Risk Management: Systematic Approach

An overview

Eventually most companies will be faced with some form of major loss, which is apart from normal business risks. Unless a contingency plan has been prepared the peril of escalation of the loss cannot be avoided. Before embarking on the preparation of a contingency plan or plans the potential risks must be evaluated and a full audit of the company's facilities undertaken. Some industries have a higher risk potential than others, some present special risks, some have to comply with legislative conditions.

To cover the whole spectrum of risks would involve detailed analysis of every industry and this Manual can only offer general guidelines that are common to most industries and businesses. Whether the evaluation is carried out as an "in house" exercise, or whether an outside consultant is employed, is a matter for debate. Whilst the "insider" has detailed knowledge of the particular company the "outsider" will probably identify risk areas overlooked by the "insider".  

The evaluation

Losses may be grouped under two generic headings, those of Direct Loss and Indirect Loss. To many security officers, loss represents theft and possibly fire loss but little else. In reality there is often a "domino effect" that can be felt in areas of the company remote from the centre of loss and removed in time from the loss.

Direct Loss

These losses are the most obvious ones, theft of cash, tools, equipment, materials etc. but there are also some intangible losses such as loss of information.

Indirect loss

The indirect loss is more difficult to define but would include such things as loss of customer confidence, loss of goodwill between staff and management, loss of production due to theft of material or plant etc. Having identified the possible areas of risk the next consideration is how to avoid the loss or minimize the effects of loss.

Exclude the risk

Various precautionary measures can be designed to reduce the risk to acceptable levels - no risk surveyor would guarantee 100% exclusion - but some of these precautions may prove almost as costly as the loss. Some would be unacceptable eith3r to management or the workforce. Any precautions seen as unnecessary, or inconvenient, would be circumvented. The whole question of risk exclusion must be considered within the framework of budget, practicability, feasibility, workability, and ability to monitor the results.

Offset the risk

To offset the effect of a loss a company or an individual will take out insurance but, the insurance company will require measures to be taken that almost totally exclude the risk and charge a hefty premium into the bargain. Increasingly companies are spending capital on risk exclusion and offsetting the outlay by not insuring. There are however areas where this must be considered poor policy. A better approach is to exclude as many risks as are practical - risks that can be considered virtually totally excluded - and take insurance cover for risks of less total exclusion.

Transfer the risk

Some risks, cash transfer, transportation of goods and raw materials etc. can be put out to specialist contractors who will bear the losses but as with insurance the premium may be unacceptably high.

Minimize the effect

If a company accepts that there is a residual element of risk after applying one or more of these sections attention should be paid to minimizing the possible consequences if the risk materializes. Depending on the risk being considered this may mean standby facilities, as for computer suites, (see Guideline No. 27) or contingency plans for evacuation to another factory within a group etc. Salvage of reusable materials and plant should not be overlooked.

The risk survey

The first stage in forming a risk management policy is to carry out a full survey of the potential risks and any responses that can be expected. All areas of a company's activity must come under scrutiny. The losses may occur anywhere and whenever and for a variety of reasons. Far too many managers fail to comprehend the seriousness of a major loss incident and equally fail to appreciate what local steps can be taken to minimize the effect. In broad terms risks occur in one of the following groups.

Environmental risks

Forming a contingency plan for this group is the most difficult. They are the natural hazards such as Flood - lightning strike ­Subsidence - Storm damage - and in some countries Earthquake damage. Often secondary effects - mainly fire - will follow. The results of one or more of the above will depend on severity, location, and type of business carried out. It is obvious that a manufacturer of pharmaceutical chemicals would be more affected by flooding than a warehouse holding cast iron pipes. Similarly premises located on high ground are unlikely to be affected by flooding but could suffer storm damage from high winds. Whatever risk within this group is envisaged the contingency plan should make provision for essential actions that would be common to all risks. The following questions, if answered, will form the basic contingency plan.

• In assessing the risk can any action be taken if forewarned e.g. protect large areas of glass if strong winds are forecast etc.
• In the event of damage is there a Possibility of secondary damage e.g. flooding from broken mains, fire, gas leaks etc.

·    Can arrangements be made to effect first aid repairs?

• Is there Labour available, within the company, to affect immediate remedial work to minimize losses?
• If salvage is contemplated is there space to store the salvaged material or goods.
• Is there provision for shutting down part of the premises without affecting all the operations?
• Is there sufficient security staff available to protect any goods, materials, or plant that may have become vulnerable to theft as a result of the risk occurring? 

