0 evaluări0% au considerat acest document util (0 voturi)
253 vizualizări24 pagini
A corporation is defined as any organization that employs a number of people. Security is a 'necessary evil (and they) really have no choice' some security decisions appear to be made after a breach of security has occurred. Others are made when it is feared business will be lost if security is not in place.
Descriere originală:
Titlu original
The Handbook of Security [Sample Pages 586-609 Corporate Security by Dennis Challinger]
A corporation is defined as any organization that employs a number of people. Security is a 'necessary evil (and they) really have no choice' some security decisions appear to be made after a breach of security has occurred. Others are made when it is feared business will be lost if security is not in place.
A corporation is defined as any organization that employs a number of people. Security is a 'necessary evil (and they) really have no choice' some security decisions appear to be made after a breach of security has occurred. Others are made when it is feared business will be lost if security is not in place.
to the Bottom Line? Dennis Challinger 1 Security a given in the corporate world Every business corporation understands that security is an inevitable expense the fact that they all keep their premises physically secure is evidence of that. However not every corporation would embrace Daltons recent view that security management is not an odd-but-necessary back-lot function, but is instead a vital business function that is essential to any organisations contin- ued viability (Dalton, 2003: xii). More likely they would agree that security is a necessary evil (and they) really have no choice (Kovacich and Halibozek, 2003: 63). In this chapter, a corporation is dened as any organization that employs a number of people to achieve a common purpose, whether as a commercial company or a government instrumentality. The word corporation therefore sub- sumes retailers, manufacturers, banks and hotels as well as hospitals, schools, universities and public transport, etc. While quite different in output, all these corporations must operate in a nan- cially responsible way and obviously that includes protecting their assets. In this chapter it will be assumed that is done through what will be called a corporate security department (although in practice a small corporation may not need a separate department). At a minimum, the corporate security department will implement measures to physically secure business premises and assets. However any further security measures that may be implemented within a corporation will usually result from further internal corporate decision-making. Regrettably, internal decision-making about security may lack the careful con- sideration that is taken when other issues most notably income-generating activities are considered. Some security decisions appear to be made after a breach of security has occurred. Some are made when it is simplistically assumed that continued security is no longer needed. Some are made when it is feared that business will be lost if security is not in place to reassure customers or clients. Some may be made when management observe that a competitor has some security equipment in place that they do not have. And fortunately, some are made on the recommendation of the head of corporate security. 586 In some corporations the head of corporate security does not have a lot of inuence. However there are others where the role of corporate security is openly acknowledged. One example of the latter is Wal-Mart, the worlds largest retailer, where the head of their corporate security department the Vice President of loss prevention reports directly to the CEO. As the CEO has put it: Politics being what they are, its too easy for decisions (about security) to be misguided when you allow internal politics to enter in. With loss prevention reporting to me, that allows me to set the tone, the discipline, about what effective loss prevention is. (Lee, 2002: 17) However in general much corporate decision-making about security does not appear to be soundly or evidence-based. That is not sensible as corporate management should want to ensure their security is the best possible for their corporation. The difculty is that some corporate managers still hold entrenched views regarding security, its funding and its impact. There are also problems appreciat- ing what a corporate security department does, what it is capable of, and how it contributes to the corporations bottom line. These are the topics which will be discussed in this chapter. 2 Deciding the best security for a corporation The best security keeps all the corporations assets secure and therein lies a paradox. The success of corporate security is measured by the absence of activi- ties which would have negative effects on the corporation if they occurred. Put another way, a highly-effective security manager may become the victim of his or her own success. It can be hard for the head of corporate security to acquire further necessary funds within the corporation because, if the department has been doing a really good job, its achievements are effectively invisible and a need for more resources seems unwarranted. On the other hand, if the security has been poor and there have been many incidents causing loss to the company, a stronger case can be made for more funds to prevent further losses (that is, if the head of corporate security withstands the accusations that he or she is a bad performer). Within a corporation there are other departments that also measure fewer inci- dents as signs of success. Occupational Health and Safety is seen as successful when there are reductions in workplace accidents and fewer workers compensa- tion claims. Facilities managers are doing a great job when there are no losses due to res because re prevention equipment is installed and working. However each of those departments has an advantage over security in that there is generally legislation in place requiring their continued existence. By law, workplace environments must be made safe and buildings must have the correct re ghting equipment in place. Dennis Challinger 587 In general then security is not legally mandated. However the absence of work- place sabotage or workplace theft is as benecial to the corporation as, or even more benecial than, an absence of workplace accidents. The difculty is that the absence of thefts is based on an assumption that many (more) would have occurred if security measures had not been in place. Long-time security consultant Dalton has stated that: (the security) profession is largely based on assumptions. We make manage- ment and nancial decisions based on a great number of unproven assump- tions. Ours is a profession that is both uncodied and largely unproven. We assume that security ofcers provide some deterrent value. We assume that state-of-the-art technologies are effective in preventing loss of assets and life (Dalton, 2003: xxviii) If corporate decision makers do not also accept assumptions such as these then there is plainly going to be problems deciding on the best security. If for instance they do not accept the assumption that internal thefts are a likely activity then their view of what may be the best security is not going to accord with the views of their corporate security head. They may end up making decisions based on views about corporate security that are simply wrong. 