By Glen Kitteringham
With the downturn in the world economy, security managers should be embracing metrics. However, anecdotal discussions with many security practitioners indicate that the use of metrics is still in its infancy. Part of the problem may lie with the fact that in order to use metrics, data needs to be available for analysis.
Despite some excellent resources available to assist security
practitioners in gathering and assessing data, there don’t seem to be
many people who are taking advantage of them. Another issue is that it
can be difficult at times to display complicated material in a graph or
numbers. The greatest challenge is finding the time to properly assess
and display information.
Metrics, as defined by Kovacich and Halibozek in their excellent 2006
book Security Metrics Management, is “a standard of measurement using
quantitative, statistical, and/or mathematical analysis.”
If you are one of those people whose eyes glaze over when you read
this, you should take heart. It is not nearly as boring as you think.
Or maybe it is to some of you, but in today’s business environment, it
is absolutely necessary for showing the value the security department
brings to an organization. I make the argument through an analogy.
(For those who know this already, please indulge me.) Consider the
budget you work with as a pie. Regardless of whether you work for a
government institution, a non-profit or NGO (non-government
organization), private business big or small, publicly traded or not,
there is a finite amount of money with which you have to work.
Additionally, you are competing for a slice of that pie along with
other departments, units, or people.
Now, except for some absolutes, such as paying for emergency
replacement parts and other annual recurring necessities, the group,
department or person who can show they will provide the greatest return
will typically get the money they are requesting. There are no
absolutes, especially in these trying economic times where absolutely
everything is subject to review. But those who are prepared to show the
value of their efforts through the use of metrics are much more likely
to get a larger piece of the pie.
I am not suggesting that in every case security practitioners must show
an economic return, but there should be some kind of return that the
financial decision makers in the organization can use to see what they
are getting for their money. This return might be something as simple
as how many patrols security staff conducted, how many investigations
were carried out or how many reports security staff wrote in a fixed
period. Now these examples are simple in the extreme. Simply knowing
how many investigations were carried out isn’t as illustrative of
departmental value as learning how many of those investigations
resulted in asset recoveries, arrests, convictions, or some other
metric deemed important by senior management.
Those unwilling or unable to show what they bring to the organization
face diminishing budgets and influence. If a security practitioner
cannot even show what they are doing with their budget, then it must be
asked, why are they even there?
I will be the first to acknowledge that the use of metrics is fraught
with difficulty. As Benjamin Disraeli, a 19th-century British Prime
Minister, is often quoted as saying, “There are three kinds of lies:
Lies, damn lies and statistics.” You can pretty much get numbers to
say whatever you want. You can put 10 security people in a room, give
them a set of statistics and come up with 11 opinions.
This should not dissuade one from using metrics. They don’t have to be
fancy or complicated. For those not currently using metrics, it is
always best to start off with the basics. Whether a security
department consists of a single person or 100, they obviously have a
company or departmental mandate to produce some type of work. Often,
simply showing through numbers what that work consists of is the start
of a metrics-based security program. Once a basic program has been
established, you will find that more sophisticated metrics will be
gathered, assessed and reported on. There are excellent resources
available including the aforementioned Security Metrics Management
(Butterworth-Heinemann), Measures and Metrics in Corporate Security:
Communicating Business Value (Security Executive Council) and Cost
Effectiveness and Loss Reporting, Vol. I, Chp. 2, Part II of the
Protection of Assets Manual (ASIS International).
At a major Canadian retailer, where I worked in the early to
mid-nineties as a loss prevention officer and internal investigator, we
collected various data including arrests per officer, arrests by floor,
arrests by sales departments, recoveries per arrest, civil recoveries
per case, arrests that resulted in conviction, reported tips, cases
launched per year, ratio of cases launched against successful outcomes
(arrests and recoveries), and total losses per arrested employee. The
use of these statistics did not just show the value of the work we were
performing; it allowed us to fine-tune our security program.
Determining where thieves were spending the bulk of their time allowed
us to focus our attention on high-loss areas.
In my present position, working in commercial high-rise security, our
organization collects metrics on a wide variety of issues, including
number of fire alarms both legitimate and false, number of emergencies,
their types, impact of losses, number of interactions with
undesirables, thefts in the buildings, arrests made, training programs,
as well as many other types of information. Metrics allow us to show
senior management the value our department brings to the company and to
fine-tune our security program. They tell us where the program is
working and where it’s not, whether additional training is required for
staff, what our real threats are as opposed to what we think they are,
and whether the implementation of a particular security measure was
effective, made a situation worse, or had no impact.
The capture of data and subsequent analysis is vital to the continuing
operations of a security department. If you are currently using
metrics in your day-to-day security operations, I congratulate you. If
you are not, why aren’t you?