Chapter 9

86 Identifying and Prioritizing Risks

D. Information—sensitive information, such as customer addresses, future store sites, etc.

II. Indirect Costs

A. Reputation with public or creditors—Retailers with shrinkage prob- lems are suspected of suffering from bad management.

B. Loss of employees—Recruiting, hiring, and training costs are multi- plied when employee turnover increases due to dishonesty or poor morale.

C. Employee morale—Honest employees are demoralized by the pre- sence of dishonest employees and rampant shoplifting.

D. Goodwill—the loss of targeted customers due to public perception of an unsafe atmosphere or the absence of desired merchandise due to theft

These costs are measured in terms of loss of assets, replacement costs, or loss of income. If an asset such as merchandise or critical information is lost, the resulting costs may come from one or all of the following areas.

Permanent Replacement Cost—Permanent replacement cost includes the wholesale purchase price, shipping charges and costs, and the cost to pre- pare and display merchandise lost to theft, accident, or error.

insurance Cost—The cost of applicable insurance premiums and déducti- bles should be subtracted from the coverage amount. The amount of cov- erage should then be subtracted from the maximum probable cost amount to accurately determine real costs.

Temporary Replacement Cost—If a part of a store location is damaged by fire, temporary costs may include rent or lease expenses and additional labor costs.

Related Cost—If a store is damaged by a natural disaster, an example of a related cost includes the salary cost of idle store employees.

Lost Income Cost—The loss of the use of a store or key merchandise can result in the operation having to divert cash, which could be earning interest elsewhere, to subsidize replacement and related costs. This is in addition to the loss of revenues. The following simple formula is used to determine lost income cost:

I = i ^{x P x t}

Where I = income earned i = annual rate of return

P = principle amount available for investment

t = time, in days, during which P is available for investment.

Data Analysis 87 ASSIGNING FINANCIAL IMPACT RATES

By affixing a total cost to each projected loss target, a rate can be assigned to each target. This rate reflects the financial impact the loss or destruction of that target would have on the retail organization. There are five rates that can be assigned to projected loss targets.

A Rating—Grave—a loss of this magnitude could result in the abandon- ment or long-term shutdown of the company.

B Rating—Critical—a loss of this magnitude could have a major negative impact on company assets or could force a major change in the com- pany's investment policy.

C Rating—Serious—a loss of this magnitude would have a noticeable impact on annual earnings.

D Rating—Moderate—a loss of this magnitude would be covered by nor- mal contingency reserve funds.

E Rating—Unknown—this is a temporary rating that is assigned until all priorities are established and a specific financial impact rate is assigned.

Every retailer can use this rating system, since it is subjective in design.

The level of a company's annual revenues and its contingency funds deter- mine the rating assigned to a potential loss. A $10,000 loss for a small retailer may equate a $100,000 or even a $1,000,000 loss to a larger retailer. There- fore, a small one-store jewelry operation that grosses $100,000 a year might assign a "grave" rating to a potential loss of $50,000 worth of inventory.

PROBABILITY OF INCIDENT OCCURRENCE

In order to more accurately rank loss threats from grave to moderate, the ana- lyst needs to determine the probability or likelihood that a particular incident will occur. The study of data collected during the survey should focus on two areas—current security and protective measures, and review of past loss inci- dents that have affected the company.

A major factor to consider when determining probability and frequency of adverse incidents is the historical data collected in the survey. Every attempt must be made to acquire this type of information. If there are no records of this information, the analyst should obtain similar information from businesses in the area and from local law enforcement authorities.

Interviews and written surveys from employees can reveal much of this information.

As past incidents are examined, trends should become apparent. Trends to look for include

88 identifying and Prioritizing Risks

• type of incident

• predominant time of occurrence, such as time of day, day of week, season, etc.

• type of merchandise taken, such as apparel, jewelry, health and beauty aids, etc.

• particular store, district, or region

• method of theft used, such as robbery, armed robbery, etc.

• profile of offenders, such as age, race, sex, employee, etc.

