Small and medium businesses such as event organizers, consultancy firms, law firms, restaurants, child-care centers, cafes and provision stores etc., often do not invest sufficient time and resources into loss prevention and corporate security planning. As a result, these businesses are often left vulnerable to threats affecting business continuity.
Business operators must develop a strong loss prevention plan in order to ensure that business operations are secured against crime, protected from vulnerability and that employees/business operations in general are not exposed to undue risk during day to day activities.
The 4 main sources of risk that a loss prevention plan should aim to address are:
1. External Crime Elements
Whether business owners run operations in quiet neighborhoods, out of rented units in industrial buildings or even in a corner of a crowded shopping complex, many have the wrong impression that their businesses are “too small” to become a target for fraud or sabotage. This results in operators taking unnecessarily dangerous risks in day- to- day business operations without even realizing it and sometimes paying a heavy price for this complacency. External crime elements include theft, robbery, acts of vandalism and anarchy.
2. Internal Crime Elements
Statistics have shown that in some industries up to 80% of losses from theft are actually perpetuated by employees. Improper processes with inadequate internal checks and balances, coupled with overly trusting and empowering employees with authority, can result in systemic abuse of blind spots in a company’s business operations. This is especially the case if delegation and supervision of work is not properly managed.
3. Negligence & Ignorance Elements
A safety supervisor can choose to ignore safety procedures when conducting high pressure testing in a fabrication yard resulting in the deaths of technicians should the equipment fail unexpectedly. An inexperienced clerk in a freight forwarding company may process paperwork for the export of controlled cargo and by doing so, directly contravene export control regimes endorsed by the country he/she is working in. Business operators themselves can also be negligent in ensuring proper systems are in place to address any possible natural disasters or by failing to establish the necessary safety procedures in their companies. Cost cutting by hiring incompetent staff who demand low salaries but do not have the necessary knowledge or experience to perform a job function properly, can easily expose the company to risk from negligence and ignorance.
4. Poorly Designed Processes
Processes within business operations are not always well managed and this can lead to severe impact on business operations, such as when proper processes are not drawn up for the handing and taking over of duties post resignation. This can lead to a sudden loss of critical technical and intrinsic knowledge.
Why a Loss Prevention Plan is necessary for ALL businesses
A failed or non-existent loss prevention plan can lead to the following incidents which can severely damage a company’s reputation, ability to do business or even cause a business to fold.
All the scenarios presented below are based on true incidents.
Scenario A: A financially strapped employee working in a small restaurant diverted and re-sold a portion of the restaurant’s daily raw supplies to a competitor at heavily discounted prices. The employee managed to do this successfully for nearly half a year before the crime was discovered.
Diversion of supplies occurs for a large variety of products, especially perishable goods. Goods that are periodically re-stocked will lend themselves well to this threat, such as foodstuffs, beverages and medical supplies.
Scenario B: In order to save costs, an import/export company hired a college intern to maintain a database of customers. The information in the database included names, addresses, contact numbers and company registration numbers of clients, suppliers, customers and cargo declaring agents. The intern had saved the database information in his personal laptop in order to work from home. Several months after the internship had concluded he lent the laptop to a relative who was selling corporate insurance. The relative chanced upon the database in the laptop and made a copy of it for himself. He then started cold calling the possible leads in the database. When customers found out that their names were leaked to a cold calling insurance agent by a business that they had patronized, their first impression was that the information had been sold without their consent.
Leaked databases of personal information can lead to expensive law suits and irreparable damage to a company’s reputation.
Scenario C: A clerk in a human resource firm was given full access to a floating fund in the office. The employee helped herself to small amount of cash from the fund on a daily basis by chalking it up to “miscellaneous” expenses such as restocking of printer toner cartridges, stationery and pest control fees. As the amount taken on a daily basis was very small and well camouflaged within a long list of legitimate claims, the manager for the firm would sign off on the claims on a weekly basis without question or checks. An audit check revealed that over the span of 1 year, she had siphoned nearly $2000 from the floating fund.
Petty theft from the company float fund is a common occurrence, due to the normally easy access to the funds and lack of controls. Left unchecked, the pilferage over time can run into a large amount.
Scenario D: A company hired a Human Resource manager who was fresh out of school. Having little understanding of the minimum wage laws, the new manager started offering contracts that had salary packages well below the required minimum wage. A routine inspection by the labor inspectorate uncovered the contravention and investigations were initiated against the company.
In some countries, employment laws can hold the Director of a company (or the person signing off on the employment forms and declarations) liable for regulatory infringements.
Scenario E: A lorry driver for a cargo forwarding company used the company vehicle after office hours to deliver controlled narcotics. Eventually the driver was caught and the vehicle was seized as evidence.
In some countries, laws allow the Court to order that vehicles used in the commission of offences to be forfeited to the State. This means that the company will have to write off the loss of the vehicle and buy a replacement. The company can also be liable for storage costs incurred prior to forfeiture.
Scenario F: A financial clerk in a law firm was required to collect and issue checks on a weekly basis. Being in need of money for personal projects, she started forging signatures and issuing checks to her own name. Her crime was only found out when some checks were returned by the bank due to discrepancies.