• Is there a designated Damage Control Centre and a designated Co-coordinator? 

• Is there a prepared list of actions to be taken by key personnel? E.g. turn off power, shut fuel line valves etc.

·    Is there a list of key personnel? E.g. Heads of Departments etc.

·    Is there a system of calling in key personnel!?

Detailed safeguards are to be found under various sections in this and other Guidelines of this Manual.

Machine or plant failure

This risk group is considerably easier to assess than the previous one. Much of the assessment will be the province of the Head of the Engineering or Plant Department. Provided routine maintenance of the plant and machinery is carried out the potential for loss will be much reduced. Routine replacement of worn parts would not normally be included in a contingency plan but irregular stoppages should. These could include damage as a result of an environmental risk occurring, deliberate sabotage, accidental damage, power failure or power surge, fire, fracture of fuel lines etc. Mostly the questions in Guideline 3.9 would cover machine or plant failure with the addition of -

• Are there adequate spares available?
• Is there skilled staff to carry out the repair work?
• Can the machine/plant be isolated without affecting adjacent plant?
• Will the stoppage cause a bottleneck and can it be by- passed?
• Depending on the type of machinery other points will become obvious.

Man made risks - deliberate or accidental

This last group of risks will include most of the daily work of the security department and is probably the one group that can be reliably assessed for preventive measures to minimize the effect. To fully assess the risks an overview of the type of risks can be taken. They fall into one or more of the following and would apply in most situations to a greater or lesser extent.

• Theft including Industrial Espionage
• Burglary
• Robbery
• Fire including arson
• Vandalism
• Fraud
• Terrorist or politically motivated attack

Some industries/premises may attract one or more of these risks - some may, attract a particular risk but these risks are generally to be found in the commercial and industrial environment today. As mentioned in Section 3.9 detailed safeguards are to be found in various sections of this and other Guidelines of the Manual. Theft in all its forms is probably the most common general risk and protection against this crime will, usually, provide protection against the other risks mentioned.

Areas of high risk

Many areas within a company will be considered particularly vulnerable and these will require special attention in any survey.

Wages offices and Cashiers offices

Another area of high risk and the defensive measures are to be found in Guideline No. 33.

Administrative Areas

Whilst most paperwork found in an administrative area is fairly innocuous some sensitive documents do appear from time to time. Other areas that may handle such information would include the Secretaries offices, Directors offices, Marketing offices, Personnel offices, Contracts offices, Research departments etc. The handling and safeguarding of sensitive and confidential documents is covered in Guideline No. 25.

Transport

Once goods have passed to the Transport department of a company, ­additional risks are liable to occur. The security of vehicles and loads is to be found in Guideline No. 30.

Stores and Production Department

The safeguarding of storage and production areas is covered in this module in various sections.

Retail Department

In a retail business the customer is invited to enter and inspect the goods, Often these goods are readily portable and desirable leading to a high risk of theft. Thieves from retail premises do not see their crime as theft and refer to "shoplifting" as if it were a separate and minor offence. This leads to the retail area of a business being of especially high risk. 

Industrial Espionage

This is not a department within a company but is a risk that can affect most departments and therefore is dealt with in some detail in Guideline No. 35,

"Positive" Departments

Some departments in a business organization can be a positive help in minimizing risks. Such departments should be considered as part of the risk exclusion exercise and measures to enhance their potential, effected. These departments would include Personnel, Accountancy, Credit Control, Works Services, and of course the Security Department. All can help to exclude or reduce risks by the normal practice of their function.

Personnel

The careful selection of staff for various posts can be of great help in preventing many risks for materializing.

Accountancy

The Accountants audit all transactions and should be encouraged to bring to the attention of the security department any early indications of discrepancies or frauds.

Credit Control

Customer frauds are often detected at an early stage by careful ‘follow-up of customer credit ratings.

Works Services

If a Works department or Maintenance department is included in the departments of the company they can be of great assistance when planning physical security measures, when undertaking alterations, and for examination of potentially weak areas of the fabric of the buildings.

Presenting the evaluation

Having prepared a contingency plan the next task is to present it to management for approval - unless the scheme was initiated from higher level this may be a difficult matter. Various attitudes to security and risk management can be found amongst senior staff and managers. They vary from willing acceptance to downright rejection - depending on their perception of risk - and some typical attitudes are illustrated below.

