During interviews for a feature article in an upcoming issue of LP Magazine, asset protection executives and retail security consultants identified the security survey as a central and valuable tool in protecting retail stores after-hours. Alongside operational oversight and investigations, they said periodic audits play a key role in assessing store compliance with security standards and in identifying vulnerabilities.
A former director of LP for a major department store chain explained their approach to compliance. Each store had a security manager who had to verify every report, and there was a report on just about everything that the store did.
Each one would then go to the regional security office, which would read the reports and okay them, as would the divisional office.
“Most anything a store security department did required a report and then went up the chain so it got two or three reviews in terms of whether it reflected adherence to the law and company policy,” he said. “Anytime there was a report or complaint of something not being done properly, we would do an investigation, sometimes openly, sometimes undercover.” Oversight and investigations, then, were two important points on the compliance triangle. Audits and surveys were the third.
There are many types of security surveys, of course. They range from those narrowly focused on a specific issue or threat, such as a physical security review against the threat of an active shooter, to investigative surveys conducted after a significant incident, to data collection for a full-blown vulnerability assessment and auditing of security operations. Big or small, however, these reviews—while critical—can be resource intensive. So it’s worth asking: Could you spend less to do a security survey—and then get more from it?
There are obvious ways to reduce the cost of security audits—piggybacking on other store audits, for example. But how else might retailers receive better value from store security reviews? And how can a retailer be sure that audits are driving improvements and not merely rubber-stamping compliance with internal standards, which is then used to justify a demand to provide more from fewer resources?
Below are ideas suggested by LP executives, retail security consultants, and other security experts.
Prioritize. The Department of Homeland Security uses about 75 protective security advisors to conduct security surveys and vulnerability assessments of the nation’s critical infrastructure and key resources (CIKR). It’s a substantial force but not enough to easily keep pace with the need for assessments, so the DHS uses a prioritization program to categorize CIKR at levels based on the consequence to the nation of an attack on the asset. For time-crunched LP departments, the program provides a good model, according to one consultant. Retailers might benefit from using a tiered approach to conducting security surveys so that the most significant business assets undergo more frequent and/or more exhaustive security audits.
Normalize. Make sure data is always collected in the same manner for easier and more meaningful analysis. The ability to search and analyze security survey data depends on the consistency of terms and data fields used during data collection.
Measure. Make sure your security survey program is subject to project management best practices. Security audits provide more value when they follow a structured approach and the process is subject to continuous review, say experts. A road map can help direct how the program will be managed, including timelines with milestone dates and goals and metrics to measure progress.
Whatever goals are driving store security surveys, they should be written, realistic, and measurable. The use of performance measures, including establishing goals and objectives with specific outcomes or performance targets, is a critical step. Regarding outcomes, it’s also important to measure more than, say, “percentage of problems addressed” or “recommendations implemented” at stores. Corporate LP teams should also measure the extent to which implemented changes have enhanced asset protection and resilience over time.
Deliver. Responsibility for heeding lessons from store audits may rest on the shoulders of local managers, but corporate asset protection teams can boost cooperation by providing, in a timely manner, the deliverables that surveys identify as theirs, such as when corporate identifies the need to add bollards to protect storefronts from a vehicle attack. In a similar way, corporate teams may need to take responsibility for certain problems identified in assessments. For example, if a certain piece of security technology is not being used, or is being used improperly, the fault may not be at the store level. It might indicate that training on the system or device was insufficient at the time of installation.
Acknowledge. Companies can fall into the trap of using companywide compliance reviews to obscure uncomfortable truths, something that can afflict retail security departments as well. LP leaders need to examine the extent to which their internal compliance procedures permit those who report to the corporate team to provide solely the information they know is being sought.
It’s the natural tendency of people to provide answers that a questioner wants, and “yes and no” auditing allows it to happen, warned one expert. For example, a security review of a store’s violence prevention effort might ask: “Have store associates been reminded of workplace violence response protocols during the last 12 months? Yes or No?”
Such cursory auditing is just a way to be told what you want to hear, the consultant suggested. Instead, a security survey should examine activities by asking open and directed questions. For example: “When was the workplace violence plan last discussed with store staff? What store staff was involved? Who led the discussion? What aspects were discussed?”
Only store auditing that is truly designed and committed to finding security flaws can result in positive change.