Developing A Loss Prevention / Security Culture In Your Organisation

shutterstock_141454240The security / loss prevention department in an organisation is one of the few departments that regularly has its value measured by what does not happen rather than what does. Due to this fact, coupled with the ever ongoing problem security professionals face, of tangibly showing senior management a clear return on investment in funding the department, security / loss prevention departments can quite often be resourced to the bare minimum with a small handful of people.

So with only having access to minimum resources, how can an organisation ensure their loss prevention strategy is truly effective?

My initial response to this would be that most companies maintain that every staff member is involved in the sales process in one way or another – whether it is the sales executives in the field, the account management staff back at the office or the receptionist answering the incoming calls. It needs to be the same with the security / loss prevention culture.

Each and every staff member in a company needs to play their part in the loss prevention program. The easiest way to ensure this occurs is to intertwine a security / loss prevention focus at all stages of their employment. Security-based questions and focus need to be part of an initial interview process and then continue on through induction, orientation, and ongoing training and development to prop up the learning curve. By continuing this focus, it sets the stage for all staff focussing on reducing losses through prevention strategies.

To ensure this occurs, there needs to be solid support from senior management. This would ideally be supported by devising specific metrics to show how the security / loss prevention department is contributing to the company profits through reducing (or eliminating) preventable losses.

Another key aspect of maintaining effective loss prevention strategies is ensuring there is not a silo approach in the organisation. For example, management, administration and the HR department should all work hand in glove with the loss prevention department. This helps ensure there is not a duplication of duties and it also helps to reiterate the needed organisation-wide loss prevention focus. Standard tasks of the security department may normally include items such as company property monitoring, access control, key storage and issuance, and specific elements of business continuity planning. However, to help support the needed culture, companies should be involving the security / loss prevention department in duties such as: recruitment background vetting, supplier due diligence reviews, developing the security modules of the company induction program and orientation programs, and then physically conducting the training with staff for it.

Having the initial focus and all of our ducks in a line with the recruitment, induction and ongoing training programs for staff is a great start. However, to manage the ongoing identification of organisational vulnerabilities and to ensure that appropriate treatments are underpinned with operational effectiveness, you need the use of cross functional or multi-departmental teams. Any changes in systems need to be tested for their impact on company operations which can then be weighed against the benefit of implementation. Each individual department in an organisation is aware of its own specific risks and idiosyncrasies, and to ensure all of this knowledge is captured and utilised effectively in the planning processes, regular scheduled loss prevention focussed meetings should occur. Having key representatives from each department in an organisation attend and contribute will not only ensure all necessary information is captured, it will also assist in driving the follow up communication with their individual department staff, thus helping reiterate the loss prevention focus we are seeking.

From the involvement of various departments in the security / loss prevention meetings, greater information sharing between departments occurs and this may also provide different perspectives on individual department issues. Having the IT department assist with providing solutions on controlling the information sharing of specific stock levels held or product delivery routes would be one example of this and another clear example would be the security department working with the procurement and legal departments to draft external supplier vetting procedures and standards and ongoing codes of conduct underpinned with key security requirements.

The data produced through the collation of these ‘team built’ solutions can be used to update (or commence) an organisation security awareness program that should be applied across all divisions of an organisation. This program can also be replicated to all business partners to build awareness of the proper protocols with anyone working with or for the organisation and it sends a very strong message reinforcing the organisation’s loss prevention focus and helps enforce a consistent approach.

The training should be clearly documented and heavily supported by procedural programs where each department can be audited against the agreed standards that focus on prevention strategies. These are ‘living’ documents that should be revisited regularly after the loss prevention team meetings and updated accordingly as new issues and information come to light.

Besides the multi-department representation at the security loss prevention meetings, it can also be extremely beneficial to use external specialist resources for specific individual tasks. One of the reasons this may be effective is due to what is sometimes called ‘store blindness’. Day-to-day vulnerabilities in an organisation can be overlooked or not recognised due to them being previously accepted or overlooked for so long.

I have been personally involved in two examples of such accepted or overlooked vulnerabilities. With the first one, I was conducting a gap analysis on a company that was suffering unexplained theft of some of their products. Upon attending the site, within approximately 10 minutes of conducting an external walk around, I asked the designated company contact how long the large hole had been there for in the chain wire fence separating the loading dock area and staff car park. His response was “as long as I can remember”. I am relatively confident you can draw the logical conclusion for yourself.

The second example was for a multinational corporate who had a control room onsite. I simply used their company website to obtain a senior manager’s name onsite (We will call him “XYZ”) and arrived just before 9:00am. I made sure I was dressed in a nice suit and was carrying a nice shiny brief case. Upon arriving onsite, I noticed that a back door was slightly ajar with a brick inside it and an ashtray next to it. From this, I deduced that this was where the staff exited for a quick smoke break so I walked directly towards that door. After waiting two minutes, a staff member emerged and I said “I am here to see XYZ for an urgent meeting and I am just running a bit late”. As I was not dressed like a standard criminal, had a nice shiny briefcase and used the name of a senior management member, the response was “yeah just go through here, do you know where you are going mate”. This same response happened while I walked around the first three levels of the building, leaving my business card in multiple locations. You would be amazed at some of the areas I was able to gain access to. After approximately 40 minutes, I walked to reception and asked for the designated representative I was supposed to meet with and explained that approximately 30 of my business cards would be turning up throughout the company building so I would suggest following up with the team as to where they find them as that is where I was able to gain access to.

In summary, as has been stated countless times before, security and loss prevention is about protecting all of a company’s assets (People, Property, Information and Reputation) and it is my opinion that the development of a proactive and unified security / loss prevention culture throughout an organisation supported by regular communication, structured ongoing training and multi-department represented improvement meetings will provide any organisation its best chance at minimising or eliminating preventable losses.

Scott Taylor
Scott Taylor CPP is Managing Director of Praesidium Group and CEO of International Security Training Academy. He has over 24 years experience in the security services industry. It would be hard to find a better credentialed security specialist in Australia. Scott is a frequent media commentator and also Expert Witness when security related issues surface in the public arena. For more information, please contact him on 0416 167 761.