Sweet success: Dunkin’ Brands security focuses on making dough

It was an industry conference that sparked something inside Jack Sullivan, director of Corporate Security and Loss Prevention for Canton, Mass.-based Dunkin’ Brands. At a security conference in Boston several years ago, Sullivan says the speakers on the agenda were largely from Fortune 100 companies. He was expecting the usual presentations, mostly advocating guards and gates. Instead, what he saw was business leaders with security and investigations backgrounds talking about how they use their expertise to drive their businesses.

“For example, instead of a tired presentation about how to conduct a background investigation, they spoke about the economic benefit of hiring the best people because of their thorough background-check procedure,” he recalled. “They demonstrated the ROI of having a vigorous background-investigations program and coached us on how we should position our argument to executives to justify an enhanced background-check program. Once I saw how these leaders approached their roles, I completely reimagined how I looked at what I could do for my organization.”

Reimagining and rebuilding the security program at Dunkin’ Brands, which owns Dunkin’ Donuts and Baskin-Robbins—chains of coffee shops and ice cream stores—and has 13,000 stores in 31 countries worldwide, was Sullivan’s vision for the next several years. What was initially a three-person retail-loss-prevention and royalty-assurance department is now a 30-plus-person department that owns global corporate security, loss prevention, due diligence, business continuity, disaster recovery, travel security and a host of other duties. Sullivan’s mission from the start has been to move from being perceived as the department that always says “no” to an enterprise risk-management model that is fully integrated in all facets of the business.

Also see The essential retail security reader for a roundup of retail industry security issues and tactics

“Security departments have long been thought of as a place where ideas go to die,” notes Sullivan, who has a masters degree in government from Harvard University and who earned a criminal justice degree at Curry College. “I try to encourage my team to think of themselves as business people with security and investigations backgrounds rather than as security and investigative professionals that happen to be working in a business. We need to have business skills similar to those any other corporate employee is expected to have.”

But it was a perception that was going to have to change not only within the security department, but throughout the Dunkin’ Brands organization.

“In a meeting a while back, our CEO listed the departments that would have the biggest roles in improving sales in our restaurants in the coming year,” he says. “Our department was not mentioned as we were focused on policy enforcement that did not add material economic value to our franchisees or the enterprise. I was determined to make my team as valuable to the economic success of the business as any other business unit.”

From Deterrence to Making Dough

One of his first focus points was helping Dunkin’ Brands franchisees—where employee turnover can be as high as 200 percent annually—to identify employee theft, which can total millions in loss each year. Until Sullivan got involved, franchisees were left to their own devices when it came to loss prevention. But Sullivan saw an opportunity to boost profits for franchisees and the company.

“Five years ago, if I thought we needed new CCTV technology in our restaurants, I would have given our executives and our franchisees an elevator speech on the deterrence value of the cameras. My viewpoint would have been as the head of security rather than a business executive,” says Sullivan, who was director of security for the Joslin Diabetes Center in Boston before coming to Dunkin’ Brands.

“Today, I would approach the executives and our franchisees with a business case focused around the percentage of increase to the top line the CCTVs will provide, along with a defendable ROI. Because we have fully integrated security into the business strategy, this approach positions my department as a business driver and a success enabler, not just the department that enforces policy.”

Sullivan is no stranger to fraud investigation. He was at one time a special agent with the Department of Health and Human Services Office of Inspector General and the chief investigator of the Commonwealth of Massachusetts Health Care Fraud Unit. So fraud was where he first searched for proof of how security can drive change and profit.

Sullivan and his team at Dunkin’ Brands decided to adopt a strategy that involved integrating video and point-of-sale data, and using exception-reporting software to zero in on suspicious transactions. In a typical POS theft scheme, the offending employee will underring a sale, manipulating the cash register to expect a smaller amount than the customer is charged, then pocket the difference.

Sullivan implemented a third-party data-investigation service that can query Dunkin’ Brands point-of-sale database in search of suspicious transactions, remotely access the corresponding video for confirmation and report incidents of employee fraud to franchisees. They zeroed in on one particularly problematic location at the outset.

“Each transaction from the system flows into a database of sales-transaction information. My team analyzes the data and then informs the franchisee of our belief that theft is occurring. The franchisee then reviews his own surveillance video to confirm our suspicions.”

The results were excellent. By analyzing suspicious transactions, the Dunkin’ Brands’ corporate loss-prevention staff discovered that several employees were defrauding the franchisee by ringing up one-cent sales and keeping the money the customers gave them. Sales went up 30 percent at the store as soon the offending employees were terminated, according to Sullivan.

Corporate Goals Guide Security’s Priorities

These days, Sullivan says his basic philosophy is to concentrate on the strategic goals of the business and mold the security program to enable those goals. His team includes four direct reports: a senior manager of investigations, a senior manager of analysis, a manager of physical security, and an employee protection lead.