3 Corporate managements view of security Management has a number of views of corporate security that are generally erro- neous and which can be said to place the security function at a disadvantage. They include the following: Security is not a major corporate priority The bulk of effort in most corporations goes to generating more business to make more prot. That can mean that insufcient time is given to consideration of security requirements and they are not as rigorously considered as they should be. Yates (2003) points out: many organizations have not integrated security into their culture. For many, it has been addressed by simplistic measures such as employing a former police ofcer as a security guard or putting out a memo. Specically there has been a major failure to enhance security rather than simply overlaying security onto existing practices to identify and incorporate best security practice of visible CEO leadership on security to implement reinforcing behaviour in organizations such as regular secu- rity updates, security education and reward system for security conscious behaviour 588 The Handbook of Security to provide security training, education and competence to prepare the groundwork for effective local law enforcement co-operation (Yates, 2003: 75) Security is not worth doing There are some activities conducted by the corporate security department which may not be seen by other parts of the corporation as necessary or worth doing. One pointed example of this is the matter of internal theft or fraud which some management may not see as issues for them, still believing myths about the prevalence of that behaviour (Albrecht and Searcy, 2001). On the other hand, some corporations may consider employee theft as an unpreventable, unpleasant situation which is part of doing business (and) expect employees to steal (Oliphant and Oliphant, 2001: 443). But because the extent of employee theft is unknown, management cannot decide which costs are greater to catch a thief or accept it as the inevitable (ibid.: 443). If then they accept the inevitability of internal theft tantamount to an encouragement for staff to steal it follows that they do not wish corporate security to pursue such deviance. In their opinion that would not be worthwhile, however that position would simply condone theft by workers. Security is a nuisance Some management view security as an impediment to good business and efciency. If for instance a business meeting is delayed because of security requirements to access a particular part of a building, then security may be said to be jeopardizing business. The fact that the security requirements are well publicized and the majority of corporation staff have no trouble orga- nizing their schedules around those requirements may be disregarded by a complainer. Security procedures may also require that accurate and current records are kept of corporate assets so that, in the event of theft, an investigation will be expe- dited. But if those requirements are seen as onerous, or just a nuisance, they too may be ignored. The alleged nuisance value of security is sometimes used by staff who develop a mindset that causes them to go out of their way to not abide by security require- ments they may decline to wear their corporation ID badge, or argue about signing in a visitor. Support for corporate security from senior management is vital to create a security-aware workplace. Security is the enemy In some cases a view may be held by part of the workforce that the security department is their enemy. Such sentiments may arise when the result of security activity has been to identify some staff engaging in inappropriate behaviour that has led to their being disciplined (or even dismissed). This can particularly arise where management sends mixed messages about behaviour as illustrated by the discussion of internal theft above. Dennis Challinger 589 The situation may be made even more difcult in instances where undercover security operatives may have been employed to deal with dishonesty amongst staff. The use of an undercover operative posing as a patient in a hospital to iden- tify the staff member stealing patients money is an example. (Healthcare Risk Management, 2002). It might be thought that honest staff would not be at all concerned at this practice given that it removes a thief from the workplace but this approach by the security department may be seen by them as underhand and acting in a way that doubts the honesty and trustworthiness of all staff (Ironically the undercover staff who were used in the cited example also had roles in auditing and monitoring the security staff to ensure they were perform- ing effectively). Even the implementation of security systems aimed at protecting staff can be seen as invasive and conrming that corporate security is the enemy. An example of this is the radio frequency-based tracking systems that can locate any worker at a corporations facility. As an example, one such system has been installed in a Las Vegas hospital to ensure the safety of hospital staff and to keep out intruders and prevent infant abductions (Taylor, 2002). However because the system is also capable of logging in when employees arrive for work and leave the hospital as well as tracking when they go into a restroom or step out for a smoke (some staff) fear the intrusion of an unseen Big Brother (Taylor, 2002: 14). Such attitudes could possibly lead to those staff adopting a negative stance towards security in general. Security is an unskilled occupation Many in a corporation appear to believe that anyone can do security and that it needs no particular training or aptitude. It is therefore seen as a corporate func- tion of no great merit. This view probably comes from observations or interac- tions with base-grade, often uniformed, security staff who operate access points or guard property. It is plainly inappropriate to judge the security function on those staff alone but they are the front line for the corporate security department. The reality is that those staff may be lowly paid and may sometimes be unimpressive. But they have issues to deal with that others may nd exceedingly uncomfortable and be unwilling to do. For instance, Button (2003) reports high levels of verbal abuse and threats of violence experienced by security staff at a British shopping and leisure complex where 40 per cent had experienced assault (slight bruising/ bleeding) in the past year (Button, 2003: 235). It is a credit to those who train, or skill-up, these staff that major problems arise only infrequently. Correcting management misunderstandings The above clearly indicate possible sources of real strain between security and others in the corporation. Many managers do not seem to understand the value of, or con- 590 The Handbook of Security tribution to the corporation from the security department. They see security as a burden or a cost. However such managers should think about the consequences there might be for the corporation if it did not have a sound level of security. On the other hand, the corporate security department must ensure that the reasons for the various security requirements are explained. Somerson (2003) puts this elegantly with respect to access control, employees need to be told that the ID card is not intended to unduly inhibit their ingress or egress, nor is it intended to identify their presence or other- wise invade their privacy. Instead, the purpose of the ID card is to signify clearly that staff is authorized to be at the facility and to discourage anyone else from entering. (Somerson, 2003: 158) The corporate security department must change the corporations mindset about security and remove any lack of understanding of the role and activities of the department. It may be that at present, many security professionals are not good communicators, or lack the commercial awareness to see that they need to sell their function. 4 What corporate security does The corporate security smorgasbord The range of activities undertaken by corporate security varies from corporation to corporation a typical list appears in Kovacich and Halibozek (2003: 161). However the only real exposure to security for many staff relates to access control and ID passes, and those activities can lead to strains if not aggravation, as catalogued above. While not a complete list, the following outlines many of the activities that a corporate security department undertakes in a typical corporation. controlling ID pass issue and access (including reward programmes for staff compliance) managing a security control room monitoring CCTV and alarms recommending and managing physical security hardware for corporation sites managing on-site parking (including after-hours escorts and citations) managing uniformed manpower (including after-hours patrols) co-ordinating emergency evacuations responding to on-site incidents writing and publishing corporate security policies developing and delivering security awareness programmes for employees developing workplace violence prevention procedures developing and maintaining fraud prevention strategies providing executive protection services for management (including travel briengs) implementing security at residences of senior executives Dennis Challinger 591 providing personal and domestic security guides for staff overseeing security for off-site events such as AGMs dealing with public demonstrations impacting on corporation sites collaborating with Information Technology security counterparts collaborating with Occupational Health and Safety practitioners dealing with information leaks investigating criminal incidents (including thefts by and from staff) investigating harmful external activities like product counterfeiting maintaining and analysing incident and intelligence databases liaising with local law enforcement (when