The authors had the privilege of working for a relatively small “blue ocean” beverage company called Starbucks Coffee in the nineties. A key strategic question often posed by then CEO and Chairman of the Board Howard Schultz was, “How do you get big but stay small?” Starbucks then was the darling of retail having compounded consecutive incremental annual sales and revenue growth that proved generational. In 2017 the company reported that original investors have seen 18,000 percent in shareholder returns from the first public offering of 25 years ago.
Schultz often demurred that he was “no big brain” when others credited him solely for Starbucks’ successes. Instead, he typically credited passionate cross-functional team play. Insiders often observed that the operating partnership of Howard Schultz (visionary), Howard Behar (operations), and Orin Smith (finance) was the magic elixir of Starbucks’ success. “H2O” became the shorthand reference for that high-performance leadership team aligned by values, vision, and mission.
Those of us inside Starbucks who grew up in loss prevention were challenged to provide our brand additional all-hazards risk resilience. We evolved to better understand the changing cross-functional, enterprise-wide requirements for risk resilience as well as operational excellence. It was not by accident that Starbucks partners (the internal term for employees) and contracted solution providers transformed a small loss prevention department into a global asset protection organization. It was a stakeholder imperative.
The protection portfolio expanded from retail loss prevention to include food manufacturing, information, employee, special events, and supply-chain protection programs to meet 20 percent per year growth. By 2007 the AP organization was forecasting net contribution (gross profit contribution over global expense) in the range of $26 million per year.
The AP services grew organically leveraging subject-matter risk experts and retail operational talent. Like many others in the retail security world of that time, we were schooled by the catastrophes that included the 9/11 terrorist attacks and subsequent anthrax attacks, the Boxing Day Tsunami that killed hundreds of thousands along the Indian Ocean, Hurricane Katrina and the aftermath along the Gulf of Mexico, the Nisqually earthquake in the Northwest US region, and several workplace homicides that took the lives of Starbucks partners. Add to these a couple of multimillion-dollar internal breaches that were sufficiently mitigated to preclude material loss.
All these critical events were gut-wrenching. All were relatively predictable. Insiders committed some directly under the nose of the AP organization. All prompted incremental protection-in-depth improvements. Most were leveraged for service growth, culturally aligned with value priorities beginning with people protection and ending with profit assurance.
The post-event learnings spurred innovation, protection investment, stakeholder engagement, and measured-risk outcome improvements, paving the way for the persuasive net-contribution story. There were a few small failures along the way, including introduction of network-capable security systems in a dial-up environment. That required a next-generation innovation improvement for ongoing return on investment. Despite momentary setbacks, the AP organization learned from the shortfalls to stay on a path for continuous improvement.
The approach today has matured. As faculty members of the Security Executive Council (SEC), the authors are now well-instructed by other all-hazard risk-mitigation programs plus fifteen years of SEC research, including strategic operational proven practices in 26 vertical business sectors. Contributing to the research results are SEC board members, C-suite executives, and distributed subject-matter experts who collaboratively evaluate and revise the all-hazards risk-mitigation and resilience value propositions.
Why Risk Resilience and Why Now?
Several trends are converging to influence future protection opportunities. Businesses are continuing to grow and becoming increasingly competitive even in relatively hostile markets where they are soft targets. According to a recent BusinessWire report titled Overview & Evolution of the Global Retail Industry, “The global retail sector is estimated to have achieved revenues of US$22.6 trillion in 2015 and should continue to rise to US$28 trillion by 2019.”
Associate, customer, and partner care is key to brand reputation growth and stickiness. Pollsters learned early on that engagement and loyalty scores relevantly depend on whether the stakeholder believes that management cares for them. As brands in all business sectors are reexamining their business-risk appetites against evolving compliance requirements, costs, market conditions, and mitigation capabilities, customer-care perception remains the prize.
Stakeholders, goods, information, services, and supply chains require in-depth protection strategies from corporate headquarters to the farthest reach of the brand. People and assets, both physical and logical, require care and protection whether at rest or travelling through trusted networks. Persistent integrity assurance will likely become a service-level agreement objective of the future for many.
In the interim most business operators will continue to seek cost optimization if not operational excellence. Protection-in-depth may be a crawl, walk, run process within a more mature operational excellence framework. Reactive risk mitigation will give way to proactively designed risk-intelligence capabilities. Loss prevention and asset protection professionals can anticipate persistent questions regarding protection-service offerings and their related operational value propositions. The good news is that there are several fast-forming paths for continuous improvement to all-hazard risk resilience that will incrementally contribute to brand equity.