·   It is not required our staff are honest

·   We can't stop stealing - its part of the job

·   It will be too difficult and will interfere with routine

• It will cost too much
• Do it despite cost
• The Unions won't like it
• We are at risk - is this the best reasonable solution?

Staff co-operation

If the risk management proposal is acceptable to senior managers there is every chance that junior managers, supervisors and foremen will be willing to co-operation but some form of training would be necessary. All supervisory staff can play a major part in reducing the prime risk - that of theft - whether it is called pilfering, perks, or whatever. A simple short training session, pointing out the dangers and outcomes of uncontrolled theft, with some ways that a supervisor can help, will pay dividends. Points to include in such a course would be -

• Don't let stealing start. Once it is seen that theft is easy more and more will want to take advantage of a lax system. Check all losses and make it known that you are doing so.
• Don't create or allow to develop an environment where stealing becomes easy.
• Don't allow broken packages to go unnoticed.
• Don't leave small attractive items available. Keep them locked up.
• Don't encourage visitors from other departments to enter your sphere of influence without first reporting to you.
• Frequently check your stores list of small valuable or attractive items.
• Don't encourage borrowing even where a company permits employees to borrow tools etc. Ensure this is done against signature.
• Don't be afraid to have a look at ­and for - potential hiding places where 'loot" may be concealed for later pick up.
• Ask questions if you have doubts about any packages or parcels.
• Control access to stores.
• Watch for suspicious behavior in employees. Ask security for assistance if surveillance is necessary.
• Don't issue consumable items without a signature. Make them hard to get and that will reduce waste and misuse. If anyone uses or requires excessive amounts query why.
• Follow company policy concerning theft and other disciplinary matters.

The human element

As shown in Section 3.11, the human element is the widest risk grouping and a few comments on the potential perpetrator will not go amiss. An organization with a clearly defined policy that militates against employee theft and with a high chance of detection will suffer far less theft and have a better staff relationship than an organization that has little or no such policy. Whilst it is erroneous to talk of a "criminal type" there are certain factors that may influence the integrity of an employee. Some of them are listed below -

• An attitude of "they can afford it" towards the employer
• Revenge on the employer or his representatives
• Accessibility to the property coupled with lax supervision 
• Being poorly paid 
• Little job satisfaction 
• Financial problems 
• A belief that "everyone does it 
• Environmental background

Policy weaknesses

Any risk management policy can be nullified by a failure in any of several areas. Most are due to management shortcomings and should not be allowed to pass unchallenged. The principal failings are -­

·   Failure to start enquiries at an early stage.

·   Failing to investigate all aspects of a discrepancy.

• Failing to learn from the losses of other companies in a like situation.
• Failing to ensure that changes in procedure etc. do not create loopholes and cause additional areas of risk.
• Failing to recognize the potential value of scrap or salvage.
• Failing to pursue losses in transit or other insured losses and allowing them to become acceptable.
• Failing to demand that staff references are followed up.
• Failing to accept that crime lacks class barriers.
• Failing to follow a policy of deterring crime in the workplace.
• Failing to include security requirements e.g. searching etc. in Conditions of Employment.
• Failing to accept that security is a specialized task that cannot be given to a manager on a "part time" basis.
• Failing to have a company policy on dismissal for dishonesty.

 Mutual Aid

Where several industrial units are contained in a close area such as an industrial estate, a mutual aid scheme can be of great assistance and support. Many such sites have only one patrol per unit at night plus a visiting supervisor. The mutual aid scheme provides a more frequent check, to ensure patrols have not met with an accident, been taken ill or been attacked. In operation it is simple. A patrol officer at unit A contacts unit B at a pre arranged time. B contacts C and so on until the last contacts A, thus completing the circle. If a unit does not respond there would be a pause of 10 minutes then a repeat call. If there were still no response a pre arranged course of action is initiated to investigate the reason. Similarly if a call is not received within 10 minutes of the expected time the unit expecting the call will call the unit who should be making the call. If no response then the requisite action is taken. These 'rounds of contact" are repeated at pre arranged intervals depending on the number of, units involved. The method of contact' will depend on the equipment available at the various units. Another form of mutual aid that has evolved is the retail trade watch scheme sometimes known as Stopwatch or similar names. In effect it is a reporting system to advise other participants in the scheme that a risk situation is or has developed at retail premises. If, for example, shop A identifies a group of shoplifters, check or credit card fraudsters, they telephone the next shop on a list that in turn passes the information to the next on the list and so on until all are alerted to the possibility of a visit from the criminals.