necessary) This list more than adequately demonstrates the considerable contribution that corporate security makes to the corporation. Yet the list is not, and should not be, static. Indeed it should change as potential threats to the corporation change. For instance, since the 9/11 terrorist attack in New York, corporate security departments in many corporations have been tasked with developing particular plans for dealing with the risk of random and targeted acts of terrorism. Such plans should result from continuous assessment of security risk, the other main activity of corporate security. Security risk assessment Any corporate security department should be procient at undertaking security risk assessments so that they can target their activities to address the greatest risks to the interests of the corporation. Having identied the risks to the corpo- ration it is necessary to develop countermeasures or options to mitigate them. They include reducing the risk (for instance by installing security equipment or implementing new policies), transferring the risk (for instance by insuring against it or contracting others to manage it), or simply accepting the risk as a cost of doing business (ASIS International, 2003: 14). Security risk assessment comprises a particularly important contribution to the corporation from the corporate security department. The risk assessment process provides a way of prioritizing threats faced by the corporation. That requires some necessarily subjective qualitative judgements to be made of the likelihood of the threat and its impact on the corporation if it were to occur. The corporate security manager is clearly in the best position to make those judgements as they belong to the corporation and in their day-to-day working life are exposed to the range of the corporations activities. Those managers have a real advantage over an outside security consultant who may, and in practice often does, recommend a broad raft of security solutions that may be unneces- sary because they are geared towards problems that the corporation does not have, or which are relatively unimportant. The standard risk assessment approach has long been used in nancial manage- ment (e.g. by banks in assessing foreign exchange trading) and engineering (e.g. 592 The Handbook of Security assessing the level of reinforcement needed in a high-rise building) but in many respects is in its infancy in the (corporate) security area (but see Chapter 22). Arguably 9/11 has much to do with this new focus on the risk assessment process. Now corporations are aware that security risks must be part of their future risk assessment activities and that good security is essential. In the US corporate risk assessment has actually been mandated by the Sarbanes Oxley Act of 2002 which was a legislative response to the accounting scandals caused by the fall of some publicly held companies like Enron and WorldCom. The Act requires compliance with a comprehensive reform of accounting procedures for publicly held corporations to promote and improve the quality and transparency of nancial reporting by both internal and external independent auditors. The Act aims to minimize the risk of corporate malfeasance, but there are several links between Sarbanes-Oxley requirements and a companys security program. They include: ensuring appropriate awareness of company security policies and commitment by management; designing and implement- ing appropriate security controls; and documenting and auditing security poli- cies and making sure they are understood by management and end-users. (Williams, 2003). 5 Impact of good corporate security Commercial impact The immediate impact of good security on the commercial health of a corpora- tion is that it keeps the corporations assets secure. The assets are therefore able to be utilized, the additional expenses involved in replacing them are avoided, and the possibly greater losses through loss of business or inability to service clients are forestalled. Good security may actually increase business opportunities for a corporation. For instance a shopping mall which is known to have good security in place can actually attract customers from other malls where customers may feel less safe. These intangible sorts of benets are picked up by Yates (2003) with what he has termed the security dividend. The concept of a security dividend As Yates puts it (t)he key to making security sustainable is to ensure that all stakeholders get a dividend for their security investment (Yates, 2003: 100). Yates is an engineer who has reviewed the issue of security of Australias critical infrastructure. His concern is seeing security embedded more formally in busi- ness operations, and for that to happen he suggests there needs to be a good return on any investment in security. Good corporate security will deliver a divi- dend for all stakeholders, in this case particularly the corporation and its staff and customers (who are part of the public at large). Dennis Challinger 593 The security dividend for the corporation The security dividend from good security in a corporation includes the following (adapted from Yates, 2003: 101) The corporations business efciency increases because good security is geared towards preventing incidents that may cause loss. Indeed the change of title in retailing from security to loss prevention was to emphasize the focus on pre- venting bad events occurring a far more desirable outcome than addressing the results of those bad events later on. The corporation becomes more attractive to customers leading to an increase in business. The converse of this is the loss of business that can occur in the absence of security. In one English city it was estimated that 650 jobs were lost within the retail and leisure sectors and turnover was reduced by 24 million (in 1990) as a result of avoidance behaviour which was caused by the publics concern about crime in that city (Holden and Stafford, 1997: 5). Indeed the impact of crime on shopping habits can be profound and include postponement of purchases, less recreational shopping, and less shopping at night (see Halverson, 1996). The corporation increases its employee retention rate because people prefer to work in a safe workplace. The nancial benet of reducing employee turnover in a corporation cannot be understated. One study in 2000 found that the annual cost of employee turnover in the supermarket industry exceeds indus- try prots by more than 40% (Meyer, 2000: 40) so increased retention in that industry would be most benecial. The corporation demonstrates that it is a good corporate citizen, partly because its investment in security reduces the demand on police services allowing them to deal with more urgent matters. In a time when corporate citizenship and ethical investing are becoming important considerations, such a corporation becomes more attractive to investors and may increase its shareholder loyalty. The corporations exposure to legal liability claims is reduced when it is able to show that it had taken care to incorporate appropriate security measures into its business practices. The security dividend for the public at large The security dividend for the public from good corporate security takes a number of forms but is very much related to the way in which that security impinges on the public sphere. The use of attractive planter boxes on paths at the local shop- ping centre as security against ram raids can contribute to the amenity of the area. The installation of grafti-proof surfacing on new buildings can ensure a more pleasant environment and greater use by the public while creating less attractive sites for offenders. The re-design, installation of security lighting and employment of attendants in public carparks have been shown to reassure users and deter thieves (Oc and Tiesdell, 1998). And the employment of uniformed 594 The Handbook of Security safety ofcers on public transport has been shown to make an important contribution to cutting petty crime (van Andel, 1989: 55). However, there is always the possibility that somehow introduced security measures will lead to a negative public reaction, and therefore a negative security dividend. For instance, the widespread use of opaque roll-down security shutters can turn a strip shopping centre into a hostile environment and can convey a message that the area is prone to crime (Beck and Willis, 1995: 206). And recent research concerning young people in public places noted that the cumulative impact of adverse interactions with police, security guards or teachers can leave youth with a sense of betrayal by adults and powerless to challenge such behaviour it may be that the long-term price of aggressive policing and other forms of surveillance is a less cohesive community (Fine et al., 2003: 155, emphasis added). In turn that could lead to negative attitudes towards CCTV, at least from this section of the public. When a head of corporate security installs some surveillance at their workplace which does overlook a public area, they would not normally consider the poss- ibility that it would add to the cumulative impact mentioned above. They would be even more unlikely to consider their security approach as possibly contribut- ing to a less cohesive community in the future. The impact of private security on the community at large is seriously discussed by Zedner (2003) who writes whilst security is posited as a public good, its pursuit is inimical to the good society (Zedner, 2003: 171). This is not the place to deal with that argument but it is obviously important to consider the possibil- ity of deleterious effects on the public from corporate security initiatives. Apart from anything else, not being sensitive to the local community could lead to the corporation losing business. 