Each manager runs a team of between two and 10 people, says Sullivan. All are encouraged to use their investigative or security disciplines to enhance the larger business rather than trying to fit business objectives into existing security strategies. He says he lets the corporate strategy inform the goals he sets for the department and focuses on adding value rather than rigidly enforcing policy.

“At the start of each year, I send my personal goals to my team,” explains Sullivan. “These are the same goals that all employees have to develop and review with their supervisors each year. All of my goals revolve around my basic philosophy of using enterprise risk-management techniques to attain the goals that the organization has set in its annual strategy sessions. I coach my team that their personal goals for the year should be based on how they can use their security and investigative backgrounds to drive economic impact to our organization.”

Employees are held accountable to these goals as a way of continuing the cultivation of this way of thinking, says Sullivan. The topics discussed at team meetings and regular conference calls all flow from the basic philosophy that corporate strategy drives their work. It is a constant effort to maintain and develop this mind-set, he says, but it has paid off in many ways throughout the organization.

“At the corporate level, we have also made it easier for our executives to travel abroad in emerging markets. Whereas in the past, we might have tried to discourage the travel, we have now adopted a business-first mind-set in which we realize that the company must explore emerging markets in order to stay competitive. Today, when an executive wishes to travel to a new market area, the answer is, Here is how we can support your efforts.’ We use the latest threat analysis, close protection, active monitoring, check-in procedures and emergency evacuation plans to enable business objectives.”

Sullivan also created a new business continuity program for the company, an effort, he says, that emphasizes the financial impact of a possible disaster. The plan includes the results of a business-impact analysis he conducted to determine which departments need to get back to work first and which can be delayed. The process required sound business acumen and input from many stakeholders in the organization.

“Developing a business-continuity program provides a great opportunity for security executives to be recognized as a business leader. Don’t fall into the old line of thinking that your role begins and ends with providing physical security in a disaster. Your role is to define a strategy on how to get your organization earning revenue once again by getting individual departments back to work after a disaster.” In addition to enabling the business and prepping for business continuity and disaster recovery, Sullivan says his efforts also include streamlining operations within the security department.

“Every morning I review our Security and LP dashboards that detail our metrics from the prior day, week and month. These are a mix of custom-built dashboards and spreadsheets that we input our data to each day. I watch for trends in either direction and meet with my senior managers to tweak our process to improve efficiencies if we can.”

“I also review sales reports for both of our brands so I can keep an eye on our business. Those reports keep me aware of our results on a daily basis and give me benchmarks that we can use to calibrate where we devote our resources. By looking at these reports daily, we can make changes in the moment before any downward trends can get a foothold.”

Coffee Talk Leads to New Concepts

Sullivan says he views Dunkin’ Brands’ internal corporate partners and franchisees as customers and tries to speak with as many of them as possible on a daily basis with informal visits and chats.

“I can almost always walk away with another idea on how we can better serve the business. It’s the best way to learn how your programs are impacting people. It’s easy to stay behind a desk all day trying to manage a P&L or to keep up with e-mail, but I make it a point to get up and walk through other departments to be seen and to informally solicit feedback.”

Also see Brand protection: The expanding CSO portfolio on CSOonline.com

Throughout his week, he seeks out opportunities for informal chats to get feedback and ideas, and also to educate others in the company on what his department does.

“I recently shared a coffee break with our head pastry chef,” he says. “Our paths have never crossed before, but I thought he’d be interesting to speak to. Once he found out what I did for the company, he expressed frustration about ice-cream-cake theft. I told the chef that my department actually has a number of people working on that issue. He was stunned and excited that his culinary work was being well protected. You can’t assume that everyone in your organization understands what you do.”

Sweet Success

Based on the feedback he is getting from other departments, Sullivan says he believes his efforts are a success. Perhaps the best compliment of all, he says, is the attention he now gets from the C suite.

“We are now at the table for every decision as it pertains to risk mitigation globally. One of the best measures of our value is that C-suite executives now engage, asking me what my team can do to solve a particular business challenge.”

Sullivan sees integration into business strategy as his ultimate goal, and he thinks his department is now there. Case in point: Recently, Sullivan spoke with a new hire who had been brought on to head one of the company’s brands. He met him on his way out of a board meeting and the new hire informed him he had big plans for the future, plans that would include Sullivan’s security team.

“He told me that, based on what he was hearing about my department’s performance, he had just told the board of directors that the security and loss-prevention department would be a key piece of his plan for his brand’s success in the coming years. He told me that we would be [joined] at the hip as he tried to lead this brand. Thinking like that is exactly what I have been striving for as I try to get business leaders to fully integrate security departments into the overall strategic vision for their companies.”

See more in-depth security case studies.