,
techniques, and tools from various fields for the purpose of protecting critical assets.

It is widely accepted that “companies’ assets are now increasingly information-based and
intangible, and even most physical assets rely heavily on information” (ASIS International,
2005). An approach using only physical or IT security measures is insufficient. Assets
protection managers must also employ traditional information security, personnel security,
technical security, and public relations and other external communications to protect
intangible assets. A true convergence approach would also employ security architecture and
design, crime prevention through environmental design, investigations, policies and
procedures, and awareness training.

4.3.5 HOMELAND SECURITY AND THE INTERNATIONAL SECURITY ENVIRONMENT

The terrorist attacks of September 11, 2001, made it “crystal clear that the risks and threats of
global terrorism … were no longer vague or unlikely, but rather a genuine reality” (Sennewald,
2003, p. 19). Sennewald contends that 9/11 elevated the corporate security professional to a
higher plateau of respect and recognition within the enterprise.

From an assets protection perspective, reactions to the attack have been a mixed
development. On the positive side, 9/11 raised awareness of security among decision makers
and increased the respect paid to the security profession. It also made resources available for
security enhancements and led to increased interaction among security officials, first
responders, emergency planners, and the communities they serve. On the negative side, 9/11
caused knee-jerk reactions that resulted in wasteful spending, unnecessary security measures,
misdirection of needed funds, and the surfacing of dishonest or unqualified vendors.

Assets protection professionals should study those reactions and apply what they learn to
comprehensive assets protection strategies. That way, they can leverage the awareness and
resources available to improve their organizations’ security posture.

Still, there is a danger of overemphasizing the threat of terrorism and the practice of
homeland security. Assets protection professionals must address the broader security issues
relevant to their particular environment.


4.4 MANAGEMENT OF ASSETS PROTECTION

In addition to technical expertise, assets protection professionals need a solid grounding in
organizational management. Success in the field—which may mean saving lives and
protecting valuable assets—depends on the proper balance of three managerial dimensions:
technical expertise, management ability, and the ability to deal with people.

©2005 Innovative Protection Solutions LLC
Figure 4-6
Three Managerial Dimensions


4.4.1 CONCEPTS IN ORGANIZATIONAL MANAGEMENT

The job of managing involves five basic functions:

• planning
• organizing
• directing
• coordinating
• controlling

In addition, management should be guided by two principles, called “who is the customer?”
and “quality.” These principles should become part of the organization’s culture.

Who Is the Customer?

Peter Drucker, an authority on management, suggests that “who is the customer?” is the first
and most crucial question in defining business purpose and mission (1974). The assets
protection manager must understand the purpose and mission of assets protection at the
enterprise before adopting an organizational structure.

Most organizations actually serve multiple customers. It is important to identify all of them
and to understand their interrelationships. Then the assets protection manager can sell the
program not just to executives but to all the customers of assets protection services.
Figure 4-7 lists some of those customers.

For a chief security officer or security director, customers might include:

• Corporate executives
• Corporate staff/managers
• Corporate employees
• Company clients
• Partners and affiliates
• Contractors
• Security team members
• Vendors and suppliers
• Other divisions of company
• Other facility users
• Stockholders

For a security product or service provider, customers might include:

• Clients
• Clients’ clients
• Potential clients
• Parent company or headquarters
• Vendors and suppliers
• Partners and consultants
• Original equipment manufacturers
• Own employees
• Other divisions of company
• Executive management
• Stockholders

For an independent consultant, customers might include:

• Clients
• Clients’ clients
• Potential clients
• Partners and associates
• Vendors and suppliers
• Own employees
• Investors
• Self

Figure 4-7
Assets Protection Customers


Taking a more comprehensive view of who the customers are and how best to meet their
needs can result in greater security team effectiveness. The large view also demonstrates the
assets protection manager’s commitment to the business mission as a whole, not just to the
security mission. That commitment often leads to greater respect for the assets protection
function and ultimately greater influence throughout the enterprise.

Quality

Some managers may think that quality is something in a plan on the shelf, something that is
done once, or something that belongs to the quality assurance experts. That view is wrong.
Quality “belongs to everyone, all the time” (Dalton, 2003, p.240).

As one quality consultant notes (Duffy, 2006):
One of the major definitions of quality is “conformance to customer requirements.”
Providing effective professional services or implementing a meaningful assets protection program
for the customer within appropriate resource constraints means delivering the required level
of quality. The security industry is one that must support multiple customers with a wide
variety of requirements.

Although a quality program may begin with tools, measures (metrics), and special processes,
the culture of quality should ideally become a part of the organization and be integrated into
all business practices.

A culture of quality can be developed in any type of security organization. For example, security
service providers are increasingly formalizing and standardizing their quality programs.

4.4.2 MANAGEMENT APPLICATIONS IN ASSETS PROTECTION

Planning, management, and evaluation are important tools in crime prevention programs
(Fennelly, 2004, p. 418). A strategic approach to managing assets protection programs
likewise involves all three tools. They apply as follows:

• Planning includes developing strategic goals and objectives, aligning assets protection
  objectives with the organizational vision, organizing the assets protection function in
  the way that best meets objectives, and determining how the mission will be
  accomplished.

• Management involves conducting the day-to-day operations of the department,
  communicating with others, and controlling specific tasks as well as the overall
  functioning of the office.

• Evaluation involves stepping back from day-to-day activities to objectively assess how
  well objectives are being met and what factors are contributing to the success or lack
  thereof. Reporting, documenting, and using information to make adjustments and
  improvements are all important parts of evaluation.


These tools are as applicable in the security services or products arena as they are in the
corporate or organizational setting. In a quality assurance/quality control (QA/QC) program
in a firm that provides security officers, the tools could work as follows:

• Planning may entail developing the company’s QA/QC program, obtaining executive
  buy-in, preparing documentation, training supervisors, and establishing procedures.

• Management might involve implementing the program, conducting inspections,
  reviewing audit reports, handling complaints and compliments, disciplining and
  rewarding officers and supervisors, briefing upper management, and interacting with
  the client on matters pertaining to QA/QC.

• Evaluation could consist of periodically determining whether the QA/QC program is
  serving company objectives and meeting client expectations, identifying systemic
  problems, and recommending process improvements.

In a corporate setting, a security department could use the tools as follows:

• Planning may entail setting strategic objectives consistent with the enterprise’s
  mission and vision statements, organizing the security function within the enterprise,
  determining resource requirements, establishing liaison relationships, developing
  policies and procedures, and identifying staffing needs.

• Management would involve day-to-day operation of the department, personnel
  management, logistics, vendor management, security systems operations,
  coordinating with others internally and externally, and briefing senior executives.

• Evaluation would consist of periodically comparing performance metrics to the
  department’s goals and objectives, identifying shortfalls, assessing any changes in the
  assets protection environment, and recommending process improvements.

None of these functions should be neglected at the expense of the others. They should be
repeated in an ongoing cycle that results in up-to-date and appropriate assets protection
protocols, procedures, and practices.

4.4.3 SECURITY ORGANIZATION WITHIN THE ENTERPRISE

Although each organization is unique, some basic principles apply widely to organizational
structure and management. This discussion of the security organization within an enterprise
is influenced by well-respected, much recommended security textbooks by Sennewald
(2003), Dalton (2003), McCrie (2001), and Fischer & Green (2004).

The “span of control” principle suggests that a single person can supervise only a limited
number of staff members effectively. The specific number depends on such factors as the
nature of the work and type of organization, but as a general rule one manager can
effectively supervise up to 10 people. This principle may be in jeopardy. Some observers
believe that the introduction of IT infrastructures, use of current telecommunications
technology, and flattening of organizational pyramids may enable a person to supervise as
many as 100 people. In settings that emphasize self-directed, cross-functional teams and very
flat structures, span of control is less relevant. However, traditional, hierarchical organizational
structures, where span of control is important, are still common.

Unity of command dictates that an individual report to only one supervisor. It is based on
the concept that a person cannot effectively serve the interests of two or more masters (that is,
managers). It is the supervisor’s responsibility to ensure the best performance from the unit he
or she manages. Some company structures make unity of command less important, but in
most settings employees still need a clear understanding of which policies they need to adhere
to (primarily) and who will provide day-to-day direction, quality control, and conflict
resolution.

Placement of the security department within an organizational structure can greatly affect
the assets protection manager’s ability to exert influence, remain informed, and garner
resources to support his or her programs and strategies. Assets protection managers, by the
nature of their expertise, must have functional authority within the organization and be
identified as part of the corporate management team. The rule of thumb is that the senior
security or assets protection professional should be placed as high as possible in the
structure of an enterprise and report directly to senior or executive management. A common
discussion today is whether security should be placed under the chief information officer, IT
security should be placed under a chief security officer, or some other arrangement should
be made. If the enterprise includes a chief risk officer, assets protection may be placed in his
or her division.

The following are some other important themes in organizational management:

• Lines of authority, responsibility, and communications should be as clear and direct as
  possible.

• Individual and organizational responsibility should come with an appropriate level of
  authority.

• Organizational alignments and structures should consider the interrelationships
  among functions, roles, and responsibilities (with an eye on the overall mission).

• Communications channels should be structured to allow effective mission
  accomplishment and interaction.

More information on the chief security officer’s role in organizational management can be
found in the Chief Security Officer Guideline, published by ASIS International (2004). It
discusses roles and responsibilities, success factors, key competencies, organizational issues,
and strategy development.


4.5 BEHAVIORAL ISSUES IN ASSETS PROTECTION

Behavioral science, the study of people and their relationships to each other, is important in
assets protection for three key reasons:

• Many security risks are the result of human threats, and behavioral science can yield
  insights into human threat sources.

• Security management requires effective interaction with other people, including
  collaboration, education, influence, supervision, and, most important, excellent
  communication skills.

• An effective security manager must also have trust in his or her staff members and have
  the ability to delegate to them not only the responsibility but also the authority to act
  within their functional area.

4.5.1 BEHAVIORAL SCIENCE THEORIES IN MANAGEMENT

The following theories in behavioral science are widely accepted as relevant and useful in
many management applications.

Maslow’s Hierarchy of Needs

Abraham Maslow’s theory, commonly known as the hierarchy of needs, asserts that people’s
behavior is driven by basic needs at different levels. It is often depicted as a pyramid, as
Figure 4-8 shows.

[Pyramid, from top to bottom: Self-actualization, Esteem, Affiliation, Security, Physiological]

Figure 4-8
Maslow’s Hierarchy of Needs


The levels of the hierarchy are:
• self-actualization need: self-fulfillment, realizing one’s full potential
• esteem or recognition needs: respect from others and self
• affiliation or love needs: affectionate social and family relationships
• security or safety needs: protection from perceived harm
• physiological or survival needs: food, drink, shelter

Basic or lower-level needs must be met before a person is motivated by the next higher level
of needs.

Maslow’s theory is still widely recommended to analyze individual employee motivation
strategies and establish tailored rewards, such as pay, recognition, advancement, and time
off (Buhler, 2003).

McGregor’s Theory X and Theory Y

Douglas McGregor holds that two worker models can be contrasted. Theory X contends that
workers are inherently lazy and tend to avoid work. They lack creative ambition, must be
goaded, require constant supervision, and are motivated by fear. Theory Y states that workers
are naturally motivated and want to work hard and do a good job. It assumes that workers are
thoughtful, eager to perform well, and willing to be guided and taught. McGregor stresses that
programs based on Theory Y are more successful than those based on Theory X.

Herzberg’s Motivation-Hygiene Theory

Frederick Herzberg’s motivation-hygiene theory is based on the premise that the opposite of
satisfaction is not dissatisfaction but simply no satisfaction. The theory maintains that two
sets of factors determine a worker’s motivation, attitude, and success (Buhler, 2003).

The first set is job content (motivators), such as achievement, recognition, responsibility,
and satisfaction derived from the work itself.

The second set is job context (hygienes), such as the surroundings, physical work conditions,
salary, coworkers, and other factors that are external to the work itself.

Hygiene factors (such as a fresh coat of paint on the wall) will be able to move an individual
from a state of dissatisfaction to no satisfaction, but only motivation factors can move that
person from no satisfaction to satisfaction.

The lesson is that managers should avoid quick fixes. Manipulating hygiene factors may
alleviate dissatisfaction but will not result in a state of satisfaction. Allowing an individual to
reach a state of satisfaction requires changes in the work content itself, such as increased
autonomy or responsibility (Buhler, 2003).


4.5.2 APPLICATIONS OF BEHAVIORAL STUDIES IN ASSETS PROTECTION

An assets protection program will not succeed unless it cultivates the willing cooperation of
those affected by it and meshes its goals with the personal goals of the workforce. Following
are some examples of how lessons from behavioral science might be employed in assets
protection.

Crime Prevention and Reaction

Behavioral science has long been involved in criminology with the goal of developing better
crime prevention strategies. Through mutual cooperation, private security can play a major
role in the prevention of crime while law enforcement focuses on crime control. Continuing
study is needed, as is better communication between behavioral scientists, criminologists,
and security and law enforcement practitioners. Many questions in criminology remain
unanswered in this area, but we are seeing a major move by law enforcement to have private
security more involved in crime prevention.

Incident Management

Motivation theories may be useful in developing emergency plans, business continuity
plans, and incident response plans. A major factor in any incident is how people will react—
those directly involved in the incident, bystanders, indirectly affected persons, security forces,
and first responders.

Some data can be gathered from exercises and drills through documentation and after-
action reports. Interpreted through human motivation theories, that information may aid in
the development of plans and procedures that will help ensure a smooth response to a real
incident.

Motivation theories should also be considered when developing larger-scale incident
management plans. Such theories may help in predicting how people will react when they
are ordered to shelter in place at the workplace or school—for example, whether they will
accept their separation from their family or instead evacuate immediately, regardless of the
directions given.

Security Personnel Management

In supervising security officers, heading an executive protection team, staffing a security
operations center, serving as a facility security officer, performing architecture and design
functions, or administering a global assets protection program, one needs to understand
what motivates people and what demotivates them.

Motivation theory can contribute to the planning and development of a QA/QC program, a
department organizational structure, an advancement plan, assessment or evaluation criteria,
awards programs, discipline procedures, communications venues, and even dress codes.
Behavioral science plays a role in almost every aspect of personnel management.


Employee Training and Awareness

Early security training and awareness programs were based on top-down management
directives, passive compliance, and an attitude of “we do it this way because the book says
we do it this way.” The modern workforce is more sophisticated, highly educated, and
independent, and security training and awareness strategies must be designed accordingly.

Behavioral theories can guide both content and delivery methods for security training and
awareness, which has been recognized as one of the most cost-effective assets protection
tools (Webster University, 2006). In addition, security training and awareness efforts should
take account of adult learning styles and current instructional design methods. When
employees can relate to the information presented and the way it is presented, the training is
more effective. Managers need to set direction and establish a professional setting, but
through training they need to avoid making operating decisions that should be made by their
supervisors and officers. As an example, when a subordinate requests advice about a routine
operational problem, the supervisor should avoid giving a specific solution, opting instead to
guide the subordinate, through an open exchange of information, toward identifying the
solution himself or herself.

Corporate Ethics

One of the first questions that comes to mind after a large-scale corporate scandal is “What
could have possibly motivated those people to do that?” Behavioral science theories may
help answer that question. They can be applied to help prevent, respond to, and recover
from major white-collar crime incidents and can also contribute to programs that address
smaller-scale, everyday ethical lapses.

Liaison and Leveraging Other Organizations

Because assets protection is a multidisciplinary venture, liaison and collaboration with a
wide variety of people, organizations, agencies, specialties, and professions is essential.
Behavioral theory can help in establishing and maintaining relationships with a network of
professional contacts, both inside and outside the assets protection manager’s organization.

Collaboration is especially valuable and challenging in a global environment that includes a
wide range of cultures, customs, and perspectives (Buhler, 2003):

The diversity of today’s workforce has further complicated an already complex phenomenon.
The differences among workers are greater than ever before. To be more successful in
motivating a diverse workforce requires, then, an understanding of the differences among
people and what makes them tick …

To become a more effective motivator, then, managers must understand as much as possible
about [motivation theory] and then pick and choose what best fits with which individuals.
The bigger the bag of motivational tools, the more likely the manager will be able to
understand employees’ needs and tailor rewards to better meet them. [This] enables
managers to get more done through others.


APPENDIX A

INSURANCE AS A RISK MANAGEMENT TOOL

In many organizations, a current trend is the integration of insurance management into a broader
assets protection program. Therefore, this appendix describes the types and uses of insurance,
primarily in the corporate setting. Further information is available through resources listed at the end.

Most risk management tools are either proactive or reactive, but insurance is a combination of the
two. From a proactive stance, it is the best-known form of risk transfer and is actually considered
an asset of the organization. It is also reactive in that the insurance benefits are not used until after
a loss occurs.

Insurance is a formal undertaking between two parties—the insurer and the insured—under
which the insurer agrees to indemnify or compensate the insured for specified losses from
specified perils. Insurance is “a formal social device for reducing risk by transferring the risks of
several individual entities to an insurer. The insurer agrees, for a consideration, to assume, to a
specified extent, the losses suffered by the insured.”1

Insurance is no replacement for security, of course. Compared to insurance, protection techniques
like risk reduction and risk spreading are preferable for several reasons:

• Loss control is a more satisfactory approach than after-the-fact indemnity.
• Loss prevention has become highly effective.
• Commercial insurers decline to cover some kinds of risks.
• The balanced scheme of protection is more cost-effective.

In most cases, it is impossible to be fully compensated for a loss, regardless of how much
insurance coverage an enterprise has. Modern management is now more interested in preventing
losses than in trying to buy insurance to cover every possible risk.

In the insurance world, the portfolio theory involves a comprehensive analysis of business risks and
pure risks. A risk model might analyze movements in exchange rates, changes in raw material prices,
and downtime caused by a catastrophic event. This model would produce an aggregate loss
distribution to estimate the likelihood and effect of several events occurring simultaneously. By
treating the risks as parts of a single portfolio, separate insurance policies for each risk can be
eliminated. The theory is that by managing risks, little or no outside insurance is required.

1 Glossary of Insurance Terms, University of Calgary, Canada, 1998, http://wcmprodlb.ucalgary.ca/haskayneundergrad/rminlinks/glossary.


INSURANCE OVERVIEW

Insurance is often divided into two general categories: property and liability. Property coverage
includes building and equipment damage or loss, as well as items like cash and negotiable
instruments of all kinds. Liability coverage encompasses all employee risks and includes workers’
compensation and non-occupational coverage, as well as coverage for losses affecting the general
public, such as automobile liability, product liability, landlord liability, contractor liability, and
environmental liability.

The basis for coverage is the insurance policy, the written contract between the insurer and the
insured. Many insurance contracts or policies have been standardized; however, they are not all
alike in coverage. For that reason, each policy must be carefully examined to determine the
coverage offered. Contracts of insurance are seldom read in detail by the owners until a loss occurs.
To determine the protection offered by a policy, the following questions must be asked:

x What perils are covered?
x What property is covered?
x What losses are covered?
x What people are covered?
x What locations are covered?
x What time period is covered?
x What hazards are excluded or what conditions suspend coverage?

Defining the Peril

Peril has been defined as “the cause of a possible loss.”2 Typical insurable perils include fire,
windstorm, explosion, burglary, negligence, collision, disability, and death. An insurance contract
may cover one or more perils. Some policies, called “named perils contracts,” specify the perils
that are covered in the contract. Other contracts, called “all risk contracts,” cover all perils except
those that are specifically excluded. Perils may also be covered only in part—for example, not all
unfriendly fires under a fire policy or not all negligence under a liability policy.

A policy may limit coverage by defining which part of the peril is covered or which part is not
covered. For example, a fire policy states the hazards not covered. The standard policy form
excludes fire losses resulting from action taken by military, naval, or air forces in an actual or
immediately impending enemy attack, invasion, insurrection, rebellion, revolution, civil war, or
usurped power. It also excludes fire losses resulting from neglect of the insured to use reasonable
means to protect his or her property, along with losses caused by order of civil authority (except
destruction of property to prevent the spread of a fire that did not originate from an excluded peril).

2 Glossary of Insurance Terms.

It is important to understand the terms burglary and robbery as they are used in insurance
policies. Burglary is generally defined as felonious abstraction of insured property by any
individual or individuals gaining entry to the premises by force.3 There must be visible marks on
the exterior of the premises at the place of entry, such as evidence of the use of tools, explosives,
electricity, or chemicals.

Robbery is usually defined as the felonious and forcible taking of property by violence inflicted
upon a custodian or messenger, either by putting the person in fear of violence or by an overt act
committed against the custodian or messenger who was cognizant of the act. Sneak thievery,
pickpocketing, confidence games, and other forms of swindling are not included in robbery
coverage.

A burglary contract does not cover robbery. Similarly, a robbery policy does not cover burglary.
Neither policy covers losses resulting from the felonious taking of property where there are no
visible marks of entry and where there has been no violence or threat of violence. A theft or larceny
policy is required to obtain coverage for such losses.

Defining the Property Covered

A standard insurance policy does not cover every piece of property owned by the insured, but it
usually describes the type of property covered. Also, a contract may specify certain property that is
excluded.

Some reasons for property exclusions in a policy are as follows:

x The specific property excluded may be more easily covered under other forms of insurance.
x The moral hazard—a condition of the insured’s personal habits that increases the probability of loss—may be prohibitive.
x The property may be subjected to hazards that should be specially rated.
x The property might be so uncommon to the average insured that the rate for the standard policy should not include it.

3 In law, burglary is forced entry or exit with intention to commit a crime. The abstraction of property is actually a larceny. But
insurance policies combine the forceful entry and the taking or abstraction under the single term burglary.

Defining the Losses Covered

The next step in analyzing coverage is to find out what losses are covered. Generally, losses may be
classified as:

x direct loss, such as the physical loss of or damage to the object concerned
x loss of use, such as the reduction of net income due to loss of use of the damaged or destroyed object
x extra-expense losses, such as the costs of defending a liability suit and paying judgment or hospital and medical expenses following a personal accident

Most policies cover direct losses only. Some may, in addition, cover a few forms of indirect losses.
For example, a standard fire insurance policy usually covers only the actual cash value of the
property at the time of the loss. Actual cash value is the cost to replace or restore the property at
prices prevailing at the time and place of the loss, less depreciation.4 It will not offer compensation
for additional expenses of rebuilding required by ordinances regulating construction or repair, and
it will not cover the loss of use while the property is being replaced. In addition, it will not pay for
the loss of income, such as loss of rent, while a building is being rebuilt.

Defining the Period of Coverage

Formerly, a loss that occurred during the period the policy was in force would be covered no
matter when the occurrence was discovered, even after the policy expired. The term for this is an
occurrence loss.

Insurance carriers encountered difficulties matching premiums with losses that could still be
covered years after occurrence. As a result, a new form of contract was developed. This form,
known as the claims-made type, provides coverage only for losses that are reported during the
period the policy is in force.

If an insured with a claims-made policy leaves one carrier in favor of another, the new carrier will
probably not cover losses occurring before its own first contract date, even if the claim is made
during the contract period. This tends to lock insureds in with a single carrier. It also raises issues of
later endorsements to reduce coverage, the need for an insured to solicit claims against itself in order
to pass them to the carrier in a timely way, and the uncertainty of coverage or its cost when seeking
to terminate the contract. The solution to this problem is usually called “tail cover”—retrospective
coverage for events that occurred during a prior policy period but are raised during the tail period.
To change carriers, it is normally necessary to purchase tail cover from the prior carrier.

4 Glossary of Insurance Terms.

Defining the People Covered

Some policies cover only the named insured and representatives while others cover additional
individuals. The first page of a standard fire policy states clearly that the contract insures only the
named insured or insureds and legal representatives. The insured’s executors or heirs under a will
and receivers in bankruptcy would also be covered. Many property policies allow a space for
indicating the name of the lender who holds a financial interest in the property, and such lenders
are considered additional insureds. An endorsement must be added to afford protection to any
others. A frequent technique to extend one party’s coverage to protect another is to have the other
individual designated as a named insured in the policy. Named insureds, however, are subject to
the same policy conditions as the original insured. In some cases, this may not achieve the security
objective of the additional named insured.

Defining the Locations Covered

Some policies cover one location, while others include several locations. The standard fire
insurance contract covers property only while it is located as described in the policy, with one
exception—the contract covers property pro rata for five days at each proper place to which any of
the property is necessarily removed for protection against the perils insured against in the policy.

Defining the Time of Coverage

Policies vary as to the exact time of day they go into effect. Fire insurance policy coverage usually
starts at noon, standard time, on the day the policy is dated and at the place the risk is located. The
coverage will ordinarily continue in force until noon, standard time, on the day of expiration.
Other policies go into effect and expire at 12:01 a.m., standard time.

Conditions that Suspend Coverage (Exclusions)

Insurance policies commonly contain provisions that suspend coverage when a risk increases to
such a degree that the insurance company is no longer willing to offer protection. It is possible to
eliminate the conditions by adding endorsements, which may result in increased premiums.

The limiting provisions may be either “while” clauses or “if” clauses. That is, coverage is
suspended while certain conditions exist or if defined situations exist. The fraud and concealment
clause found in many contracts is a typical “if” clause. It states that coverage is void if, either before
or after a loss, any material fact or circumstance concerning the insurance has been willfully
concealed or misrepresented. An example of a “while” clause would be a statement that the
insurance company will not be liable for loss while the hazard is increased by any method within
the control or knowledge of the insured. Another common example would be the vacancy clause,
which suspends coverage while a property stands vacant beyond a specified period.

In fidelity coverage, it is customary to exclude from coverage any person the insured knows to have
committed any fraudulent or dishonest act, in the insured’s service or otherwise. The exclusion
usually dates from the time the insured became aware of the fraudulent or dishonest act. The
insurance carrier may grant case-by-case exemptions to the exclusion. For example, should a
person be hired despite a minor dishonest act revealed in a preemployment investigation, an
exemption to the exclusion should be requested.

Endorsements

Insurance policies have been standardized by custom, law, or inter-company agreements.
Standard policies may be modified by endorsements—sometimes called riders—to increase or
decrease the coverage of the standard policy. Standard endorsements are available, but if they are
not adequate for the coverage desired, special endorsements may be written and added to the
standard policy. When in conflict with the standard policy, the endorsement governs unless it is
illegal.

Endorsements are added to:
x add perils
x add property
x include more covered individuals
x adjust rates
x add, increase, reduce, or delete deductibles
x add or eliminate exclusions
x increase or decrease amounts of coverage
x record address changes
x correct errors

Crime Coverage

Crime insurance is written to protect the insured against loss by burglary, robbery, theft, forgery,
embezzlement, and other dishonest acts. Two types of bonds may be used for protection: fidelity
and surety. Fidelity coverage is written to protect the employer from the dishonesty of employees.
Surety coverage is intended to guarantee the credit or performance of some obligation by an
individual.

Insurance coverage against crime may be obtained by purchasing a standard crime policy, then
adding the necessary endorsements. It is essential to understand the meaning of each criminal
term used by the insurance company in order to ensure that adequate protection is obtained.
Policies may exclude certain items or may not include certain crimes.

The comprehensive 3D policy is a combination fidelity crime insurance policy designed to offer
the widest possible protection. The standard form contains five insuring agreements. The insured
may select as many as needed and specify the amount of coverage on each. The following are the
basic coverages offered:

Coverage I: an employee dishonesty bond
Coverage II: money and securities coverage inside the premises
Coverage III: money and securities coverage outside the premises
Coverage IV: money order and counterfeit paper currency coverage
Coverage V: depositors’ forgery coverage

Twelve additional endorsements are available:
x incoming check forgery
x burglary coverage on merchandise
x paymaster robbery coverage inside and outside premises
x broad-form payroll inside and outside premises
x broad-form inside premises only
x burglary and theft coverage on merchandise
x forgery of warehouse receipts
x securities of lessees of safe-deposit box coverage
x burglary coverage on office equipment
x theft coverage on office equipment
x paymaster robbery coverage inside premises
x credit card forgery

Assets protection managers should consider an endorsement for IT equipment and data if they are
not adequately covered in the policy. In determining whether coverage is adequate, the following
questions should be asked:

x Is all equipment completely covered for any loss?
x Does the coverage include the loss of recorded data as well as the cost of new hardware?
x Does the coverage include reconstruction of data?
x Will the coverage pay for temporary operation at an alternate location?
x Does business interruption coverage protect against forced shutdown of equipment?

Business Interruption

Business interruption insurance offers a number of coverage choices. For example, coverage can
be written on a named peril or all-risk basis. If a building or machine sustains physical damage,
there will usually be at least an interruption of production or sales, resulting in financial loss. Other
incidents may not damage the physical facilities but may nevertheless cause a shutdown. For
example, a subcontractor might be required to shut down if the plant of the prime contractor is
destroyed, or a factory across from a chemical plant might be forced to lose a day’s production
because of noxious fumes from the chemical plant. These types of risks can be covered with
endorsements known as contingent business interruption loss forms.

A business that might not return to normal for some time after reopening following a shutdown
could consider another type of coverage: the endorsement extending the period of indemnity. An
example of a business requiring such coverage would be a bowling alley. A fire just prior to the
opening of a bowling season might cause league business to go elsewhere for the full season. Even
if the establishment is able to reopen in two months, it might not recover its normal business until
the following year. With standard business interruption insurance, the coverage would stop once
the facility was restored to operating condition. With the endorsement extending the period of
indemnity, the coverage would be extended for the amount of additional time purchased.

Valuation is a factor to consider in planning for business interruption. An actual-loss-sustained
method or a valued-loss method may be selected. With actual-loss coverage, the insured must
prove the claim according to policy provisions. On the other hand, the valued endorsement usually
stipulates the amount payable per day of shutdown and specifies the number of days for which
coverage is provided. The amount selected for the daily indemnity must be certified by an
accountant as being the approximate amount that will actually be lost. This certification is done
before the loss occurs.

Another type of business interruption insurance is the business interruption and extra expense
endorsement. While the basic business interruption forms include coverage for normal extra
expenses, other expenses may be incurred. Such expenses may be incurred to keep a product on
the market regardless of cost or, for a bank, to function regardless of expense. When the situation is
not a clear-cut case of either loss of earnings or incurring extra expense, a combined endorsement
may offer good protection.

Liability Endorsements

Liability coverage in recent years has become increasingly important because of cases in which
organizations have been held liable for property damage and for injury to victims. Under tort law,
injury victims are entitled to collect for losses and mental anguish from anyone they can prove
responsible for intentionally or negligently injuring them or damaging their property.

Liability litigation is widespread, and the number of liability cases continues to rise. Products are
challenged as unsafe or badly designed, and such actions frequently result in large damage awards.
Professional liability suits against engineers, architects, physicians, and lawyers have multiplied,
and the cost of liability insurance for some professionals is enough to cause them to abandon their
practice.

In the security field, too, liability litigation has exploded, resulting in many large damage awards
against security personnel, contract security agencies, and employers or client companies.

A commercial general liability policy—the standard policy offering liability coverage—is less
comprehensive than generally assumed. As a result, to ensure the necessary coverage, several
endorsements should be added, such as those below.

Liability of Officers and Directors

A liability endorsement to protect officers and directors against legal actions brought by
stockholders and others has become increasingly popular because of the publicity given to such
suits. Coverage should be carefully examined to ensure that it is adequate. For example, a policy
may specify that protection is offered for individuals “while acting within the scope of their
duties.” This provision could lead to questions as to duties of individuals and whether they were
acting within the scope of those duties. An endorsement providing for coverage while “acting in
behalf” of the enterprise would eliminate such a dispute. Such a change can usually be made
without any increase in premium.

Employee Practices Liability Insurance (EPLI)

This relatively new type of insurance is a specialized coverage for employers who become the
targets of work-related lawsuits. EPLI covers a business for employee-related actions, such as the
following:

x discrimination
x sexual harassment
x wrongful termination
x breach of employment contract
x negligent evaluation
x failure to employ or promote
x wrongful discipline
x deprivation of career opportunity
x wrongful infliction of emotional distress
x mismanagement of employee benefit plans

EPLI covers defense costs, judgments, and settlements but may not cover punitive damages, fines,
or penalties. Workers’ compensation, bodily injury, and property damage, and any liability
covered specifically in another policy are generally not covered. EPLI usually covers the corporate
entity, employees, former employees, directors, and officers. Some policies also cover volunteers.

Product Liability

Product liability insurance is sold to manufacturers and dealers of goods. Protection is offered for
damage claims arising from the consumption or use of articles manufactured, sold, handled, or
distributed by the insured, if the damage occurs after possession of the goods or products has been
relinquished to others and if the damage occurs away from the insured’s premises. An exception
exists for organizations that serve food on the premises, for which special coverage is necessary.

Product liability suits may be based on either the tort theory of negligence or the contract theory of
breach of warranty. Since it is easier to prove breach of warranty than negligence, most claims
involving products are based on a breach of an express warranty or an implied warranty that the
product sold is reasonably fit for the particular purpose for which it was bought. Liability coverage
must be examined carefully to ensure that breach of warranty is included. If not, an endorsement
should be added for this protection.

The recall of products, which is excluded in standard liability coverage, can create an expensive
problem. Frequently, manufacturers are required to recall automobiles, television sets, food
products, or pharmaceuticals. The manufacturer is normally required to assume responsibility for
removing the defective item from the possession of all wholesalers and retailers.

Product recall coverage can be obtained by adding an endorsement to the comprehensive liability
policy. This coverage is known as product recall or product withdrawal expense. The coverage may
be written to cover recall of products only if bodily harm is threatened, or it may cover products
that threaten only property damage. The loss of the product itself is not covered.

Insurance Providers

Regardless of the type of insurance provider, customers should be able to expect rapid
compensation for losses incurred. As in any other business relationship, due diligence must be
exercised when selecting an insurance provider. The financial stability and claims settlement
record of the provider are critical to timely reimbursement of a loss. Most organizations select an
insurance provider and settle into a long-term business relationship without subsequent review of
the financial condition of the provider, but ongoing due diligence is necessary.

Insurance can be obtained through these means:
x dealing directly with an insurance company
x dealing with an insurance broker that may represent several companies
x buying an insurance company, known as a captive carrier
x buying an interest in a mutual insurance organization called a risk retention group

The size of the enterprise and its insurance needs typically suggest the type of provider that will be
most cost-effective. Small organizations tend to deal directly with the insurance company or use a
broker. Mid-size organizations have the same options but may also join a risk retention group.
Large organizations have all four of the options listed above. The four different sources of
insurance are discussed below.

Insurance Companies

The large number of insurance companies and the wide variety of policies they offer ensure that
coverage can be found for virtually any risk. In essence, uninsurable risk is only heretofore
uninsured risk. Many organizations merely select an insurance carrier with a good name, accept
the coverage that the representative suggests, and pay the policy premiums. Sound management
principles demand more.

A financially weak carrier tends not to pay claims in a timely manner. If the carrier becomes
insolvent, claimants can turn to the state guarantee trust fund for partial recovery. This is a lengthy
process, and claimants are limited to a certain dollar amount. In essence, choosing the wrong
insurance company can, in itself, be a high risk. The financial stability of the insurance carrier
should be reviewed before entering a contractual relationship, and subsequent reviews should be
conducted at least annually.

The financial stability of insurance carriers is rated by a number of rating services. Each service
uses a different formula, and the rating of a specific insurance company may vary among the
rating services. Prudent managers consult more than one rating service. A significant difference in
the ratings of a company should be a red flag denoting the need for further investigation. Rating
services measure the financial condition of the insurance carrier but do not measure the speed of
claims payments.

Government insurance departments are also valuable sources of information. In the United States,
insurance companies must file annual financial statements with the insurance department of each
state in which they are authorized to do business. Other pertinent information includes the number
of complaints filed against the company and any disciplinary action taken against the company.

Insurance Brokers

Insurance brokers are marketing specialists who represent buyers of property and liability
insurance and who deal with either agents or companies in arranging for the coverage required by
the customer.5 Insurance brokers deal with more than one insurance company and can suggest the
company best suited to provide a specific type of policy. The expertise and responsiveness of a
broker should be verified by contacting other clients. A good broker keeps abreast of the financial
stability of the insurance companies with which insurance is placed. The broker who arranges
insurance coverage with an insurance company that becomes insolvent may become a defendant
in a civil action.

5 Glossary of Insurance Terms.

Risk Retention Groups

Smaller firms and organizations may form risk retention groups (RRGs), which are corporate
bodies authorized under the laws of some states as liability insurance companies. Such groups
must be owned by entities within the membership of the group that obtain liability insurance from
the group. RRGs are generally exempt from the laws of other states.

RRGs typically market their liability policies to purchasing groups (PGs), which consist of
organizations that have similar liability insurance needs because of the nature of their business. In
the security field, PGs have consisted of guard and investigations concerns. The PG can acquire
liability insurance for its members from the RRG. Typically, the attraction of such an approach has
been the availability of liability coverage and lower premiums. Some RRGs have experienced
funding or other difficulties and have either abandoned the field or otherwise caused problems for
the PG insureds. Overall, the RRG is a viable alternative to high premiums and the difficulty of
obtaining special coverage; however, the particular group and its track record should be studied
carefully.

Captive Carriers

One of the problems of liability insurance has been the high premium cost when using carriers
conventionally licensed within each state where they offer the coverage. One solution is the
captive insurer—a separate, wholly or principally owned firm, usually organized offshore, used to
write the insurance for the owning company. Sometimes a captive insurer is owned by an
association of two or more firms with common insuring interests. When appropriate, a captive
insurance carrier can make it easier to insure risks not acceptable to conventional carriers, can
help make a more favorable expense ratio, and can open reinsurance resources not otherwise
available. However, the captive carrier is generally a technique of larger firms.

INSURANCE RESOURCES

Business Insurance magazine and online resources, www.businessinsurance.com

Insurance Information Institute, www.iii.org

Risk Insurance and Management Society, www.rims.org

The smart approach to protecting your business: Managing your risk, The Hartford in association
with the U.S. Small Business Administration,
www.thehartford.com/corporate/losscontrol/SBA/TIPS/2009/Product%20Liability%2019295.pdf

104 Protection of Assets Ɣ Copyright © 2012 by ASIS International

INTRODUCTION TO ASSETS PROTECTION
References

REFERENCES

ASIS International. (2004). Chief security officer guideline. Alexandria, VA: ASIS International.

ASIS International. (2005). Scope and emerging trends: Executive summary. Alexandria, VA: ASIS
International.

Buhler, P. M. (2003, December). Managing in the new millennium: Understanding the manager’s
motivational tool bag. Supervision.

Dalton, D. R. (2003). Rethinking corporate security in the post 9/11 era. Burlington, MA:
Butterworth-Heinemann.

Drucker, P. F. (1974). Management tasks, responsibilities, practices. New York, NY: Harper and Row.

Duffy, G. (2006, September 23). Vice President, American Society for Quality, www.asq.org.
Unpublished document.

Fennelly, L. J. (2004). Handbook of loss prevention and crime prevention (4th ed.). Burlington, MA:
Elsevier Butterworth-Heinemann.

Fischer, R. J., & Green, G. (2004). Introduction to security (7th ed.). Burlington, MA: Butterworth-
Heinemann.

Glassman, C. A. (2006, June 8). Complexity in financial reporting and disclosure regulation.
Presentation at the Security and Exchange Commission and Financial Reporting Institute
Conference, Pasadena, CA.

Heffernan, R. J., CPP. (2006, September 25). 2006 trends in proprietary information loss survey
results: An overview. Presentation at the ASIS International Seminar & Exhibits, San Diego, CA.

McCrie, R. D. (2001). Security operations management. Burlington, MA: Butterworth-Heinemann.

Naisbitt, J., Naisbit, N., & Phillips, D. (1999). High tech/high touch. New York, NY: Broadway Books.

Naisbitt, N. (2006, June 22). Founder and executive director, The Pinhead Institute, Telluride, CO.
Personal interview.

National Institute for Standards and Technology, Computer Security Resource Center. (2006).
History of computer security. Available: http://csrc.nist.gov/publications/history [2006, July
28].

Securitas. (2006). History. Available: http://www.pinkertons.com [2006, July 28].

Sennewald, C. A., CPP. (2003). Effective security management (4th ed.). Burlington, MA: Butter-
worth-Heinemann.

Webster University. (2006). Business assets protection. Course materials for Business and
Organizational Security Management Program. Washington, DC: Webster University.

Wilson, T. R. (2002). Global threats and challenges. Statement to the U.S. Senate Armed Services
Committee by the Director of the Defense Intelligence Agency, March 19, 2002.

Protection of Assets Ɣ Copyright © 2012 by ASIS International 105



CHAPTER 5

COST-EFFECTIVENESS AND LOSS REPORTING

5.1 UNDERSTANDING THE PROBLEM

Asset protection must be cost-effective. An organization should not spend $1,000 to protect a
$10 asset. Except for certain high-value, irreplaceable items, an organization should base its
protection strategies on a realistic, cost-effective rationale. As the security industry matures
and incorporates business fundamentals into its repertoire of strategies, several business
tactics are being ingrained into standard security management practices. These include
return-on-investment strategies, metrics management, data capture and analysis, and
cost-benefit analysis. As part of asset protection, security is best described as the implementation
of standards and principles that, when constantly applied, control loss.

5.2 WHAT COST-EFFECTIVENESS MEANS

Cost-effectiveness means producing good results for the money spent. To senior management,
cost-effectiveness is the primary factor in determining the size or existence of the asset
protection program. Anecdotal evidence of the efficiency of an asset protection program is
interesting, but in the final analysis the program must be measurable in financial terms.

To maximize cost-effectiveness, a security manager should do the following:
• Ensure that operations are conducted in the least expensive, but cost-effective, way.
• Maintain the lowest costs consistent with required operational results.
• Ensure that the amount of money spent generates the highest return.

Cost-effectiveness in asset protection requires balancing expenditures against results and
revising the plan as needed. It also requires critical judgment based on a complete
understanding of the enterprise operations, a broad knowledge of state-of-the-art security,
and the recognition that some elements of the security program may take several years to
implement. Often overlooked as asset protection tools, procedural controls are the least
expensive countermeasures one can employ. Simply by changing the way things are done,
revised procedures can enhance security while improving the bottom line for the enterprise.

A historic, continuing problem is the inability to demonstrate that asset protection
expenditures lead to tangible, more valuable goals—in other words, to justify the cost of an asset
protection program to enterprise management.

5.3 ELEMENTS OF COST-EFFECTIVENESS

The question that senior management wants answered is this: Does the asset protection
function accomplish anything that can be quantified and that justifies its cost?

One way to view the issue is to consider a business with gross annual sales of $250 million
and an asset protection operation costing $1 million annually. At that level, asset protection
constitutes 0.4 percent of sales. Senior management will want to know why $1 million should
be spent on asset protection rather than on something else. The “something else” could even
be a short-term investment in financial instruments. At a modest 4.5 percent annual return,
$1 million would earn $45,000 in a year. Thus, the $1 million expenditure actually costs the
enterprise $1,045,000 in a year. That cost must be weighed against the consequences of not
having a security program. Cost-effectiveness also applies within the asset protection
operation itself. An expense budget allocates monetary value to a department’s activities.
The security manager must consider whether a given resource is the most effective one
available at the stated cost. For example, if $30 padlocks are used to secure loaded semi-
trailers in the company lot, the security manager should attempt to answer these questions:

• Is a padlock the appropriate countermeasure in this situation?
• If so, is this particular padlock at $30 best suited for the purpose?

In general, the second question is harder to answer than the first.

Senior management will inevitably view all operations from a financial perspective, because
the department that plays a direct role in the generation of revenue is a profit center. A
security professional lacking this perspective will be unable to justify continued funding of
the security program, especially if the enterprise is emphasizing financial austerity. The three
main expense categories that security professionals must consider when developing a budget
are salaries, operational expenses, and capital expenditures. An essential step in developing a
department budget is to review the organization’s overall strategy and goals to determine
how the security budget fits in. Is it in line or does it exceed what would be realistic and
acceptable to senior management?

Necessary protection programs are often substantially cut because, in the intense
competition for scarce funds, no persuasive argument is made for them. However, the
increased losses that might follow a security cutback could easily and greatly exceed the
presumed saving. The following are various financial concepts that can be used to show
value for money.

5.3.1 RETURN ON INVESTMENT

Return on investment (ROI) is a standard profitability ratio that measures how much net
income the business earns for each dollar invested by its owners. Also called return on
equity, ROI is used to gauge management’s overall effectiveness in generating profits.
Kitteringham and McQuate (2003, p. 121) observe:

ROI can be measured in time saved, improved efficiency, reduced manpower, reduced losses,
lower liability or insurance payments, or greater customer satisfaction. It all translates into an
improved bottom line over time.

The expectation is that security measures should not merely be efficient but should provide a
positive return on investment. For example, security awareness programs may be judged as
effective when benefits are either commensurate with cost or exceed cost estimates. The return
varies in different organizations but may include increased customer satisfaction, happier,
more secure employees, increased productivity, reduced employee turnover, cost savings,
actual revenue, reduced false alarms, saved lives, or anything else that can be quantified.

However, many organizations do not make ROI calculations when judging security spending;
they merely adopt a budget based on historical experience or future estimates. According to
an Ernst & Young study (2003) of the information security field:

Return on investment (ROI) is not valued as a measure of information security spending
effectiveness. This was evidenced by the nearly 60% of organizations that said they rarely or
never calculate ROI for information security spending.

One way to determine ROI is shown in Figure 5-1.

\[ \frac{AL + R}{CSP} = ROI \]

AL = Avoided loss

R = Recoveries made

CSP = Cost of security program, including personnel expenses, administrative expenses, and capital costs

Figure 5-1
Return on Investment (ROI) Formula

Two examples of ROI calculation follow.

Nuisance Fire Alarms

Due to a high number of nuisance fire alarms, an organization decided to assess the data
collected in the normal course of security department incident report writing. The cost of
alarms was divided into hard costs and soft costs. Hard costs included lost productivity for
employees evacuating the building and for employees responding to the alarms, as well as
the cost of fire department fines. Soft costs included wear and tear on building mechanical
systems when alarms activated; the tendency for employees to learn to ignore alarms,
thereby placing themselves in jeopardy when legitimate alarms activate; the potential for
staff injuries during evacuations; and the frustration of the organization’s staff and fire
department personnel due to the high number of alarms. Lost productivity was quantified
with an average hourly salary figure from the organization’s human resources department,
and fire department fines were easy to tally. Soft costs were merely estimated.

The next step was to determine the causes of the alarms. There were three factors: the age of
some equipment, a lack of training and familiarity with the fire alarm system, and a lack of
communication between staff and contractors working in the building. Once these factors
were identified, replacement parts were installed, a training program was initiated, and a
formal communication program was implemented. All costs were captured and compared.

The annual costs of nuisance alarms in Year 1 were compared to the same costs in Year 2,
after nuisance alarms were reduced. Nuisance fire alarms were found to have cost the
organization $50,000 in Year 1, before the security program reduced nuisance alarms. In Year
2, following the nuisance alarm reduction initiative, alarm costs dropped to $10,000,
resulting in an avoided loss of $40,000. The annual cost of the nuisance alarm reduction
initiative is $10,000. Hence, for an annual investment of $10,000, the organization saves
$40,000. In other words, for every $1 invested, the company saved $4.

Two-Way Radios

A company was using a trunk cellular two-way radio system. Staff complained of multiple
areas within the building where the radios did not work. The result was a waste of staff time
as they moved out of the dead spots to use their radios, an increase in staff risk when they
were out of radio range, and delayed responses to security, safety, and medical incidents.
Additionally, because of the radio system’s trunk cellular nature, the organization was paying
hard costs of $25,000 annually for air time. The soft costs were harder to quantify and were
left out of the equation. Prospective avoided losses (due to upgrading the radio system)
included possible lawsuits and workers’ compensation claims. Avoided losses were
estimated at $25,000 per year.

The length of time a solution remains in use may alter the ROI calculation. One method of calculation would be
to multiply the savings by the number of years the original radio system would have been in
use before being replaced. For example, if the radio system had another 10 years in it, then
the annual savings can be multiplied by 10 to obtain the final figure.

A replacement system was researched and installed. The capital expenditure purchase and
installation of the system (cost of security program) was $60,000. Based on a single year, the
formula results in a return of $0.41 for every dollar invested. Additionally, all other issues were
resolved to the satisfaction of staff and tenants, including delays in responding to incidents
where time was of the essence. If 10 years were factored into the formula, then the ROI would
be $4.10 for every dollar invested.

5.3.2 SECURITY METRICS

The term “security metrics” refers to security-related measurements. Kovacich and Halibozek
(2006) describe security metrics as the process of measuring an asset protection program’s
costs and benefits as well as its successes and failures. Security budgets and expenditures are
being scrutinized as never before, and security metrics can help in justifying those
expenditures. The first step in good security planning is performing an analysis of the
potential areas of loss, their probability, and their gravity or impact on the corporation. This
data, along with security metrics, provides the information needed to present a security
budget to senior management.

Mainstream security management has been slow to adopt a metrics-based approach, but the
trend is changing. Through the application of metrics, security managers are better able to
show the cost-effectiveness of asset protection.

A loss prevention program can collect metrics on arrests made, recoveries per year,
recoveries per officer, arrests per shift, arrests per location, and other topics. Metrics in the
commercial high-rise industry can be gathered on the number of thefts occurring, costs per
square foot, number of fire alarms per year, number of incidents, doors found open, number
of undesirable persons, recoveries made, investigations conducted, etc. Shopping mall
security management can collect metrics on arrests made, number of people banned from
the property, interactions with the public, loss prevention seminars conducted with retailers,
patrols conducted, cars stolen from the parking lot, etc. Corporate security can collect
metrics on investigations conducted, recoveries made, risk assessments conducted, travel
briefings provided to staff, etc.

Once baseline data is collected, security managers can experiment with and fine-tune the
asset protection program to increase its effectiveness. Data analysis may also suggest
whether specific security measures are effective at all. It is up to the individual security
manager to determine what should be measured. Those metrics may help the security
manager answer the following questions:

• What am I trying to accomplish?
• How will I know if I am successful?
• What would convince me that I am not successful?
• What are my impediments to success?
• How much is it costing per unit to be successful?
• Is it worth the cost?
• How will I be able to collect and display the information in a meaningful format?
• What is the cost of success?
• What is the cost of failure?

Despite its importance, the security department must compete with other departments for
funding. From an engineering department perspective, if a piece of equipment will fail if not
repaired or replaced, the decision to spend money can be made easily. Other departments,
such as security and marketing, may find it harder to gain funds and should use ROI figures
to convince decision makers.

5.4 BOOSTING COST-EFFECTIVENESS

5.4.1 BUDGET PROCESS

For organizations that generate income, it is customary to budget that income over the same
fiscal periods in which the costs necessary to produce it are incurred. Typically, a sales
forecast will project sales revenue for a quarter or a year. This forecast will then be the
baseline from which all expense budgets are built. In commercial operations, policy makers
will determine the profit that the enterprise must earn. Subtracting that amount from the
estimated revenues leaves the amount available to run the business. That amount is then
divided among the various elements of the business using budgeting techniques.

When expense budgets total more than the available funds, budget reviews are conducted.
Reductions are made by deleting planned expenditures—typically personnel and operating
expenses. After operations have commenced, periodic reports of actual results against
budgeted results will indicate whether further expense reductions are required.

Management strives to maintain the margin between gross sales and expenses, even in the
face of reduced sales. Accordingly, the only way an operating function can justify continued
funding is to demonstrate that the real costs to the enterprise would be greater if the level of
support for the activity were reduced. If the contribution of the operating function cannot be
quantified or, when quantified, cannot be shown to result in greater net revenue than would
be possible without the function, sound management practices dictate that the function be
reduced or eliminated.

Preventing crime, closing investigations, and maintaining order are all legitimate and
necessary objectives of an asset protection program, but only for the purpose of helping the
enterprise achieve its basic goal. For commercial organizations, the goal is to make and
distribute products or render services so as to earn the planned profit. For public service or
not-for-profit organizations, the basic goal is to render services within the limits of the
available funds.

5.4.2 COST REDUCTION

Each element of the operation must be carefully examined for cost-effectiveness. The “we’ve
always done it this way” syndrome can significantly increase the cost of the operation. By
contrast, periodic reassessment of security solutions can lead to savings.

For example, if a company had earlier determined that $30 padlocks were the best solution
for a particular protection need, the company now should evaluate whether $20 padlocks
might provide the required protection. Purchasing 500 padlocks per year at $20 instead of
$30 leads to an annual savings of $5,000.

Security departments can also examine whether it is more cost-effective to use a proprietary
security officer force or a contract force.

Another consideration might be the cost-effectiveness of maintenance contracts for security
systems. The warranty for a new system generally covers the first year of operation. A
maintenance contract for each subsequent year costs approximately 13 percent of the original
system cost. Thus, an annual maintenance contract for a $100,000 system might be $13,000.
An analysis of the maintenance history might reveal that the services would cost significantly
less if paid for on a time and materials basis. A countervailing issue is that system suppliers
normally give first priority to customers who have maintenance contracts. Thus, the system’s
age and criticality should also be factored into the calculation.

5.4.3 COST AVOIDANCE

One way to achieve cost-effectiveness is to avoid costs or expenses through the use of asset
protection resources. Following is a discussion of major areas in which cost avoidance is
possible.

Major Loss Prevention

An asset protection program would be cost-justified if it was established that probable real
losses would not occur if the proposed asset protection measures were adopted. Under that
approach, “cost avoidance” would be the total cost of probable security losses assumed to
have been prevented. The real test, of course, would be whether the actual losses were less
than the otherwise probable losses and whether the combined cost of the actual losses and
the cost of maintaining the asset protection organization were within the risk-assumption
boundaries accepted by management when approving the asset protection program.

Other Loss Prevention

Asset protection programs prevent other losses, including some that are rarely quantified. A
good example is the work of security patrols in observing and correcting maintenance or
housekeeping problems, while at the same time preventing hazards such as fires. The
following situations will be found in every operation. In those with security forces, the
security officer often takes the corrective action on patrol. Figure 5-2 lists several types of
issues that security officers may discover on their patrols.

ITEM OR TOPIC                   CONDITION
Expensive tools or materials    Not stored securely
Lights                          Improperly on or off
Machine                         Improperly running or not running
Doors or hatches                Improperly closed or open
Temperatures                    Too high or too low
Pressures                       Too high or too low
Levels                          Too high or too low

Figure 5-2
Problems Discoverable on Security Officer Patrols

The least dramatic of these—the light left burning when it should have been extinguished—
could be resolved by motion sensors that turn off a light if no motion is detected within a
predetermined period. However, if the organization does not use this technology, three
questions can be asked that will allow assessment of the value of the patrol action in turning
the light off:

1. If the security patrol had not turned off the light, how long would it probably have
remained on until discovered by someone else?

2. What is the expense to the enterprise for a light of that wattage burning for an hour or
a shift?

3. What cost has been avoided by turning off the light? (Item 1 multiplied by Item 2)

The savings for one light that might otherwise have burned needlessly for an hour will be
insignificant. But, over the course of a year, preventing hundreds of lights from burning
thousands of bulb-hours will result in significant cost savings. The same factors apply to
turning off machinery, where reduction of wear and tear is an additional benefit.

There could be far more serious consequences than energy expense. If a temperature is too
low or too high, a process could fail or a vessel rupture.

Taken individually, these housekeeping losses are not major items. However, a large facility
features many such items, so the cumulative effect of reducing them may be significant and
should be documented.

Other Strategies

Security managers can use several other means of identifying acceptable asset protection
strategies. For example:

• WAECUP (Waste, Accidents, Error, Crime, Unethical Practices) can be used as a
blueprint for developing security objectives.

• SWOT (Strengths, Weaknesses, Opportunities, and Threats) Analysis is a model for
analyzing proposed organizational projects. The concept is to analyze an issue or
proposal from each of the four points of view, thereby giving security management a
profile of potential issues to deal with. A goal of risk analysis is the recognition of
threats as they relate to company operations.

• The STEP (Social, Technological, Environmental, and Political) Model points out
potential sources of threats. The security manager can then conduct an analysis to
determine whether such threats are likely and where they could come from.

5.5 DATA CAPTURE

Collecting information is of paramount importance to security management, and the easier
it is to create security reports, the less staff will resist reporting incidents. Options include
pen and paper, electronic report writing at a work station, and portable input devices that
security officers can use on patrol to report their activities, including housekeeping and
maintenance loss avoidance. The screen can be configured to minimize keystrokes, and
information can be transmitted by radio frequency as it is gathered or can be uploaded to the
main database at the end of the tour.

The use of specially designed incident reporting forms also fosters easy data collection. One
approach to using such forms is as follows:

1. Design a good report form. Much time can be saved if the data fields are properly
designed. The minimum information to be captured should include date, time,
location, relevant names, name of officer, type of incident (light on, machine off, etc.),
and department affected by and responsible for the issue reported.

2. Teach security staff how to use it. All members of the asset protection organization
should be prepared to use and process these forms. Of course, the primary security
task—dealing with the incident, not just reporting it—must also be emphasized.

3. Promptly collect data and conduct initial analysis. Because report forms provide data
necessary for asset protection operations, they should be analyzed immediately by a
responsible supervisor. Software in portable data terminals can generate an immediate
report if any abnormal events or conditions require a prompt response. Routine
analysis should determine whether costs can be quantified and totaled.

4. Produce periodic management reports. The real value of cost-effectiveness data
gathering comes in making periodic cumulative reports to senior management. In
these reports, the number, frequency, distribution by type of incident, and location
can be shown, along with the individual and cumulative costs that were avoided. At
the end of any budget year (earlier if needed), all instances of cost avoidance through
security patrol action in housekeeping/maintenance situations can be totaled and
reported in summary form.
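
The four steps above, together with the three light-off questions from Section 5.4.3 and the Figure 5-1 formula, can be carried through in a short script. This is an added example, not material from the book: the record fields hours_until_discovery and cost_per_hour, the function names, and all sample reports are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

REQUIRED_TEXT_FIELDS = ("location", "officer", "incident_type", "department")


@dataclass(frozen=True)
class IncidentReport:
    """One patrol report. Core fields follow step 1; the two estimate
    fields are assumptions added to answer the light-off questions."""
    occurred_at: datetime                          # date and time
    location: str
    officer: str
    incident_type: str                             # "light on", "machine running", ...
    department: str                                # affected/responsible department
    relevant_names: tuple = ()
    hours_until_discovery: Decimal = Decimal("0")  # Item 1 (estimate)
    cost_per_hour: Decimal = Decimal("0")          # Item 2

    def problems(self):
        """Return data-quality problems; an empty list means usable."""
        found = [f for f in REQUIRED_TEXT_FIELDS if not getattr(self, f).strip()]
        if self.hours_until_discovery < 0 or self.cost_per_hour < 0:
            found.append("negative estimate")
        return found

    def cost_avoided(self):
        """Item 3: Item 1 multiplied by Item 2."""
        return self.hours_until_discovery * self.cost_per_hour


def summarize(reports, period_start, period_end):
    """Periodic management report for period_start <= time < period_end."""
    count_by_type = Counter()
    cost_by_type = defaultdict(Decimal)
    cost_by_location = defaultdict(Decimal)
    rejected = []
    for r in reports:
        if not (period_start <= r.occurred_at < period_end):
            continue
        issues = r.problems()
        if issues:
            # Incomplete reports go back to a supervisor instead of
            # silently skewing the distribution by type and location.
            rejected.append((r, issues))
            continue
        count_by_type[r.incident_type] += 1
        cost_by_type[r.incident_type] += r.cost_avoided()
        cost_by_location[r.location] += r.cost_avoided()
    return {
        "incidents": sum(count_by_type.values()),
        "count_by_type": dict(count_by_type),
        "cost_by_type": dict(cost_by_type),
        "cost_by_location": dict(cost_by_location),
        "total_cost_avoided": sum(cost_by_type.values(), Decimal("0")),
        "rejected": rejected,
    }


def roi(avoided_loss, recoveries, cost_of_program):
    """Figure 5-1: (AL + R) / CSP."""
    if cost_of_program <= 0:
        raise ValueError("cost of security program must be positive")
    return (avoided_loss + recoveries) / cost_of_program


# Constructed sample reports (not from the book).
SAMPLE_REPORTS = [
    IncidentReport(datetime(2024, 1, 5, 23, 10), "Warehouse A", "Officer 1",
                   "light on", "Shipping",
                   hours_until_discovery=Decimal("8"), cost_per_hour=Decimal("0.05")),
    IncidentReport(datetime(2024, 1, 19, 2, 40), "Plant 2", "Officer 2",
                   "machine running", "Production",
                   hours_until_discovery=Decimal("6"), cost_per_hour=Decimal("2.50")),
    IncidentReport(datetime(2024, 2, 2, 22, 5), "Warehouse A", "Officer 1",
                   "light on", "Shipping",
                   hours_until_discovery=Decimal("10"), cost_per_hour=Decimal("0.05")),
    IncidentReport(datetime(2024, 2, 9, 1, 15), "", "Officer 2",
                   "door open", "Facilities"),      # location missing: rejected
    IncidentReport(datetime(2024, 4, 3, 23, 0), "Plant 2", "Officer 1",
                   "light on", "Production",
                   hours_until_discovery=Decimal("8"), cost_per_hour=Decimal("0.05")),
]

if __name__ == "__main__":
    q1 = summarize(SAMPLE_REPORTS, datetime(2024, 1, 1), datetime(2024, 4, 1))
    print("Incidents:", q1["incidents"], "| cost avoided:", q1["total_cost_avoided"])
    for kind, cost in sorted(q1["cost_by_type"].items()):
        print(f"  {kind}: {q1['count_by_type'][kind]} reports, {cost} avoided")
    print("Returned for correction:", len(q1["rejected"]))
    # Nuisance fire alarm figures from Section 5.3.1: AL 40,000, R 0, CSP 10,000.
    print("ROI per dollar:", roi(Decimal("40000"), Decimal("0"), Decimal("10000")))
```
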

Gathering numbers is important, but considerable information can also be gathered from
personal interviews. For example, useful information on robbery and shoplifting has been
gathered from one-on-one interviews between researchers and prisoners. Surveys, too, can be
powerful tools for the security manager—for example, on a specific problem like laptop theft.

To validate information, security managers can conduct experiments. One method is to
gather statistics before and after implementation of a security measure to gauge whether it
was effective. Another method is to implement the new security measure in one company
site but not another and compare the results. Finally, direct observation can be used in some
less serious, nuisance-level situations to discover unknown aspects of the problem. Figure 5-3
shows the main methods used in social science research. Security managers can apply
those same methods in the workplace.

RESEARCH METHOD: Fieldwork
STRENGTHS
• Usually generates richer and more in-depth information than other methods.
• Provides flexibility for the researcher to alter strategies and follow up new leads.
LIMITATIONS
• Can only be used to study relatively small groups or communities.
• Findings might apply only to the groups or communities studied; it is not easy to
generalize on the basis of a single field study.

RESEARCH METHOD: Survey
STRENGTHS
• Makes possible the efficient collection of data on large numbers of individuals.
• Allows precise comparisons to be made between the answers of respondents.
LIMITATIONS
• Material gathered may be superficial; important differences between respondents’
viewpoints may be glossed over.
• Responses may be what people profess to believe rather than what they actually believe.

RESEARCH METHOD: Documentary
STRENGTHS
• Can provide in-depth materials and data on large numbers of subjects.
• Is often essential when a study is either wholly historical or has a historical dimension.
LIMITATIONS
• Depends on existing resources, which may be partial.
• Sources, such as official statistics, may be difficult to interpret in terms of how far
they represent real tendencies.

RESEARCH METHOD: Experiments
STRENGTHS
• Influence of specific variables can be controlled by the investigator.
• Experiments usually easier for subsequent researchers to repeat.
LIMITATIONS
• Responses of those studied may be affected by the experimental situation.

Figure 5-3
Main Methods Used in Social Science Research

5.6 DATA ANALYSIS AND DISPLAY

Several software packages are commercially available in the security market, and a security
manager’s company can also write its own software. The key is to ensure that the software
aggregates the data for analysis. Analysis of aggregate data should lead the security manager
to discover trends, successes, failures, costs, losses, savings, recoveries, what works, and
what does not work, along with a host of other information.

Display of the aggregate data is just as important as the data itself. A security manager should
show information, such as the number of thefts per year, in a pie, bar, line, cone, scatter, or
other chart. One can also choose to display all thefts, both successful and unsuccessful, side
by side. People interpret information differently, so there is no one correct choice. Some
security managers may decide that information displayed in raw numbers will meet their
needs. However, there is truth in the saying that a picture is worth a thousand words.
Certainly, when presenting information to decision makers with limited time, graphical
display makes it easier to convey a security manager’s key points quickly.

The following are useful categories of security data analysis.

5.6.1 CLAIMS AVOIDED

Monetary claims against an employer include workers’ compensation, disability, accident,
and health issues. Many such claims are fraudulent or exaggerated. For example, a worker
might claim he was injured on the job and left unable to perform physical work. Medical
evaluation may not refute the claim. However, an investigation by the asset protection
department, complete with photographs and other evidence, may establish that the claimant
is regularly engaging in activities that would not be possible if the claim were legitimate. As a
result of the investigation, the claim may be disallowed and payments stopped. This is a
measurable cost avoidance provided by security, and its value should be calculated and
entered into the cost avoidance database for later reporting. The cost avoidance for denied
claims is often extended over a long period.

5.6.2 PROOFS OF LOSS

Insurance companies typically require proof of loss before making payments. In cases of
casualty coverage—particularly dishonesty or fidelity coverage—apparent losses may be
disputed by the carrier. For example, staff at a major electronics facility might find that a large
supply of components is missing from a storage container, which appears to have been
damaged by the thief as he or she tried to gain entry. It is not clear whether the thief was an
employee or a stranger. The distinction is important because the facility’s theft insurance for
losses caused by outsiders has a much larger deductible than its insurance for insider theft
(fidelity coverage).

A security investigation might uncover evidence to persuade the carrier of two points:

• An outsider could not have gained access to the location of the theft during the period
when the theft occurred because of access controls then in effect.

• The missing materials were not simply purchased components but had been worked
on by the enterprise. The components therefore had a labor cost element in addition to
a purchase cost element at the time of the theft.

If the claim had been made under the external theft coverage, it would have been less than
the deductible. But, thanks to the asset protection investigation, the fidelity claim is allowed.
Therefore, the net amount of the claim can be added to the security database for later
reporting.

5.6.3 RECOVERED PHYSICAL ASSETS

The value of a physical asset can be calculated as the purchase price or acquisition cost, the
depreciated book value (acquisition cost less accumulated depreciation), or replacement
cost. If the asset is lost and security action leads to its recovery, then at least one and perhaps
two financial benefits will accrue to the enterprise. First, the net value of the asset will be
recovered—a security recovery expense reduction item. Second, if the lost asset would need
to have been replaced if not recovered, the cost of the replacement is avoided. Both cost
avoidances should be identified and stored in the database.

5.6.4 UNINSURED CLAIMS OR CAUSES OF ACTION

A security investigation often results in a formal statement by an individual confessing
responsibility or in some other way admitting financial obligation. Examples include
confessions by forgers of company checks and admissions by vendors that they delivered less
material than claimed.

Even more important are inculpatory statements by trade secret thieves. Such statements
may lead to actionable claims by the enterprise for financial recovery other than an
insurance claim. The net cash value of such claims should be assessed and the items
identified and added to the database. They, too, are asset increases or expense reductions
that would not exist without the asset protection effort. For litigation and future claims, the
amount may be postponed until collection.

5.6.5 OTHER ACTIONS

A review of other revenue losses within the enterprise may suggest security action that can
recover the revenue. For example, checks returned from the bank as nonnegotiable are
normally handled by the finance department. The sender of the check is notified that the
check is nonnegotiable and is advised to remit the funds within 10 days. If the payment is not
received, the account is referred to a collection agency, which charges a fee of 30 percent to
50 percent of the funds recovered.

If the matter were referred to security rather than to a collection agency, the funds might be
recovered more cost-effectively. Payment with a nonnegotiable check and failure to make
the check good is a criminal offense in most places. Security will normally be familiar with
the process of filing criminal complaints. Because there is no charge to file a criminal
complaint, the expense to the enterprise will be that of maintaining the records and the time of
the representative who files the case and attends the hearing. A copy of the letter requesting
payment, proof of receipt of the letter (postal receipt card), and the check will generally
provide a prima facie case. The court can then issue a restitution order. If the face value of
the check is $1,000, the collection agency fee would be $300 to $500. If the matter requires
three hours of a security representative’s time at a rate of $40 per hour, the cost of recovery
would be only $120.

This process should be periodically examined for cost-effectiveness. Nonnegotiable checks
with a face value of perhaps $500 or less would then be excluded from security action.


5.7 SYSTEMATIC INCIDENT REPORTING

An incident reporting system is needed so that all employees can report incidents and
security can track and analyze them.

A formal incident reporting system is essential if the full cost-effectiveness of asset protection
operations is to be achieved. An incident reporting system does two things that could not
otherwise be done:

• provides a history of events occurring to the organization
• provides a basis for professional efforts at asset recapture, recovery, or incident
reduction or termination

The company can decide which incidents are important enough to be reported. Shopping
malls, financial organizations, oil companies, commercial high-rise buildings, and
warehouses all have unique incident reporting requirements. Over time, security
departments may find that the types of incidents being reported become standard and
change infrequently. However, changes in legislation on health, safety, or privacy could
change the types of incidents that a company wants to track.

Once the company has established guidelines regarding which types of incidents must be
written up, all such incidents should be reported to a central point. It is also essential that the
right details be captured. It is better to know when and where certain items—such as hand
tools, small meters, fractional horsepower motors, flashlights, etc.—are disappearing from
than merely to know the gross value of the lost items. With the right information, the security
department is in a much better position to act to reduce losses.

For incident reporting to function, a statement of enterprise policy is needed. The policy
should do the following:

• Establish the program.
• Identify the kinds of incidents to be reported.
• Assign reporting responsibility to the persons accountable for the various types of
incidents. For example, building engineering would be responsible for health and safety
incidents.
• Prescribe the report format.
• Set a time within which reports are to be submitted.
• Identify to whom they should be submitted.
• Indicate the consequences of failure to make timely reports.


Appendix A presents a model incident reporting form. The form requests the time and
circumstances of the incident, the assets involved, and their value. Information on
circumstances will go into incident profile and modus operandi files and will help in the
development of countermeasures or recovery efforts. The asset description and valuation
will go into the security vulnerability and cost-effectiveness files. The total number of reported
incidents may be used to establish, in part, the criticality of company exposure. The frequency
of incidents will help determine probability. These factors, in turn, are incorporated into the
overall estimate of event probability and criticality on which the asset protection program is
based.

It is efficient to create a blank electronic form so that employees can complete the form
electronically and transmit it to the asset protection organization. It may also be convenient
for employees to report incidents by telephone to asset protection clerical personnel for
entry directly into the incident reporting system.

Many asset protection organizations have automated their incident reporting systems by
providing a report form (in the form of a Web page) on the company network. Employees
can conveniently and securely key in the incident information and immediately route the
form to the security department. This process is easier than a manual system that requires
mailing and copying each report. These approaches encourage employees to make reports.

Appendix B includes a sample policy statement on incident reporting.

5.7.1 CREATING AN INCIDENT DATABASE

Security incident reporting provides a database from which to extract information on
multiple aspects of an asset loss incident. A well-developed database can be useful to all
company departments, not just security. For example, because theft can be attributed partly
to employee dissatisfaction, if the database shows that many employees at one location are
engaging in theft, there may be a larger management issue. If the database shows that a
particular operation is suffering from fraud, it may be that internal controls are inadequate.

In many organizations, incidents are reported not to a central location but to a variety of
departments, making tracking more difficult. The most common situation is to ignore the
incident or expense the actual or suspected losses within the department that incurred the
loss. That approach may conceal losses and, over time, may encourage the inclusion of
incidents or losses—many of which are preventable—in production or operating standards.
Also, if incidents are not reported to a central database, they may be seen as a series of
unique events when in reality they may be linked in some way and may be leading up to a
major loss event (Toft & Reynolds, 1999).


If a manufacturing operation budgets a percentage allowance for the unaccounted difference
between actual finished goods and what should have been made from the material and labor
charged, that allowance becomes a floor. Losses or unaccounted shortages amounting to less
than the budget allowance will not be investigated and could well be caused by theft of
product or raw materials.

If manufacturing output amounts to $10 million per year, a 0.3 percent allowance for
shrinkage, variance, or some other write-off account amounts to a loss of $30,000. If the
business has a 15 percent profit margin, $200,000 in new sales would be needed to generate
the amount written off. For larger companies, the losses and necessary new sales are
commensurately greater. For example, 0.3 percent loss from a $100 million manufacturing
output would be $300,000.

Although those losses may not ruin the enterprise, preventing them would certainly improve
performance. An annual write-off of $300,000 would support the following:

• security director with a salary of $75,000 plus 30 percent for benefits (totaling $97,500)
• two investigators at $45,000 per year plus benefits (totaling $117,000)
• two clerical personnel for the security group at an estimated total cost of $50,000 per
year

It is axiomatic in asset protection that a competent corporate security staff pays for itself
many times over. Proper attention to the reduction of shrinkage or variance losses not only
provides integrity to the organization but also permits reallocation of resources to intensified
asset protection efforts.

5.7.2 FUNCTIONS OF AN INCIDENT REPORT

The purpose of an incident report is to provide the security manager with data on which to
base security decisions. The incident report should do the following:

• Provide a quick notification of an actual, suspected, or potential event.
• Allow staff to create comprehensive reports easily.
• Be standardized.
• Generate suitable information for building an incident profile/modus operandi file.
• Enable staff to tally incidents.
• Help establish accountability for incidents or indicate that no accountability control
exists.
• Provide information for reassessing operating budgets.
• Help executive management compel operating management to assume responsibility
for incidents and prompt reporting.
• Provide a basis for insurance claims or changes to self-insurance reserves.


5.7.3 BENEFITS OF INCIDENT REPORTING

In raw form, the information in incident reports has limited value. Once the information is
processed, however, the security manager can use it to do the following:

• Identify items targeted for theft—through high loss frequency.
• Determine which countermeasures were effective or ineffective—by observing which
countermeasure was or was not in use when incidents occurred.
• Classify events along the continuum from high probability/low criticality to low
probability/high criticality.
• Provide an overview of where security personnel are spending their time.
• Plot event trends—by amounts, frequencies, types of assets, day/time of loss, prime
incident locations, people involved, causes of occurrences, etc.
• Facilitate protection or recovery of assets and apprehension of thieves.

5.7.4 POLICY ON SUBMISSION OF INCIDENT REPORTS

The following practices are recommended when submitting loss reports:
• All employees must notify their immediate supervisors of any incidents or known or
suspected asset losses. This might be done informally or formally. All employees
should be made aware of their personal responsibility for such notification.
• First-line supervisors should be responsible for completing reports for losses within
their areas of responsibility. Supervisors then provide the reports to security personnel.
• The security manager is responsible for reviewing the report. Corrections or
modifications, if any are required, can then be made.

Reports should be distributed to the following locations:
• asset protection or security department—all reports
• insurance department—reports of losses that are, or may be, insured or chargeable to
self-insurance reserves
• property accounting—reports involving depreciable or amortized assets or items for
which property accountability is maintained
• legal department—for reports involving slips and falls and other legally sensitive issues
• auditing department—all reports (to determine whether the loss is related to
noncompliance with existing procedures or lack of procedures)
• originator’s files—all reports filed by that originator (but the originator is not required
to archive the reports)


5.7.5 INCIDENT DATABASE

The security department should maintain the incident report database. Each report should
be converted to a computer file and the permanent database maintained in that format.

The database should be designed to sort and retrieve data based on the following data fields:
• individual asset lost, or asset class, ranked by loss frequency
• value of the lost assets (to show distributions of asset values)
• time and date of the incident (actual or estimated)
• location of the incident, such as the city, facility or floor (to identify vulnerable
locations)
• person or department that reported the incident
• person or department in which the incident occurred
• countermeasures involved in the incident
• circumstances of the incident [6]
• character of the incident (for example, actual, near miss, commercially insured,
uninsured, or self-insured)—this item may have to be added after the initial submission of
the report, as the character may not be known at that point

Information should also be searchable by various if/then parameters, such as whether an
asset was recovered, criminal prosecution was initiated, or any other action was taken
against the persons responsible.

5.7.6 MANAGEMENT REPORTING FROM THE DATABASE

As the incident database grows, so will management interest. The following are different
types of reports that security managers should distribute periodically to upper management.

General Management Distribution Report

This report is computer-generated and has incident information for the covered period
arranged in the following order:

1. ranked frequency by asset or class of asset
2. ranked frequency by date and time
3. ranked values by assets involved
4. ranked values by location of incident
5. total value of losses for the report period

[6] Extra analysis may be required to determine modus operandi or other event characteristics. Examples of significant modus
operandi information would be a particular technique for defeating locks or the presence of unusual materials at the scene of
the incident. The security department should develop that information even if another department manages the files.


This type of report could be widely circulated to all members of senior management. It
would give them a current picture of the extent and type of actual or probable theft losses.

Corrective Action Report

This report is arranged as follows:
• by organizational unit responsible for the incidents
• by total loss value charged to that unit during the report period

This report would immediately alert units with unacceptable incident records to the need for
corrective management action.

Loss Status Report

This report is distributed to senior management on a less frequent basis and depicts the
following:

• total amount of losses incurred
• of total losses, the amounts
    — reflected in actual asset recoveries
    — of indemnity by way of insurance
    — chargeable to self-insurance reserves
    — chargeable to current operations as expenses to offset asset value reductions

If profit center managers do not recognize the benefit of submitting incident and loss
reports, they may fail to report such incidents. On the other hand, if losses are tracked to a
central reserve account instead of each manager’s account, they may be more likely to report
incidents and losses. It is better to identify and classify losses and to take any curative or
preventive action than to bury losses in a myriad of accounting ledgers.
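
The data fields of 5.7.5 and the reports of 5.7.6 can be tried out on a small in-memory SQLite table queried from Python; this is an added example, not part of the source text. Column names, the sample rows, and the rule that any net loss not marked insured or self-insured is charged to current operations are assumptions.

```python
import sqlite3

# Column names are assumptions; each maps to a data field listed in 5.7.5.
SCHEMA = """CREATE TABLE incident (
    id INTEGER PRIMARY KEY,
    asset_class TEXT NOT NULL,
    loss_value INTEGER NOT NULL CHECK (loss_value >= 0),  -- whole dollars
    occurred_at TEXT NOT NULL,  -- ISO 8601, actual or estimated
    location TEXT NOT NULL, reported_by TEXT NOT NULL, responsible_unit TEXT NOT NULL,
    countermeasures TEXT, circumstances TEXT,
    -- character may be unknown when the report is first filed, so NULL is allowed
    character TEXT CHECK (character IN ('actual', 'near miss',
        'commercially insured', 'uninsured', 'self-insured')),
    recovered_value INTEGER NOT NULL DEFAULT 0,
    prosecuted INTEGER NOT NULL DEFAULT 0)"""

# Constructed sample incidents (not data from the source text).
SAMPLE = [
    ("hand tools", 400, "2024-03-04T22:10", "warehouse", "shipping", "shipping", "none", "open bench", "uninsured", 0, 0),
    ("hand tools", 250, "2024-03-11T22:40", "warehouse", "shipping", "shipping", "none", "open bench", "uninsured", 0, 0),
    ("test meters", 3000, "2024-03-12T02:15", "lab", "engineering", "engineering", "locked cabinet", "lock defeated", "commercially insured", 0, 1),
    ("laptops", 1800, "2024-03-18T13:05", "office", "finance", "finance", "cable lock", "cable cut", "self-insured", 1800, 1),
    ("hand tools", 0, "2024-03-20T22:30", "warehouse", "security", "shipping", "patrol", "removal interrupted", "near miss", 0, 0),
    ("test meters", 1500, "2024-03-25T02:50", "lab", "engineering", "engineering", "locked cabinet", "lock defeated", None, 0, 0),
]

def build_db(rows=SAMPLE):
    """Create the incident table in memory and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO incident VALUES (NULL,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn

# Allow-list of grouping expressions: SQL identifiers cannot be bound as parameters.
GROUPS = {"asset": "asset_class", "location": "location",
          "unit": "responsible_unit", "hour": "strftime('%H', occurred_at)"}

def ranked(conn, group, by_value=False):
    """Rows of (group, count) or (group, total loss value), highest first."""
    expr = GROUPS[group]  # KeyError for anything outside the allow-list
    measure = "SUM(loss_value)" if by_value else "COUNT(*)"
    return conn.execute(f"SELECT {expr} AS g, {measure} AS m FROM incident "
                        "GROUP BY g ORDER BY m DESC, g").fetchall()

def loss_status(conn):
    """Loss status report: total losses split by how they are absorbed."""
    net = "loss_value - recovered_value"
    total, recovered, insured, reserves = conn.execute(
        f"SELECT TOTAL(loss_value), TOTAL(recovered_value),"
        f" TOTAL(CASE character WHEN 'commercially insured' THEN {net} END),"
        f" TOTAL(CASE character WHEN 'self-insured' THEN {net} END) FROM incident").fetchone()
    return {"total": total, "recovered": recovered, "insurance": insured,
            "self_insurance": reserves, "expensed": total - recovered - insured - reserves}

def search(conn, recovered=None, prosecuted=None):
    """If/then retrieval on outcome; None means the field is not filtered on."""
    clauses, params = [], []
    if recovered is not None:
        clauses.append("recovered_value > 0" if recovered else "recovered_value = 0")
    if prosecuted is not None:
        clauses.append("prosecuted = ?")
        params.append(int(prosecuted))
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    return [r[0] for r in conn.execute(f"SELECT id FROM incident{where} ORDER BY id", params)]
```

Here `ranked(conn, "unit", by_value=True)` gives the corrective action report ordering, and `ranked(conn, "hour")` shows the constructed tool losses clustering in the 22:00 hour, the kind of pattern a gross loss total would hide.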


5.8 PREDICTIVE MODELING BY THE SECURITY ORGANIZATION

The ultimate value of incident reporting lies in the opportunities it creates for avoiding
future incidents, events, and losses through planning, employee awareness training and
security enhancements. Therefore, the following categories of incidents should be tracked:

• most vulnerable assets, such as those susceptible to high-frequency losses
• time of loss occurrence
• locations in which losses occur, especially high-frequency loss locations
• countermeasures that were useful or ineffective
• losses representing the highest costs
• types of incidents
• slips, falls, and other incidents that expose the organization to lawsuits
• health and safety violations resulting in lost time, reduced productivity, and increased
workers’ compensation fees
• any incident type that costs the organization time, effort, or money

This information will enable the asset protection organization to allocate protective
resources cost-effectively. By tracking and analyzing incidents, the security manager can
gain insights into countermeasures that may prevent future losses. For example, if incident
reports show consistent losses of small, high-value items from a warehouse but no
significant losses from other warehouse stocks, special precautions limited to the target
items may suffice. The precautions might be as simple as installing a chain-link cage with a
reliable lock and interior space alarms. Other typical warehouse security measures—such as
intrusion alarms on doors and windows, security officer patrols, and closed-circuit television
surveillance—could then be dispensed with on the basis of incident report data.

The selection of countermeasures also depends on the return on investment. Each
countermeasure can be weighed against its likelihood of preventing losses, cost of implementation,
potential recoveries made, and value of avoided losses.


5.9 PROTECTION PLANNING WITHOUT AN INCIDENT DATABASE

Organizations without incident databases can gain some of the benefits of a database by
developing an asset protection plan as follows:

• Form an asset protection committee. A group very familiar with the company’s
products, materials, tools, and resources should be formed. It is important for senior
management to set the organizational climate for security and loss prevention by
requiring this to be a formal process that includes inspections. Typically, members
would be senior managers or other experienced representatives from the following
departments:

    — manufacturing
    — engineering
    — quality control
    — security
    — others—such as insurance, accounting, or marketing—depending on the nature
      of the business

The committee may be managed by the business ethics or internal control department.
The committee evaluates losses from a number of perspectives.

• Determine the criteria for events and incidents. The committee should research the
cost of events and incidents as well as the effect of non-monetary losses, such as
damage to reputation.

• Identify vulnerable items. The asset protection committee should consider all the
items the organization handles and the activities it engages in. The committee should
then determine the potential risks to those items and activities.

• Develop a system for item tracking. Once the target items have been identified, a flow
chart should be prepared depicting the exact movement of each asset through the
organization. In manufacturing companies, for example, items may travel through
purchasing, incoming inspection, raw materials inventory, assembly, and distribution.

• Assess vulnerability. When the assets are identified and the flow or process is clear, the
asset protection manager can assess the vulnerability of each asset at each stage of the
process.

• Select countermeasures. Based on the vulnerability assessment, the asset protection
manager can select the appropriate countermeasures for each area of exposure.

• Cost-benefit model. Finally, the selected countermeasures can be justified in a
cost-benefit model using the costs of the target assets, the level of loss probability, and the
expected amount of risk reduction.