6 Impact of bad corporate security The impact of bad security on a corporation can be swift, immediate and telling and can arise in the following three ways. Direct losses The direct losses that affect the corporation commence with the nancial costs associated with an incident, however even they may not be accurately counted. Consider the burglary of a warehouse on a rainy night. The thieves remove roong and drive off with stolen products in a corporation truck. Management in many corporations would record the losses from that incident as comprising the cost of the stolen product, the truck and repairs to the roof. However the costs are considerably more than that, and it is incumbent on corporate security to ensure that management appreciates the full extent of damage to the corporation. The full costs are even more important to report Dennis Challinger 595 accurately and completely when it is time to consider nancial measures relating to corporate security (to be discussed later). In the above burglary, the losses to the corporation do of course commence with the value of the stock, the truck, and repairing the damages. In addition there is: the cost of lost business because (the stolen) stock cannot be provided to customers (who then go elsewhere); the value of stock damaged by being left exposed to rain coming through the hole in the roof the burglars left; the cost of hiring a truck to enable deliveries to continue; the cost of employee and management time spent clearing up, dealing with the police, ordering replacement stock, etc instead of performing their usual duties; the cost of buying a new truck and tting it out in the corporations livery; and so on. Over and above the immediate costs resulting from a criminal incident, there are other sources of increased costs. First, there are costs for increased security as invariably management will decide to increase security at the site of the incident (and sometimes adopt recommendations from corporate securitys earlier secu- rity risk review of the site). And further direct costs may arise when the corpora- tions insurance premiums are increased after a claim is lodged for the incident. Indirect losses The most serious indirect losses occur because of damage to the corporations image or reputation. Plainly a hotel that is known to be frequented by drug dealers and is the scene of drug overdoses will become unpopular. A hospital which has suffered (even) one infant abduction, or has a record of thefts from patients, will not be the rst choice for many patients. A shopping centre which was the scene of an armed robbery where bystanders were shot may well be avoided by many shoppers. The negative media coverage that such incidents attract can fuel a long-term negative consumer perception of the corporation and its brand. That can lead to considerable public relations costs by the corporation in an effort to overcome poor image problems. But apart from the public, the corporations employees can also be gravely affected by incidents occurring as a result of failed security. Stress or trauma- related workers compensation claims may be made, and morale (thus productiv- ity) may drop. Staff turnover may increase and industrial action may involve strikes or working-to-rule, possibly generating even more damaging publicity. It might also be necessary to offer higher wages in order to attract future employees because of general negative perceptions of the workplace. Legal action against the corporation Corporations get involved in more than their fair share of litigation and bad security can add to that burden. Public or premises liability cases are a major 596 The Handbook of Security source of cost for corporations. 1 While investigations by corporate security iden- tify some of these as fraudulent slip-and-fall cases in supermarkets are a good example expensive payouts do occur, often due to a lack of duty of care. Retailing corporations in particular are fairly frequent recipients of liability writs. Some years ago it was said that the moment a retailer invites a customer to park his car and enter their doors, that they are essentially creating entrapment, and are therefore liable in case something happens to that shopper (Cockerham, 1994: 38). Today, the courts throughout North America have made it clear that property and business owners have a duty to provide appropriate security and safety mea- sures at each site. Because we live in a strong data-centric economic and busi- ness environment, demonstrating this due regard almost invariably requires providing credible documentation (Dalton, 2003: 580). Most importantly, that documentation has to show that reasonable measures to keep people safe and secure had been implemented by the defendant corporation. To ensure that the measures are reasonable, the corporation needs profes- sional advice from its corporate security department. It is not only incumbent on the department to do that, it should be an objective of theirs to substan- tially limit general liability exposure and the associated cost of premises liability litigation (Figlio, 2002: 57). Figlio suggests that this is the second major objec- tive of a corporate security department after the establishment of a good return on investment for the corporation (an issue to be discussed later). Even with good security in place some litigants will try it on in the hope that the corporation might fold and settle, rather than run the risk of bad publicity. If the security in place is bad they always stand a chance. That is why it is essen- tial that corporate security provide the very best advice and their operatives always conduct themselves efciently. Of course there will always be bizarre liability claims. One was initiated in con- nection with the rape of an American hospital patient, a 44-year-old woman suf- fering from cerebral palsy, in hospital for chemotherapy and unable to defend herself. The rapist was sentenced to ten years imprisonment. But he is now suing the hospital for $2 million for its inadequate security in protecting visitors as well as their patients, as that caused him pain and suffering. 2 Liability matters aside, another raft of litigation arises from defective security practices. Most notable are false arrest or false imprisonment cases that result from members of the public being erroneously apprehended for shoplifting. A recent survey of 235 such lawsuits found that nearly all the suits were led for justiable reasons (Patrick and Gabbidon, 2004: 49). Many large judgements have been made to false-arrest plaintiffs who have been inappropriately dealt with, or in some cases have actually died, after what is often appalling behaviour by store security staff. There is not a better example of the necessity for security operatives to be comprehensively trained and to comply with the corporations security policy and procedures. Dennis Challinger 597 A nal area of litigation is action for defamation. A recent Australian case involved two contractors who were dismissed for stealing from a corporation which incidentally had listed its impeccable reputation on its website as a key value for success. 3 After dismissing the men, notices had been posted at corpo- ration locations saying they had been dismissed for stealing. The notice also read in part theft of any kind is unacceptable, is deemed serious conduct (sic) and will result in instant dismissal. The men had not faced any criminal action. A jury found they had been defamed and they were awarded $500,000. 