Systematic abuse through fraud perpetrated by employees can sometimes be very difficult to detect, as the employee would have intimate knowledge of the checks and balances in a company’s operations and hence be able to work around these easily for an extended period of time.
Scenario G: A runner in an illegal betting syndicate used a company’s fax, corporate phone account and computers to co-ordinate bets and payments. Eventually he was implicated by other members of the syndicate after they were arrested. Authorities visited the company premises and seized the computers in the company to conduct digital forensic examinations.
Authorities can sometimes seize assets used in the commission of an offence. These seized items can sometimes be subsequently forfeited, severely affecting business operations.
Scenario H: A project management business was unable to communicate with clients (via email) for two days due to network failures. Several prospective customers took their money elsewhere over this short period as they did not get replies to their queries and proposals.
In a highly connected economy, being cut-off from the Internet for even a short period can damage business operations significantly.
Scenario I: An employee of an engineering firm suddenly resigned from work and failed to hand over duties and responsibilities during the period where he was serving out his resignation. On his last day at work, the disgruntled employee re-formatted his computer and erased everything from his computer’s hard disk and external hard drives. His replacement was not able to retrieve copies of engineering designs, complicated CAD schematics and proprietary, project specific maintenance programs and testing procedures. Several clients immediately terminated existing contracts and invoked liquefied damage clauses when they realized that the company would not be able to meet agreed upon service standards.
In today’s dynamic workforce, with individuals being able to secure jobs across borders easily, high turnover is common in many companies. If not properly managed, expertise, intrinsic knowledge, experience and core competencies can be eroded or lost completely over a short period of time.
This list is obviously not exhaustive. While there is no such thing as being 100% secure or crime proof, there are effective, affordable and reasonable measures that a small business operator can adopt to protect his bottom line against crimes such as fraud, theft and sabotage (intentional or otherwise).
Loss Prevention Planning for Small & Medium Businesses
Any good loss prevention plan must be dynamic and comprehensive enough to cover all aspects of business operations, while always being able to respond to changing threats and new risks that may present themselves. A well-developed plan helps prevent damage to business continuity by ensuring that the business operation is reasonably secured against various kinds of threats.
Creating checks and balances through processes meant to protect business operations from risk can often add a layer of inconvenience to business operations. Hence, a loss prevention plan must take productivity into account and strike a clean balance between business efficiency and vulnerability.
A loss prevention plan once implemented must be reviewed on a regular basis in order to maintain its effectiveness.
Who/What Brings Risk to Business Operations?
Threats to business continuity from insecure operational practices can be caused by anyone, intentionally or otherwise. This includes existing and former employees, cleaning service providers, customers, suppliers, changes in technology and natural/man-made disasters.
Some individuals who can cause threats to business continuity are:
- Disgruntled ex-staff with a bone to pick or a score to settle.
- Business competitors seeking an unfair advantage into a market, no matter how small it may be.
- Thrill seekers looking to get away with a “high” on a committing crime.
- Smugglers attempting to use legitimate business operations to cover their tracks or launder money.
- Employees who want to use company assets for crime such as company vehicles, fax machines and warehouse spaces.
Some factors that threaten business are:
- Unreliable infrastructure supporting networks
- Unreliable public services such as an unreliable power grid
- Natural disasters
- Fires and other man -made hazards
- Internal processes prone to abuse
- Lack of competence in staff
Corporate security failures are not always about someone trying to find a shortcut to financial gain and hence the notion of “being” too small to be a target is greatly flawed. Far from being unattractive to fraudsters, small and medium businesses can present themselves as easy targets, as criminals know they can systemically abuse the security gaps in these businesses since many such businesses do not to implement robust security measures.
Hence, even if the expected reward from criminal activity is small; a small risk of getting caught presents an attractive risk: reward ratio for criminal activity.
While the best practices in this book will present a comprehensive overview of some basic operational best practices; when designing a loss prevention plan, it should be kept in mind that some business operations are more vulnerable to risk due to the unique nature of their business or industry, the specific location they operate out of or the infrastructure available in their country. When designing a loss prevention plan, business operators must take into consideration the unique nature of their businesses and adapt the best practices accordingly.
Managing Corporate Security Concerns
The following 10 key areas of corporate security concern in business operations have been identified:
- Document & File Handling
- Human Resource
- Information Communications Technology
- Operational Assets
- Handling Payments & Money
- Third Party Human Elements
- Employee Access Control
- Risk in Procedures & Practices
- Work Place Design
- Maintaining a Security Awareness Mind Set
Best Practices and Loss Prevention Planning
The adoption of best practices in business operations in a well-designed Loss Prevention Plan creates layers of defense by:
- Injecting predictability, as any deviation from the norm become obvious to audit checks and other employees
- Removing a significant level of uncertainty and risk by defining boundaries of actions that employees must adhere to
- Complementing a system of hierarchy in authoritative decision making
- Establishing accountability of employees’ actions
- Defining limits of liberties employees can take in specific areas of operations.
At a basic level many best practices cost nothing to implement. However, business operators should identify the practices applicable to their business operations and complement them with available technology such as GPS trackers and encryption software.
After having implemented basic loss prevention planning for their businesses, the business operator must keep himself updated to the latest trends in corporate crime in order to keep the plan effective and comprehensive enough to deal to any emerging threats.