Graduating from Man-Guarding to Total Loss Prevention: Customer Expectations Regarding Multi Skilling of Private Securitadmin July 17, 2013
Associate Dean, College of Justice and Safety Professor, Department of Safety, Security and Emergency Management Eastern Kentucky University, Former Fulbright Fellow, IISSM
I appreciate the invitation to be with you today and the opportunity to address this broad topic.
It will enable us, in Part I, to look back at the common origin of the security and to move forward to a few contemporary theories of loss prevention and risk management, and to propose, in Part II, a theoretical model, Determinants of Customer Expectations for Private Security Managers and Providers, for your consideration.
Part I: Graduating from Man-Guarding to Total Loss Prevention
The term “graduating” as used in the title of this speech implies the profession of security has moved well beyond old industry practices and customer perceptions that security is little more than a security officer standing post. Perhaps, but before we look at the destination of “total loss prevention” let us look at one of the fundamental cornerstones of even modem security: “man-guarding.”
We know from the life sciences the vast majority of all creatures are endowed with an instinct for self-preservation. Further, we know the species which survive are usually those which adapt best to the general environment and threats in the environment. Biological adaptations of survival include sensitive hearing, keen eyesight, sensitive smell, quick reflexes, speed, endurance, claws, body camouflage, toxic chemicals, and numerous other characteristics.
Early humans had to survive using the senses which they were born: sight, smell, hearing, touch and taste. If the individual was not a member of a group the individual had to man-guard self. As a member of a family and tribe the individual shared man-guarding with other group members. As mankind evolved and accumulated greater knowledge, developed tools and weapons, lived in increasingly larger social groups, and developed different trades, the providing of security was shifted from all to fewer and fewer percentages of people with the passage of time.
Man-guarding of self, in essence, is a natural part of our biological instinct of survival and the physical characteristics with which we were endowed. Man-guarding of others reflects both our biological roots and our social evolution from family to nations and perhaps beyond.
Today we continue to incorporate man-guarding into our security theories and practices. Why? One simple reason man-guarding remains a mainstay of security is it works today as it did in the past. If it did not, we would have abandoned it. But, humans are amazing in their capabilities and adaptabilities.
One model of security proposes there are four primary security controls or methods of protection: 1] Human, 2] Procedural, 3] Physical, and 4] Technical. Almost all protection today involves one or combination of these methods. As a side note, there will be minor exceptions to this model, such as the use geese and dogs to detect and/or respond to intruders. But, if you look about your organizations today the vast majority of your security measures involve these 4 primary categories of controls.
Knowing the primary methods or control is not enough in a modern organization of size. It is the role of security managers to oversee the implementation of the security controls in order to create protection systems that are both effective and cost effective. But, what are the backgrounds of successful security managers and what are the theoretical foundations for their decisions?
The majority of security managers traditionally have from other disciplines aligned with security. In the years after World War II the first wave of managers came from the military. Military officers were educated, trained and disciplined. They had operated in an environment of duty, accountability and chain of command. Military solders too knew how to man-guard, follow orders and achieve the mission. Industrial security in the post war era followed the military model which placed a heavy emphasis upon perimeter, area protection, object protection and personnel security classification.
Around the 1960s a new group began to migrate into security. Law enforcement personnel came from quasi-military organizations which reflected values similar to the military. Many also had experiences working alone on the streets, adapting and making decisions with little supervision, and training in law, use of force, criminal investigations, first aid, and other skills. Their law enforcement skills added value to security because of the extra services that could be provided beyond traditional perimeter protection and access control. The backgrounds of the military and law enforcement managers complimented each other.
In the late 1980s a small wave of different managers began to migrate into security. It is a trend that continues today. These individuals came with a business background. Many had not served in the military or public sector. They came with backgrounds in operations, human resources, logistics, accounting, and other business fields. They were more attuned to balance sheets and profit margins, and return on investment. They were sensitive to costs and operating efficiencies.
Around the same time persons with backgrounds in computer sciences and business management were being employed in information technology positions and being assigned responsibility for information and computer security. About the same time, perhaps a bit later, managers from safety, environmental health, loss prevention, risk management began to move into or assume security responsibilities. These trends will most likely continue in the foreseeable future due to the increasing role of technology in security, global competition in the marketplace, and trend towards total loss prevention.
The net effect of these migrations of non-security personnel into security was security profession borrowed concepts from general management, military management, law enforcement management, business management and other disciplines. Two major concepts to emerge include loss prevention and risk management models that were primarily adapted from insurance practices.
In general, a business loss prevention model or approach to security describes how security and other functions contribute to business profitability. In the 1980s Norman Bottom and John Kostanoski proposed the WAECUP theory of loss. They stated most losses in organizations could be traced to:
- Unethical Practices.
They also stated that the role of security was to enhance company profitability. While this may not sound radical today it was at that time. Using this theory as a foundation I often shared the following definitions and simple formula with my students:
- Business – individual or organization which provides goods and/or services to make a profit.