7 How can corporate security demonstrate its value? The above sections have given a good indication of the extent of corporate securitys activities and outlined why it is important that they engage in good practices. But measuring the corporate security departments actual value to the whole corporation is not straightforward. Separating out securitys impact In many corporate settings, separating out the impact of security is difcult. As an example consider a factory where the theft of workers personal property has dropped over the past year. While corporate security had introduced awareness programmes and had new lockers installed for staff, those actions alone may not explain the drop. It may be that new staff rosters had been introduced along with a new time-keeping system which could accurately list workers on-site at any time. Perhaps an employee assistance programme with counselling for drug abuse and gambling had been commenced. And the new factory manager with his habit of walking around the factory daily may have had particular impact. It would have to be said that at best corporate security could claim only some of the credit. Worse, if workers in that factory had decided to stop reporting personal thefts because they simply did not want to draw more management attention to them- selves, the actual number of thefts may not even have dropped. This illustrates how difcult it is to measure the very thing that corporate security is trying to address. The retail sector provides the best example of being able to measure the effect of security on its operations. Regular six-monthly stocktakes provide a measure of losses the retail corporation has suffered. But as with the above example, cor- porate security cannot claim all the credit, though invariably they are blamed for any increase in shrinkage that might have occurred. A further complication arises if security decisions are actually made by others. DiLonardos (1997) study of the use of electronic article surveillance (EAS) systems in retail stores provides a good example. It shows that reductions in store shrinkage occurred when EAS was introduced and sustained. It also shows the experience in stores where, after shrinkage had reduced, management decided to remove the EAS systems because the shrinkage had been achieved (and they wanted to put the equipment in other stores which now had greater shrinkage). It is an important nding that shrinkage in those stores increased after the EAS equipment was removed, and reduced again when the equipment was re-installed. 598 The Handbook of Security That episode also proved that the security measure did work and although the decisions to withdraw it were not made by the security department, at the end of the day the result reected well on them. Evaluating corporate securitys preventive impact It is a central tenet of corporate security that many of the security solutions it implements will prevent incidents from occurring. But in broad terms there is a paucity of hard data to support that belief. Take one of the mainstays of corporate security, the uniformed security opera- tive, found on corporation reception counters or access points worldwide. Dalton wonders (w)hat, if any, is the crime prevention value of a uniformed security ofcer? Preventative value has been a long-standing issue, even in law enforcement. From studies that have been done, it would appear that the presence of uniformed personnel has little deterrent value (Dalton, 2003: 284). This is perhaps a little harsh (see Gill, 2004). Intuitively, some people trying to enter a corporations ofces without authority are going to be unsettled by a uniformed operative who they must pass. Not that in reality that operative is necessarily going to physically attempt to stop them, the mere presence of the operative may cause the potential intruder to leave. It is interesting that even without rm validation of the impact of uniformed staff, one of the knee-jerk reactions to intruder problems is often for manage- ment to insist on more uniformed operatives being deployed. It may well be that uniformed or private security staff have an even wider impact on the public. One recent study by econometricians found that private security does produce some general deterrence impact on the incidence of crime in the community at large, but statistically only for rape (Benson and Mast, 2001: 741). That research does however caution that obvious uniformed security guards, signs and noticeable video cameras may simply displace some crime, leading to a fall in the local crime statistics. Mainstream research into crime prevention is not all that more convincing. In one review of 13 physically-based (or situational) crime prevention programmes Welsh and Farrington (1999) found that only eight of them returned clear-cut benet-cost ratios. That is, the value of such activities as surveillance or target- hardening was able to be demonstrated in some cases. Note however that pro- grammes aimed at employee theft, fraud or shoplifting were excluded from their review because the primary victim was a business, not a person or household (Welsh and Farrington, 1999: 346). Value to government In discussion of the security dividend it was pointed out that government received a benet from the presence of corporate security because it could free up police resources for more serious or urgent matters. That would certainly arise when there was a risk of a corporation being subject to some sort of political Dennis Challinger 599 protest and minimal police resources were necessary to complement private secu- rity resources on-site. This demonstrates the value of corporate security in a broader sense. The complementary nature of the relationship between police and corporate security is also apparent when police take advantage of corporate assets, for instance using a corporations security cameras to monitor activity on a public street outside their premises. This relationship between police and corporate security might be expected to ourish in the future because as Sarre and Prenzler (1999) point out traditional police (are now) very much secondary players in responding to crime because security resources in most western countries outnumber traditional police by at least two to one (Sarre and Prenzler, 1999: 17). 8 Funding corporate security The return on investment (ROI) in corporate security According to Figlio the rst fundamental objective of a loss prevention programme is to demonstrate convincingly the return on investment of the organisations security programs. (Figlio, 2002: 57) This is achievable when a particular security solution is to be assessed for dealing with a particular problem, even though that may still require acceptance of the sort of assumptions referred to earlier. As a case in point, PricewaterhouseCoopers established that EAS systems installed in retail stores to lower shrinkage, have a sound ROI. But that was based on acceptance of inventory shortage gures as a sound and reliable measure of in-store thefts (DiLonardo, 2003). Demonstrating a sound ROI for a total corporate security department with all the activities listed in section 4 is however a real challenge. It also sits awkwardly with the measure of a successful corporate security department the absence of problems. Figlio is right however, modern management requires return on investment (ROI) gures or some such to allocate funding within the corporation. Ultimately all departments receive funding on the basis of that sort of nancial evaluation, but the corporate security department is at a real disadvantage. What the department has to do is to somehow convert the previously described security dividend into dollars and then use them in its ROI calculation. Once again that will require acceptance of a number of assumptions. If those assumptions are not accepted by management, it is well nigh imposs- ible to present a ROI for most of the security departments activities. Consider the access control system which has successfully prevented strangers from enter- ing the corporations premises. Assumptions would have to be made about the number of intruders there would have been without that access control. And further assumptions would have to be made about what those intruders would have done while they were on corporation premises. Would they have stolen cor- poration assets or worse, assaulted corporation workers? And what would the value of the losses to the corporation have likely been? 600 The Handbook of Security Or what of the fact that no burglaries have occurred on the corporations premises, surely a clear sign that the security in place was effective. Here at least there may be local police statistics showing the