• average dollar amount of loss and/or recovery

One factor to consider when determining a target's vulnerability is the number of ways a particular loss event can happen. In the case of high-cost merchandise, the target may be damaged, lost, stolen by vendors, employees, and customers. Since the variety of ways to lose this target is so extensive, the probability of a financial loss is much higher than other lower cost merchandise.

Characteristics of the target must also be considered when determining vulnerability to loss. Examples include the mobility of the item, access to the item, the people who have access to the item, and the real or perceived value of the asset. Also, in the case of natural or man-made disasters, physical and political environments must be considered.

There are several tools that the security analyst can use to help determine probability and frequency of adverse incidents, such as incident calendars and plot maps. Incident calendars are large calendars on which incidents are entered by the date on which they occurred, to determine if patterns are tak- ing place. Plot maps are geographical maps or schematic charts of a business that have been covered with plastic or acetate so that loss incidents can be plotted to indicate patterns of occurrence. Plot maps are also used to indicate whether prevention efforts are displacing incidents from one locale to another.

EXAMINING SECURITY DATA

Once financial impact rates have been assigned and probability of incident occurrence has been determined for potential losses, the next step is to ana- lyze the data collected during the survey regarding current security efforts.

Starting with grave loss targets and working down to moderate loss targets, review stated policies and procedures for those loss targets and compare them to the actual practices taking place. In each case, barriers, control pro- cedures, and employee training designed to detect and deter theft and error should be in place. If there are no controls, no adherence to control policies, or an inadequate training effort, this should be noted. This information indi- cates the vulnerability of that asset to loss and suggests that effective counter- measures should be implemented.

Data Analysis 89 Individuals who analyze data from any survey must have a high level of expertise in order to correctly interpret collected data. It is also helpful to understand the day-to-day operation of the business. The probability of a par- ticular crime or loss incident changes constantly. Employees may be more liable to steal cash from a register if their personal needs are strong, there is a large amount of cash available, or if a more lax member of store manage- ment is on duty.

There is no secret formula or mathematical equation that will ensure per- fect analysis of loss threat data due to the number and complexity of social and environmental factors that affect loss incidents. However, the primary results of a thorough analysis include

• trends or patterns of similar type incidents

• suspect or crime links, that indicate a possible perpetrator

• target profiles that indicate merchandise or other assets that are frequently victims of losses

• forecasting of future incidents or shrinkage percentages

ASSIGNING LOSS INCIDENT PROBABILITY RATE

After all available data have been collected and examined, a probability rating should be assigned similar to the rating used to rank impact of finan- cial loss on a business. This rating is made before any new countermeasures are implemented. The assigned rating indicates the likelihood of an event occurring compared to all other significant adverse events. There are five loss incident probability rates.

1 Rating—Almost Certain—Barring major changes in circumstances, this event will occur or will occur frequently, compared to other events.

2 Rating—Very Probable—This type of incident is more likely to occur than to not occur.

3 Rating—Probable—This type of event should occur if circumstances remain stable.

4 Rating—Improbable—This event is less likely to occur.

5 Rating—Unknown—More data is required to assign a rate.

While this type of rating system is not exact, it does allow the security specialist to make educated guesses. When in doubt, assign a higher rating.

PRIORITIZING RISKS

Now that risks have been assigned financial impact and probability rates, the security specialist must then prioritize risks, starting with listing the most

90 Identifying and Prioritizing Risks

serious risks. By prioritizing risks in descending order, attention can be focused on the most serious threats first. By following this method, risks would be listed as follows:

1. Al, A2, A3, A4 2. Bl, B2, B3, B4 3. Cl, C2, C3, C4 4. Dl, D2, D3, D4

The analyst must make the determination if greater weight should be given to the financial impact or the vulnerability of the asset when prioritiz- ing risks. Once all risks have been ranked, the formal security data analysis is complete. The security specialist has identified and prioritized risks, and can now design and implement cost-effective countermeasures to reduce overall corporate losses.