- Expenses – a necessary cost of doing business which produces a return on investment
- Loss – an unnecessary cost which does not produce a return on investment
- Income – the revenue a business receives for providing goods and/or services
- Traditional View: Profit = Income – Expenses
- New View: Profit = Income – [Expenses and Losses]
While simplistic this explanation helps non-business students understand how security contributes to the bottom line of business profits. But, there is more. How does one measure “cost effective” security.
There are two simple answers:
- Cost effective security is bringing the risk of loss to an acceptable level at an acceptable cost to the organization.
- Cost effective security is reducing losses more than the cost of security.
The concepts of risk and loss have also worked their way into security management literature.
- Loss: is an unplanned negative outcome
- Risk: is the chance of loss
- Speculative risk: chance of either a gain or loss
- Pure risk: chance of no gain or loss
Based upon these concepts another model that has become a cornerstone of security theory and practice is the risk management model which includes the following steps:
The Risk Management Process
- Identify the risks
- Assess the risks
- Manage the risks: only 4 ways to manage risk
- Evaluate the risk management programs
- Cost effective
- Update and modify risk management programs
- Repeat cycle
Under emerging management theory and practice security is viewed as one component of a broader risk management program designed to prevent, reduce and mitigate losses from many different sources (Total Loss Prevention), including security breaches, internal theft, employee misconduct, accidents, natural disasters, and others.
Part II: Customer Expectations of Multi Skilling of Private Security
There, is no doubt that customer expectations for security can range from very basic “man-guarding” to comprehensive loss prevention and risk management programs. But what factors determine the expectations of customers. I believe it is best addressed by our constructing a theoretical hybrid business-security model.
The model seeks to explain the major variables that drive users’ expectations of the appropriate type and level of security services to be provided by private security providers. It attempts to construct a universal framework for analyzing users’ expectations. It may be used by security users and security providers; by security officials working in government and private sectors regardless of the specific industry or government agency; and by security practitioners in developed and developing countries. This model also describes the relationship between a proprietary security program and the company.
A model that proposes to be universal across countries and across sub-specialties of the security industry must be both consistent and elastic. The major variables affecting user expectations of security providers should be consistent, whereas, the significance or level influence assigned to each variable must be elastic, it can be expanded and collapsed in response to the other variables.
It is important to note that the purpose of this model is to test it against the reality of our experiences and professional knowledge. As we go through this presentation, I ask that you test it against your experiences. At the end, when the floor is open for questions and answers, please share your thoughts.
I propose the following model for your consideration.
What variables influence users’ expectations of appropriate types and levels of security to be obtained from private security providers? There are five primary variables that drive users’ security expectations of private security providers: (*) Perceived or Actual Risk; (*) Government Regulation and Oversight; (3) User Security Culture; (4) User Financial Capacity; and (5) Technology.
- Perceived Risk Vulnerability & Assessment
The user’s perceived risk vulnerability and potential loss is a major factor that influences a user’s expectation of the appropriate types and levels of security services to be obtained.
- Government Oversight/Influence
The level of government oversight can be a major determinant in setting user’s expectations. Those expectations may vary depending upon the level of government engagement. The expectations may be well defined in law and regulations if security standards are mandated, audited for compliance, and consequences are incurred if the user is out of compliance
- User’s Security Culture
A user’s security culture refers to awareness, knowledge and commitment. Users that have high security awareness, professional knowledge and Commitment are far more likely to have specific expectations than clients with little knowledge and awareness.
- User Financial Capacity
Financial capacity of users will in part determine their expectations of providers. The greater the capacity the higher the expectations may be demanded of providers. The less financial capacity the less the user’s ability to require more types, levels and quality of service.
Technology creates risks and creates controls for risks. Changes in technology may increase or decrease vulnerability depending upon the business reliance and/or exposure to the technology.
Elasticity is a fundamental principle of this model. For example, if finance becomes the dominant factor it can override risk. If risk is the dominant factor it can override finance. Similarly, if a corporate security culture becomes hyper-sensitive the perceived risk can drive expectations beyond reasonable cost analysis. The key here is security managers and providers need to be alert for changes in any of these areas and to determine how those changes will affect security and how to proactively respond.
Summary and Conclusion
In this presentation I have proposed that man-guarding is a valid security control today that is biological based in our survival instinct and physical capabilities and a result of our evolution. While man-guarding is still a cornerstone of many security programs as a whole, the security industry is migrating to the concepts of enterprise risk management, wherein security is one type of risk to be cost effectively managed. Further, I proposed that expectations of security customers will constantly change based upon perceived risk, vulnerability, government regulations and enforcement, corporate culture, technology and financial capacity.
Private security managers and providers must remain sensitive to these forces as their ability to foresee these changes will enable them to more timely and effectively respond to the organizations needs. A security manager or provider who ignores these forces is significantly less likely to be successful in meeting customer expectations.