numbers of similar buildings in the neighbourhood have been burgled. However any number of reasons could be put forward to explain why those police gures do not provide a suitable bench- mark those other buildings store different assets, they are unoccupied for longer periods, etc. And what of the factory burglary previously described? As discussed the total costs associated with it were far greater than the value of the stolen property and the damage done. If the corporate security department had faithfully costed all recent burglaries, how relevant would that data be as a basis for ROI calculations? What if the burglary had occurred on a ne rather than a rainy night? In all likelihood, the nance department would be reluctant to accept an ROI based on either the police statistics or detailed incident costs calculated by corpo- rate security. So a corporate security head might take refuge in mounting a scare campaign indicating the dire consequences that might follow if sufcient funding is not provided. This move is a double-edged sword insofar as manage- ment might see this as a sign of professional inability to protect corporate assets and look for another director. Even where relevant data is available there may be difculties using it to calcu- late an ROI. As described earlier, in retailing, the levels of shrinkage revealed after the six-monthly stocktake provide a metric that reects the activities of the secu- rity (or loss prevention) department. Even here, however, there are any number of internal and external factors that could have impacted upon the losses suf- fered in a store (the new store layout makes it harder for thieves to get out without payment, local police have clamped down on undesirable activity in the local shopping precinct, etc). But a greater difculty is that because the stocktakes are only conducted every six months, the security department is trying to prove the value of having done something six months previously. In the following months other things may have happened to mitigate the impact of the security team. It is not only the expenditure side of the ROI model where assumptions and predictions need to be made. The corporate security head may have to forecast changing patterns of offending against the corporation which will introduce new costs. For instance, it may be that an increase on attacks on un-reinforced vending machines on railway stations is predicted on the basis of recent target hardening of vending machines in shopping centres. The assumption that thieves will likely move to the soft targets, and that funds would therefore need to be available to prevent losses from that, makes sense to corporate security. However the nance department may again not be impressed by the lack of hard data. All is not lost however. The key thing is to make sure the corporation, and particu- larly its nance department, appreciate the range of activities undertaken by cor- porate security and appreciate the ways in which it makes sense to calculate benets. The ROI task is hard but can be achieved with goodwill and understanding. Dennis Challinger 601 Outsourcing corporate security Invariably corporations are looking for ways to reduce the costs of running their business. In particular they look at internal departments such as corporate secu- rity whose functions could be outsourced because that would be cheaper. But focusing on the issue of cost while ignoring performance is short-sighted. Security professionals are split on whether outsourced security operatives perform poorly. Dalton dispenses with myths about outsourced security staff, he says they come from the same labour pool (as internally employed staff), they can be loyal as loyalty is fostered by trust and acceptance, (and) higher turnover has not been proved (Dalton, 2003: 81). Nevertheless, if outsourced security staff are actually paid less and how else can they be cheaper? they may simply be disinclined or unwilling to do the job well. In practice it is usually base-grade security services that are outsourced. In their discussion of contract (outsourced) security Button and George (1998) focused on corporations use of contract static guards. They found that the majority of their small sample of British corporations did outsource guard ser- vices, but they also found that over four to ve years about 30 percent of the sample had changed their mix of in-house and contract guards over time. This indicates that continuous oversight of the performance and value of the contract guards is undertaken. The major hidden cost of outsourcing lies in the burden of managing the con- tract relating to those staff. Without close management, the contractor providing the security operatives can get away with providing a lesser service than that set down in the contractual agreement. The potential risk of a bad incident occurring as a result of that lesser service delivery is a real concern. If litigation were to arise as a result of that incident, the fact that the corporation had tolerated poor or sub-standard service delivery would be particularly damaging. The inclusion of performance-based payments and punitive clauses in a con- tract would assist in more rigorously dealing with shortfalls in performance. But that requires close contract management, and there is a direct cost to the corpo- ration in doing that. Indeed the costs of doing so may well be greater than any notional savings from using contract staff rather than in-house staff. At the end of the day, the decision about using contract security staff is not a simple matter of comparing costs. Hidden costs and risks need to be considered. But more importantly there is a judgement to be made about the sort of security resource that a corporation wants. A dedicated in-house security staff which is professional, well-managed and part of the corporations culture has an inherent value beyond the apparent cost-savings from using contract labour, however many corporations can best be served by an appropriate blend of full- and part-time and in-house and contract security personnel (Sennewald, 2003: 157). Re-organization of corporate security Another model for funding the corporate security department can be found where a corporation has made all of its departments independent but with each 602 The Handbook of Security charging the others for their services. This shared services model may be good in theory but in practice can lead to fragmentation of the corporate culture. Consider what might occur in practice. Senior executives from one of the busi- ness units in the corporation are going overseas and the corporation security policy requires them to receive a security travel brieng. When they learn that they have to pay (usually less than market) internal fees for this brieng, they decide to forego it because their expenses would increase if they did so. Now corporate security is faced with a policy breach, as well as their own budget shortfall. The business unit has acted in a way that is not in the best interests of the corporation as a whole. After all if those executives were to come to grief on their trip, the corporation might appear badly in the eyes of the public and would also have to meet any unbudgeted expenses. Another example of re-organizing corporate security is provided by the 5200 independently owned and operated Ace Hardware stores in the US. That group created a wholly owned subsidiary company to provide loss prevention services to their members it effectively privatized its corporate security department. The nine-person (subsidiary) staff offers Ace retailers a variety of security services on a voluntary fee-for-service basis. The program has succeeded not only in reducing shrinkage but also in generating revenues (Falk, 1996: 47). Again, the re-organization occurred to fund the operation of the corporate secu- rity department. It appears in the Ace case, member stores were keen to buy secu- rity expertise (and may have done so from a private supplier in the absence of their own subsidiary). The risk in a big and formalized corporation is that security will be relegated to nice-to-have rather than the essential service that it is. 9 Corporate security as a contributor to the bottom line The discussion to date has clearly indicated the many ways in which corporate security adds value to the corporation. Its actual contribution to the nancial bottom line are necessarily indirect. For example preventing losses avoids strip- ping money directly from the bottom line. And providing a secure and safe work- place which reduces staff turnover and minimizes poor (and unproductive) morale, averts unnecessary expenses for the corporation. However the challenge for corporate security is presenting such contributions in a way that modern management accepts. The difculty in doing that in a nancial framework has been discussed in the context of establishing an ROI for the corporate security department as a whole. And it is from the nancial per- spective that the notion of corporate security being seen as a prot centre has emerged. The fundamental feature of a prot centre is that it is capable of generating revenue which exceeds its operating costs. This is not a traditional role of a secu- rity department and it would be a mistake to require it, as it could readily divert the department from its important role of preventing other revenue in the cor- poration from being lost. In any event, actual revenue generators in a corporate security setting are few. Dennis Challinger 603 One revenue generator could be the revenue from car-parking violations where it is the corporate security departments task to manage car-parking. Another could be the sale of access control tokens, especially replacement tokens for which a surcharge might apply. In each case the security department would be engaging in an unpopular enforcement-type role and it is plain that the damage that could be done to the standing of corporate security within the corporation could be substantial. It has been suggested that civil recovery could act as a revenue source, but that is a programme for the corporate victim of an offence to recoup some of the funds they expended in dealing with a particular offender. While most fre- quently used for shop thieves, civil recovery is also used by some corporations when dealing with internal thefts. While civil recovery procedures can contribute revenue to the organization they should never be used as a means of generating a prot. In any event as Bameld points out, the proper role of private prot in crime prevention and in dealing with offenders is a vexatious issue (Bameld, 1998: 263). In summary then, there are three positions impacting the bottom line that a corporate security department can adopt within a corporation. If corporate security remains as a department within the corporation charged with minimizing losses to the corporation as a whole, then it cannot operate as a prot centre. In strict terms it remains a cost centre but as Millwee has pointed out, (w)hat was once considered by some to be a cost center has become a business benet center, as the safety and security of our co-workers has redened the mission of security practitioners all over the world. (Millwee, 2002: 122). If corporate security becomes part of a shared service model, then by selling its services within the organization it becomes a cost-recovery department. It should not be expected to raise revenue over and above its actual costs, from its internal clients. Imagine the internal outcry if in order to increase its revenue stream the department increased the price of ID passes because that was one of the few revenue raising devices it had. If corporate security becomes an arms-length supplier of security advice to the corporation it would cease to be part of, or tied to, the corporation. The risk is that business units in the corporation might go elsewhere or decline to use its, or any other, services. The good news is that with the Ace Hardware example described above: Originally, the board of directors wanted to break even with the company, but the service has paid for itself over the past year and surpassed its nancial expectations (Falk, 1996: 47, emphasis added). Overall, corporate security must gain recognition for its contribution to the bottom line. It can do that if it can convince employees and executives that security matters to them, to the company, and to the community; that it helps to protect the bottom line and, thus, their jobs (Somerson, 2003: 158). 604 The Handbook of Security 10 Corporate security moving forward Embedding security in the corporation Corporate security in the past has often been seen as somehow separate from the rest of the corporation. In part this may have been caused by the enforcement role the department had. But often their role was unappreciated and their contri- bution to the scal value of the corporation was seen as a negative a cost. There is no doubt that security professionals have missed important opportun- ities to make security an integral part of the corporate team (Millwee, 1999: 118). And it is certainly true that the time is here for corporate security departments to break away from what has become the conventional approach to asset protection and seek new venues for value added contributions. (Dalton, 2003: xxvi). In some corporations, management are not aware, and do not consider, ways in which security might contribute to the business of the corporation. A ne exception to this is provided by American retailer Wal-Mart whose CEO states that the VP of loss prevention is required to sit in on every single management meeting that we have. They are a part of that management groups core decisions that are made about whats right for the business. They have to look at anything that were doing as the rst line of thought from a loss prevention standpoint, because most mer- chants and operators arent given to go there rst (Lee, 2002: 20). One example of where corporate security can make a valuable contribution relates to proposals for new business initiatives or new products. Corporate secu- rity is able to identify ways in which the new initiative might be compromised and lead to loss for the corporation. That would allow modications or safe- guards to be built into the proposal to prevent those losses from happening in the rst place. Playing that role can sometimes support and give weight to new proposals. For instance when an Australian supermarket corporation was planning to introduce EFTPOS facilities for customers, corporate security was able to point out that increasing the use of plastic card payment at store checkouts would have real security benets. Customers paying with plastic and being able to make cash withdrawals would reduce the amount of cash in checkout tills thus making them far less attractive targets for snatch thieves. Additionally the need for deliv- eries of cash to stores by armoured cars would reduce and the likelihood of armed robberies in and around stores would decrease. Both of these were strong points in favour of introduction of EFTPOS not foreseen by store operations. Corporate securitys involvement in mainstream corporate activities is most important. Joining with HR, safety teams and operations groups is part of that. But the key is to become a versatile player. (S)ecurity professionals must develop, rene and adopt a broader managerial outlook. They must practice the same managerial competencies required by general managers running their respective businesses. 4 Dennis Challinger 605 They must also become thoughtful and clever communicators to ensure that management understands the benets of security for the corporation. Cant measure cant manage The difculties of providing hard data that would be accepted by the corporation to justify funding corporate security have been discussed above. But of course having hard data also allows corporate security to make sensible decisions about its own activities. Figlio gives examples of the range of data that a retail loss pre- vention manager might use to make future data-driven decisions truly possible (Figlio, 2002: 57). He suggests that site-specic data is necessary including neigh- bourhood crime vulnerability, specic detailed shortage (shrinkage) data and details of security measures and programmes in use at the site. But not only should hard security-related data be collected where possible, it should not be kept hidden away. Yates suggests that corporations should report on their security performance in their Annual Reports in addition to the com- mentaries on their social, economic and environmental performance the com- monly referred to triple bottom line. He notes that the advantage of integrating security into the triple bottom line reporting approach is that security is seen in the context of the other main business drivers, rather than isolated and uncon- nected (Yates, 2003: 106). Yates also suggests that corporate security needs a suite of measuring devices including security impact statements, minimum security standards and other benchmarks. That would leave the way open for insurance companies to offer discounts off premiums for corporations whose security practices, especially those related to terrorism, meet the standards. The more corporate security can measure its activities the more it can illustrate its value to the corporation. But more than that, it can use the data it collects to better manage its day-to-day activities and to conrm that its security programmes are efcient and meeting the corporations needs. A new corporate security focus In his appraisal of the security world since 9/11 Dalton asks what is a corpora- tions most valuable asset? because obviously that should be the focus for corpo- rate security. Somewhat surprisingly he opts not for its employees or its customer base. He suggests: that in terms of the survivability of a corporation, the most valued asset is the companys intellectual property, that which positions them in the market- place and allows them to remain competitive. Employees serve as the catalyst for assuring that this asset intellectual property is developed, used and pro- tected. IP denes the organisations ability to stay protable Only with protability comes the assurance of continuity, which translates into job secu- rity Employees, including the most senior executives, are replaceable. This does not mean that they are not important, and perhaps even critical secu- ritys role is not to abandon the protection of people and tangible assets (Dalton, 2003: 72). 