Every time I watch the news or read the paper I can’t but notice the growing need for professional safety and security services with each new day. Here in our region of the continent the prevailing political, military and socio economic issues have created opportunity for life threatening hostility into the core of daily concerns. Good security like a good wine will cost you in its acquisition. Generally speaking for the adequate deterrence and or containment of dangerous situations, both public and private sector institutions will require state of the art security systems in order to properly mitigate the threats they face. That having been said it is important to note that security services and products as others in different sector vary in cost and quality. The most appropriate set is always dependant on what is being protected and from what threat it is being protected from. The threat of cell phone tampering by a 3 year old only requires the application of a pin code, not so for a Westgate mall kind of terror attack. This provision of a complete and cost effective solution is often over looked where decision makers fail to ask themselves the right questions or where security falls victim to budgetary constraints. Only when the unexpected security breech occurs do people begin counting the cost. Safety like security is often one to suffer the same fate as was recently the case at the JKIA airport fire incident. In order to avoid some of these common pitfalls the following captioned guidelines will serve to help in decision making:
Mission & Money
· Always keep in mind Security supports the company’s mission, not the other way around;
· Because of the likely high expenses for good security, protect the most critical assets, those that if compromised, are likely to have the most serious consequences for your organization;
· At all times relate security objectives to how they improve the business position of the company
· “Security is always too much, until it is not enough” don’t rely on a crisis to gain resources to deliver on expectations.
Risk Management vs. Risk Avoidance
Since there is never a 100% security situation, all credit to the ingenuity of the human mind. The security manager must have strategy and design in the measures he chooses to implement in order to protect what must be protected while managing the rest. Part of that strategy will include your security design criteria (those specific reasons as to why a certain security system was installed in place of another, and/or why security devices such as cameras and access control readers were placed at certain locations and not at other points within a facility). This way whatever funds are available can be used to maximum protective effect.
Return on Security Investment (ROSI)
· Having selected a strategy based on the overall corporate mission and risk posed to it the security manager can then employ ROSI to further determine the plans viability. ROSI is a performance measure used to evaluate the efficiency of a security investment or to compare the efficiency of a number of different investments. Executive decision-makers don't really care whether firewalls or rocket propelled canines protect their company's assets. Rather, they want to know the impact security is having on the bottom line. In order to know how much they should spend on security, their interest and what they need to know is as below:
ü How much is the lack of security costing the business?
ü What impact is lack of security having on productivity?
ü What impact would a catastrophic security breach have?
ü What are the most cost-effective solutions?
ü What impact will the solutions have on productivity?
· Before spending money on a product or service, decision makers want to know that the investment is financially justified. A simple formula for calculating the security return on investment (ROSI) is as follows:
(Risk Exposure x % Risk Mitigated) - Solution Cost = ROSI
An imaginary example to how this equation works can be gotten by looking at the ROSI profile for acquisition of an explosive detector. Top Mall situated in a Nairobi suburb 4 IED incidents a year. The management estimates that the average cost in damages and lost sales due to a single bomb incident is KES 25,000. The mall expects to stop at least 3 of the 4 attempts every year by acquiring and using a KES 25,000 explosive vapor detector.
Risk Exposure: KES 25,000, 4x every year totaling to KES 100,000
Solution Cost: KES 25,000
Proportion of Risk Mitigated: 75%
ROSI = (KES 100,000 x 75%) – KES 25,000 = 50%
Do Your Homework
Research thoroughly, identify the right threat level: It is important for an organization to understand who one should be protecting themselves from. There is a significant difference, both financially and manpower-wise between protecting facilities from state sponsored terrorists as opposed to dealing with theft, or a disgruntled employee intent on making a statement against their employers. Your suppliers can also be the source of great expense and probably further unwillingness to provision security. Undertaking proper due diligence on them will help you avoid costly surprises later when you realize the supplier doesn’t match up to his written profile.
The absence of an adequate legal contract document is also an expensive pit fall. The contract should include a monitoring and evaluation close with clearly stipulated performance measures and /or after sales services like maintenance work, for the proposed supplier. There should be an escape route commonly termed as an exit close to protect you in the event you desire a quick termination of the arrangement. Finally all charges for the initial service/ product any other incidental cost and any future increments must also be inserted before the signing and later provision of the agreed work.
Budget Your Security
In view of all the above now prepare a budget, defend it and later manage the cost of security. In addition make a successful case for investing in your chosen security strategy by including some non-traditional areas of argument to those that we as security managers regularly revolve around. Explore the issue of customer confidence to the provision of reliable and well protected services and or products. With the help of the marketing department an argument you could use is that the improved security system will be communicated to customers as further reason for them to have the utmost confidence in your organization. Loss of public confidence with any organization can have very serious consequences, and is a major terrorist goal in itself. Another relatively new area is the issue of counter liability. In the event of a security incident there may be law suits following alleged gross negligence charges. The inability of an organization to demonstrate that they had taken the right measures using qualified personnel is likely to be seen as an immediate example of the failing of the organization. Common high cost of security dockets include continuous staff training programs, equipment purchase especially the IT based type which becomes redundant almost on an annual basis due to the rapid pace of innovation and development of newer improved versions, salaries and benefits mostly where the security is increasingly manpower based, specialized consultancy services in areas like ballistics, forensics, IT security among others and finally a major draw on the cost of security is the occurrence of a severe security incident. As is often witnessed, failing to prepare adequately is the most expensive docket of them all, one incident can easily crash a major company as happened in the December 1988 Lockerbie bombing of Pan-Am which was the largest airline worldwide at the time or the distraction of the Twin Towers in the US in September 2001 completely removing the building from existence. Expensive contemporary episodes may also include targeted cyber attacks and or a major loss of corporate reputation.
Avenues as those discussed in this last chapter can be calculated using the ROSI formula, coupling that with the other guidelines will greatly add to a security managers’ defense of the proposed expenditure.