Always it is essential that the local Police are aware of the existence of the scheme and are kept advised. Local Police liaison is most important if the full benefits are to be obtained. It cannot be too strongly emphasized that absolute secrecy must be maintained, regarding the details of any scheme, if it is to be effective. To provide additional protection to participants a form of duress code should be inbuilt into the reporting system.

Security of Buildings

Buildings are used to protect property either from deterioration by weathering or loss due to theft. To be effective the building must be suitable for the intended purpose, itself weatherproof and secure. Guidelines Nos. 6 & 7 cover Doors, Windows, Gates and Grilles that all form part of a building and the following sections will cover the remainder of the building envelope.

Prevention of damage to buildings

Much of the damage to any building is as a result of vandalism with accidental damage forming a smaller proportion. Many security measures will serve to combat this damage but some additional measures may be necessary. Windows are the most vulnerable areas for damage. A growing problem is graffiti sprayed onto walls. Various proprietary compounds are available to combat this menace. Specialist firms will apply the compound and, using special solvents, periodically clean off any graffiti that has been applied. Plastic rainwater pipes are commonplace today but in areas vulnerable to accidental damage they should be protected by metal guards or replaced with metal pipes, particularly at low levels. Walls at low level must be substantial if breaches are not to occur.

For security a wall must be at least the equivalent to 9" of brickwork in cement mortar. Many walls are thin skinned metal clad on steel frames and these are easily cut or damaged - some consideration to additional outer protection should be given if in a vandal prone area. For added security such walls should be reinforced on the inside and alarmed. Roofs are often overlooked in the security survey but they are a vulnerable area. Traditional tile or slate roofs are easily broken by stress thrown up from the ground. Access through such roofs is easy and some preventive measures against access should be considered. Barbed wire on metal supports at the roof edge is effective. Access to roofs from adjoining buildings should not be overlooked. Down pipes and waste pipes also provide a convenient means of access to a roof or upper floor window. This must be prevented by application of anti climb paint, metal guards, flaunching, or having the pipes recessed into the wall. To reduce further the risk of damage to buildings in vulnerable locations a suitable sized kerb should be used to prevent close contact by vehicles. Corners and overhangs are particularly at risk. Basements are often a risk area and some form of mesh covered frame should be secured over them. Such a cover will prevent rubbish being dumped into them and deny easy access to intruders. Basements often form a convenient hiding place for intruders to await the passing of a patrol and for goods to be hidden awaiting removal. Vegetation should be kept clear of buildings to provide a clear field of vision; waste bins should be stored in a mesh cage at a suitable distance from the building. Stacked waste bins can form a ladder to higher levels. They are also a useful cache for stolen property awaiting disposal. A good security officer will examine buildings not only to prevent intruder access but to prevent damage as this also constitutes a loss of company assets and profitability.

Design  for  Security

If a new building is to be designed or an old one refurnished the security officer should be consulted at an early stage. Security measures designed into a building are cheaper to carry out than any added as an afterthought. Not only can measures be designed in to, but potential security hazards can be designed out of, a building whilst still on the drawing board. This does imply that a security officer should have a rudimentary knowledge of buildings and be able to read an architectural drawing. Some points to look for are -

• Strength - does the envelope of the building follow the "secure box concept", are the breaches, doors and windows, etc. of adequate strength.
• Assessability - are there any easy routes to upper levels, down pipes, decorative features, window grilles, stepped levels of roofs etc. - these are an easy route to an agile person.
• Danger areas - do door or window recesses form hiding places? Are there any parts of the building hidden from view by angles, bends etc.? Can a passing patrol see all the face of the building?
• By passes - are there any ducts, partitions, ceilings etc. that may form a bypass to the secure box concept? Ensure they are either outside the secure line or else protected.
• Internal layout - is there adequate ducting for alarm cable runs etc.? Are vulnerable office areas of adequate strength? Are they located in a suitable part of the building? Will the floor carry the weight of a safe where required?

These and other questions that may come to mind can all be resolved at the planning stage for negligible cost but to change them after building work has started is very costly.