A survey by LPM/SDR finds that 29.4 percent of US retailers use a general security committee—comprised of representatives from several departments or functional areas—to occasionally meet and discuss operational security issues, challenges, and solutions. The use of security committees is somewhat more common in other industries, 38.8 percent, according to the nationwide survey of security executives.
Security committees can be useful to loss prevention departments by formalizing the role that staff plays in preventing theft and promoting security. The strategy may also broaden responsibility for asset protection and integrate it into everyday store operations. In this way, retailers can use security committees to strengthen its security culture.
If You Have a Security Committee
For retailers with security committees, research studies have identified common problems and best practices for addressing them. One central advice to corporate teams is to give security committees and store managers the tools they need to be effective.
It’s often the case that corporate teams will conduct security audits and make recommendations for local personnel to follow. For such an approach to work, however, research suggests that site personnel need the structure and authority to carry out recommendations. In some cases, research has found that security committees operate without guidelines, policies, or procedures outlining how they should operate, make decisions, or establish accountability.
It is especially important to develop clear agreement on who is the final arbiter or accountable for final decisions regarding the implementation of security recommendations; for the level of security knowledge of security committees to be commensurate with their level of responsibility; and for local personnel to understand the rationale for corporate LP decisions that they are expected to carry out.
Research also indicates best practices in the areas of:
Roles and responsibilities. Require each location to specifically identify who is responsible–be it a store manager, LP officers, safety committee, or others—for which aspects of the retail security plan.
Information gathering and reporting. Specify, for each site security committee or manager, the specific aspects of security they should track and report on to the corporate asset protection team. Conversely, corporate LP teams should review the data and information it currently shares with individual locations and identify whether there is additional information available to help site security committees or local personnel to better carry out their security responsibilities.
Improvement activities. Security committees are generally responsible for carrying out corporate security recommendations and policy, but they should also be asked to identify ideas for improving security to the corporate asset protection team. This helps encourage store personnel to think proactively about security.
If You Don’t Have a Security Committee
Security committees can help promote a security culture—but it’s not the only way. A recent book on security culture makes the point that even when organizations are proactive about physical and IT security, they are typically not proactive in relation to how people behave.
Security culture captures the values, attitudes, and behaviors that impact the security of an organization—whether the security of assets, information, or people. Security culture is also what makes or breaks a security operation, according to author Hilary Walton, an organizational psychologist, Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organization.
“It is not enough that organizations have good physical and IT security procedures in place to maintain the integrity of the system,” according to Walton. “If the people in the organization don’t think about security as they go about their work—and don’t consider how they can protect the organization’s information, people, and assets—then technical controls will not be enough.”
There are countless examples of how poor security behavior can subvert technical controls, such as failing to lock valuable storage areas, sharing passwords, not challenging people who aren’t wearing security IDs, and being careless with sensitive materials. Because of the risk, organizations need to be proactive about the security culture to help security messages stick, get people to comply with policies and procedures, reduce security complacency, and change employee attitudes toward security.
Fording a more robust security culture “is about motivating employees to respect common values and standards regarding security,” said Walton.
Develop ‘people risk’ measures. Organizations can’t think of security measures solely in terms of thwarting the intentions of adversaries. People risk measures are needed to manage the risk of employees or contractors making mistakes or exploiting their legitimate access to premises, information, and personnel for unauthorized purposes.
“Although many organizations regard people risk as an issue resolved during the recruitment process, it is a discipline that needs to be maintained throughout the employment cycle through appraisals, communication programs, incentive schemes, and even management attitudes and relationships,” advised Walton. “When consistently applied, people risk measures not only reduce operational vulnerabilities, they can also help to build a hugely beneficial security culture at every level of an organization.”
Coordinate training to spread security ownership. Low ownership of security issues among employees is a common problem. To address it, partner with the human resources, IT, and corporate training departments to incorporate security responsibility into functional training programs, says Walton. It’s also important to establish security’s importance from day one, say experts, by including LP training in the employee orientation process—and explaining to new employees that security is part of your company’s DNA.
Frame security messages strategically. Employees need to think that following LP procedures in their best interest, and listing do’s and don’ts rarely motivates or has a lasting impact. Instead: Devise awareness strategies that drive home for employees the link between LP policies and procedures, the company’s performance, and their jobs.
Walton says managers are critical allies in shaping a positive security culture. “Managers should be encouraged to talk to staff about security,” she says. “Ideally, managers should participate in security conversations and updates, or even introduce security training sessions more often. This shows they visibly support the security functions.” Having managers visibly carry the LP banner is a powerful way to influence employees and inspire a shared vision of security, she suggests.