606 The Handbook of Security That position leads Dalton to suggest a new model for a global security function which would be largely advisory and have the following three pillars: 1 Business Risk analysis comprising: current business risks; new partner product and market due diligence; major fraud investigations; data security invest- igations; strategic fraud prevention; special request enquiries; competitive intelligence protection; intellectual property protection; e-commerce threat management and geo-political business proling. 2 Human Resource Security comprising: strategic partner qualication; security awareness and ownership; international HR security; new hire qualications and orientation; executive protection; workplace violence prevention; ethical business practices. 3 Global Operations support comprising: corporate policy development; secu- rity standards and guidelines; uniformed security services; site compliance and quality assurance; systems design and research; special projects management and special events management. (pp. 1745) The activities listed under those headings encompass the corporate security of old, but place them in a new perspective which may resonate with modern cor- poration management. This is an example of weaving corporate security into the corporation culture (Millwee, 1999). This does not overcome the difculty of making a nancial case for the corpo- rate security department. Nor does it overcome the need to develop metrics of success. However it does clearly indicate the valuable contribution that corporate security makes to the continued business success of any corporation. Notes 1 See Chapter 6 by Dan Kennedy. 2 What, me, responsible? (2002) The American Enterprise, JulyAugust, Vol. 13, No. 5, p. 10. 3 Employees Win $500,000 in Defamation Case (2003) The Age, 21 November, p. 4. 4 A Discontinuity in the Security Field (2002) POA Bulletin, August, pp. 15. Key readings For a good security text which canvasses the issues in an uncomplicated way see Kovacich, G.L. and Halibozek, E.P. (2003) The Managers Handbook For Corporate Security: Establishing and Managing a Successful Assets Protection Program, New York: Butterworth- Heinemann. For a good and accessible example of the sort of hard data needed to make a case for security, see Figlio, R. (2002) Using Data to Measure the Effectiveness of LP Programs and Limit Your Liability, LossPrevention, MayJune, pp. 578. A more academic piece demonstrat- ing reductions in employee theft has been written by Oliphant, B.J. and Oliphant, G.C. (2001) Using a Behavior-Based Method to Identify and Reduce Employee Theft, International Journal of Retail and Distribution Management, Vol. 29, No. 10, pp. 44251. While for a critique of security which should get most practitioners thinking see Zedner, L. (2003) Too Much Security, International Journal of the Sociology of Law, Vol. 31, No. 3, pp. 15584. References Albrecht, W.S. and Searcy, D. (2001) Top 10 Reasons Why Fraud is Increasing in the U.S., Strategic Finance, Vol. 82, No. 11, pp. 5861. Dennis Challinger 607 ASIS International (2003) General Security Risk Assessment Guideline, Alexandria Virginia. Bameld, J. (1998) Retail Civil Recovery: Filling a Decit in the Criminal Justice System, International Journal of Risk, Security and Crime Prevention, Vol. 2, No. 4, pp. 25767. Beck, A. and Willis, A. (1995) Crime and Security: Managing The Risk to Safe Shopping, Leicester: Perpetuity Press. Benson, B.L. and Mast, B.D. (2001) Privately Produced General Deterrence, Journal of Law and Economics, Vol. 44, No. 2(2), pp. 72546. Button, M. (2003) Private Security and the Policing of Quasi-Public Space, International Journal of the Sociology of Law, Vol. 31, No. 3, pp. 22737. Button, M. and George, B. (1998) Why Some Organisations Prefer Contract to In-House Security Staff, in M. Gill (ed.), Crime At Work Vol 2, Leicester: Perpetuity Press, pp. 20114. Cockerham, P.W. (1994) Safe Shopping, Stores, June, pp. 389. Dalton, D.R. (2003) Rethinking Corporate Security in the Post 9/11 Era, New York: Butterworth-Heinemann. DiLonardo, R.L. (1997) The Economic Benet of Electronic Article Surveillance, in R.V. Clarke (ed.), Situational Crime Prevention, New York: Harrow and Heston, pp. 12231. DiLonardo, R.L. (2003) The Economics of EAS: Rethinking Cost Justication for Apparel Retailers, LossPrevention, NovemberDecember, pp. 206. Falk, J.P. (1996) Nailing Down Hardware Store Security, Security Management, December, pp. 4651. Figlio, R. (2002) Using Data to Measure the Effectiveness of LP Programs and Limit Your Liability, LossPrevention, MayJune, pp. 578. Fine, M., Freudenberg, N., Payne, Y., Perkins, T., Smith, K. and Wanzer, K. (2003) Anything Can Happen With Police Around: Urban Youth Evaluate Strategies of Surveillance in Public Places, Journal of Social Issues, Vol. 59, No. 1, pp. 14158. Gill, M. (2004) Uniformed Retail Security Ofcers, Leicester: Perpetuity Research and Consultancy International. Halverson, R. (1996) Crime Steals Shoppers Condence, Discount Store News, Vol. 35, No. 9, pp. 70, 72. Holden, T. and Stafford, J. (1997) Safe And Secure Town Centres: A Good Practice Guide, Westminster: Association of Town Centre Management. Kovacich, G.L. and Halibozek, E.P. (2003) The Managers Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program, New York: Butterworth- Heinemann. Lee, J. (2002) The View From The Top, LossPrevention, MarchApril, pp. 1720, 568. Meyer, S. (2000) Employee Turnover: Its BigIts There, MMR, March 20, p. 40. Millwee, S. (1999) How Can Security Get Inside the Door?, Security Management, December, pp. 11618. Millwee, S. (2002) Focus on ASIS, Security Management, February, p. 122. Oc, T. and Tiesdell, S. (1998) City Centre Management and Safer City Centres: Approaches in Coventry and Nottingham, Cities, Vol. 15, No. 2, pp. 85103. Oliphant, B.J. and Oliphant, G.C. (2001) Using a Behavior-Based Method to Identify and Reduce Employee Theft, International Journal of Retail and Distribution Management, Vol. 29, No. 10, pp. 44251. Patrick, P.A. and Gabbidon, S.L. (2004) Whats True About False Arrests, Security Management, October, pp. 4956. Private Security Firms Go Undercover in Your Hospital (2002) Healthcare Risk Management, June, pp. 678. Sarre, R. and Prenzler, T. (1999) The Regulation of Private Policing: Reviewing Mechanisms of Accountability, Crime Prevention and Community Safety, Vol. 1, No. 1, pp. 1728. Sennewald, C.A. (2003) Effective Security Management 4 th edn, New York: Butterworth- Heinemann. 608 The Handbook of Security Somerson, I.S. (2003) Are Security Awareness Programs Undervalued?, Security Management, August, pp. 1758. Taylor, M. (2002) Systems Help Hospitals Ensure Patient, Staff Security, Business Insurance, December 16, pp. 1416. van Andel, H. (1989) Crime Prevention That Works: The Case of Public Transport in the Netherlands, British Journal of Criminology, Vol. 29, No. 1, pp. 4756. Welsh, B.C. and Farrington, D.P. (1999) Value for Money? A Review of the Costs and Benets of Situational Crime Prevention, British Journal of Criminology, Vol. 39, No. 3, pp. 34568. Williams, F. (2003) Sarbanes, Oxley and You, CSO Magazine, October, at http:// www.csoonline.com/read/100103/counsel.html. Yates, A. (2003) Engineering a Safer Australia: Securing Critical Infrastructure and the Built Environment, Engineers Australia, Barton ACT. Zedner, L. (2003) Too Much Security, International Journal of the Sociology of Law, Vol. 31, No. 3, pp. 15584. Dennis Challinger 609