In Depth

Metrics for Corporate and Physical Security Programs

CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives

By Tom Wailgum

Page 2

D'Addario says the decline in robberies at Starbucks has resulted from implementing better awareness campaigns to help employees anticipate problems. Technologies, including smart safes and an interactive system that confirms security events, also have played a role.

Other metrics D'Addario relies on include tracking the frequency and outcomes of background identity checks, employee access control compliance (which is measured by spot audits and credentials checks), and cash or asset protocol performance (including sales, deposit preparation and banking). D'Addario says those are continuously audited, and exceptions are investigated routinely. "Cash loss is monitored as a percent to sales on every business unit's P&L," he adds.

D'Addario says that some measures he takes for security are also valuable to Starbucks' quality assurance team. For example, tracking how well the company maintains the integrity of its food containers remains a critical interest for both his security group and quality assurance. Container integrity is the reasonable assurance that the contents shippedvia overseas and truck routesare those that were ordered. The company performs auditable inspections on these processes, including checking the integrity of container seals, he says.

Because Starbucks is global, method-ologies for tracking these processes vary by region, depending on the infrastructure and technology available. But the measures are an essential component of quality assurance, D'Addario says.

Key performance indicators are tracked by period, quarter, year-over-year and five years running, he adds. "That enables cost and benefit impact assessments, risk-gap closure analysis as well as return on funds spent," he says.

The trend analysis that D'Addario documents allows him to test new security technologies and protocols against the trends to decipher if they are contributing to sales or net profitability.

Working in the retail industry, D'Addario also benchmarks his cash loss as a percentage of sales as well as inventory shrinkage numbers with reputable industry group figures. Those kinds of numbers (which he declined to share for publication) allow D'Addario to present security performance indicators to his bosses.

"Thoughtful prevention design with forecastable results for performance improvement are viewed as investment opportunities," he says. As an example, he says that a number of international markets adopted exception-based reporting after witnessing its performance for top-line and bottom-line contributions in the United States. D'Addario reports that the protocol has since delivered the same performance in the international markets.

The key to all of that, D'Addario says, is that those forecastable results "are baked into the operational budget process with return expectations." While that puts your security department on the hook for demonstrable results, it also can make the CSO look brilliant in the boardroom when he delivers.Nestlé Metrics Emphasize Prevention and Protection When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive.