Created by George Campbell, Security Executive Council Emeritus Faculty member.
Risks become avoidable when we put effective safeguards in place to counter them. They become inevitable when we fail to do our jobs — that is, when we disable or fail to enable essential security measures. Let’s look at a large retail chain as one example.
This retail chain has for several years been aggressively acquiring smaller regional competitors while shedding internal business units in favor of outsourced service vendors and suppliers. Every effort is being taken to cut costs and increase profitability to position the company for acquisition.
Over the past 24 months, the company has been experiencing increasingly serious inventory losses across its distribution facilities, as well as a notable increase in internal fraud and misconduct. The security program is assigned to the Facilities Manager, who has outsourced what he sees as security to multiple guard vendors assigned to local cost centers.
At the Board’s urging, the CEO has tasked the Chief Risk Officer to probe and identify the factors contributing to these loss trends. An outside firm is used to conduct a risk assessment, and they conduct an employee survey that asks about perceptions of security policy and practices.
This survey obtains responses from more than 2,200 employees at all levels across the company’s North American operations. A few key results are seen in the chart above, but what is behind these numbers is compelling.
First, it is not surprising that those respondents with less than a year’s tenure have the highest levels of confidence and lowest perception of problems. After all, that HR and Loss Prevention pitch on how seriously the company takes its security procedures and the consequence of wrongdoing is still fresh in their minds. But look what happens as the veterans influence behavior and learning sets in. Cost cutting, performance pressure and rule bending combine to create an environment that tacitly encourages employees to look the other way while looking out for Number One.
Take the question on employee commitment to share responsibility for asset protection. In a more controlled setting, this is a question that typically focuses on security awareness and related ownership. But in this environment, it is merely a reflection of the way the company behaves. Why should employees share in a process that they clearly see management failing to articulate and acknowledge as an expectation? The trend line sums it up beautifully: “The longer I’ve worked here, the more clearly I see that our bosses could care less, so I’ll be darned if I’m going to do my part!”
Actually, the problem runs much deeper than that. It is so clear that management is disengaged and the controls are so turned off that, given the motive, the opportunity to “take what I want” is almost advertised on the break room walls. Not only is management not seen as welcoming suggestions for improved security, management is viewed as not even caring if anything is secure! Thus, there is no surprise at the fairly quick failure of confidence in security controls and practices. What few security procedures they do have are virtually meaningless.
Ethics and expectations are not visible on management’s slate of commitments. The few indicators we see here are likely just the first level of darker issues bubbling in the offices along mahogany row.