What does good look like from an operational all-hazards planning perspective? The SEC has found some common denominator considerations. These may serve as a starting point for protection-in-depth consolidation, expansion, governance, or organization of future rebranding (see Global All-Hazard Risk Continuum Considerations chart).
Brand Growth and Supply-Chain Extensions Face Increasing Global Physical, Logical, and Natural Risks
The World Economic Forum and others have made the persuasive business case that man-made and natural risks are linked and impose substantial risk to global business. The pace of global change promises both fast-forming opportunities and risks for retail. Preparedness for all-hazard conditions will be required to win hearts and minds.
Based on current SEC research, researchers observe that most major brands will legitimately need and want more from loss prevention executives and their risk-mitigation peers in the future to meet the enterprise’s strategic objectives. All signs point to continued uncertainty and the need to be more prepared. LP’s ability to anticipate, report, respond, and mitigate with improved speed of service and better outcomes is timely for the business value case that likely will play competitively in a higher-risk global environment.
Risk Perceptions Continue to Drive Enterprise-Wide, Board-Level Risk Compliance Confidence and Organizations of the Future That Can Meet or Exceed All-Hazard Unified Risk Oversight Expectations
Board members and C-suite officers find the Unified Risk Oversight illustration particularly helpful for conceiving a leadership framework for risk resilience. Brand protection-in-depth depends on cross-functional risk mitigation to contain the diverse hazards represented by the red attackers. Environmental, physical, and logical hazards are pervasive. Executive risk-communication recipients are represented in the green overarching superstructure. Unified communications processes at mid-level aggregate individual contributor and departmental data drawn from the cross-functional departments represented by the blue pillars. Aggregated acumen, tools, and strategic solution partners are leveraged for situational risk intelligence that informs critical-incident decision-making and governance.
Next-Generation Solutions and Talent Will Require Innovation Change Management Rigor and Governance
Regional and global risk and security operations centers (GROCs and GSOCs, respectively) now supervise enterprise-wide operational core process dependencies, including access control, alarms, cameras, cold chain, critical facility systems, communications, first-responder dispatch, and risk intelligence from network hygiene to anomalous hazard conditions for critical facilities, people, and supply chains. Integration is often arduous and sometimes haphazard, but proven practice documentation is underway, including Global Security Operations Centers as a contracted service.
Privacy and security/safety interests will wax and wane with public safety and institutional security confidence. Nevertheless, risk-mitigation monitoring capabilities ought to reasonably advance, qualified by guardrail compliance including institutional acceptable-use and conduct governance, statutory laws, regulations, and international treaties.
The industry will anticipate, pilot, test, improve, and proof innovations at a greater pace, including artificial intelligence and analytical capability extensions related to autonomous vehicles, drones, robotics, and smarter peripherals, such as image and audio authenticators to assist situational risk-intelligence officers for 24/7/365 hazard detection globally. Informed by corroborated social media and other intelligence inputs, physical and logical breaches will be detected in near real time.
Collaborative integration of old knowledge and new knowledge—including analytics, intelligence, network, and systems administrators—will supplement better educated, equipped, paid, and trained first responders, critical-incident managers, and forensic investigators who can mitigate diverse risk situations for cost and loss avoidance or prosecutorial accountability.
Diverse multigenerational talent will be required. Due to the well-publicized, ever-present risks and threats of today and tomorrow, this continuous monitoring and response to all-hazards risks to brands is what employees, customers, and all stakeholders will come to expect.
SIDEBAR: Benchmarking the Next Generation of LP Professionals
The Security Executive Council (SEC) is a leading research and advisory firm focused on corporate security risk-mitigation solutions. The SEC began to recognize unprecedented changes and opportunities in all-hazards operational risk management in 2010, when they took an initial look at a 2020 all-hazard risk-resilience strategy (see “Security 2020—Identifying the Store of the Future,” January–February 2011).
Amidst unprecedented global business risk and rapidly changing retail and corporate climates, identifying professional leadership opportunities for evolving to meet new loss prevention and security demands is the subject of this article as well as ongoing SEC research. To assist in this research, the SEC wants readers of LP Magazine at all levels of the organization to participate in a benchmarking study to develop a next-generation leadership baseline to facilitate industry dialogue.
The authors encourage loss prevention and asset protection professionals, other risk managers, and contracted solutions providers to complete the SEC’s survey “LP in Transformation—What Is the Next Generation of You?” Results will be shared in a future article in this magazine. To access the survey, visit securityexecutivecouncil.com/lpsec2017.