The role of a security manager varies widely according to the particular organization and its needs, but despite this variety, there remain certain best practices and policies that can help maintain security and stability. This is nowhere more true than in the case of organizational loss, because while loss can mean widely different things depending on the field, the underlying theoretical concepts which inform attempts to minimize loss are broadly applicable. By comparing and contrasting different kinds of organizational loss and the demands they place on security managers, one is able to better understand which responses and policies, both general and specific, will be most effective in responding to organizational loss. As will be seen, while the specific options available might vary wildly according to organization, the underlying theoretical justifications for those options apply nearly across the board, because they are based on the same shared concepts that define the role of a security manager regardless of context: surveillance, communication, symbiosis, and directed autonomy.
To begin it is necessary to define organizational loss both generally and specifically, because it is both a highly specific issue in practice that nevertheless affects every organization, whether it be a small school, a government agency, or a multinational corporation (Fox & Harding 2005, Newmann 2002, Comfort 2002). In the broadest sense, organizational loss is precisely what the term sounds like; that is to say, it refers to any loss suffered by the organization in question, whether financial, material, or immaterial. At first glance this might not appear to be a particularly useful term due to its broad definition, but when considering a security manager's responsibilities regarding organizational loss, it soon becomes clear that the same underlying concepts apply across the board, to the point that the broad category of organizational loss becomes a meaningful and useful classification.
Some of these losses are within the control of the security manager, while others are beyond the control of anyone within the organization. For example, while a security manager would undoubtedly be responsible for securing the sensitive internal communications of an information technology company, there is fairly little anyone could do to prevent the property losses associated with natural disasters such as earthquakes or hurricanes (Werlinger, Hawkey, & Beznosov 2009, Cristy 1963). Even in the latter case, however, one could probably identify some preventative measures to minimize that loss, such insurance, backup databases, and employee counseling and emergency communication services.
Having defined organizational loss in general, it will now be helpful to define and describe it as it relates to a variety of different organizations, in order to better understand the concept as a whole as demonstrate how the underlying theoretical basis of security management and planning can inform responses to a variety of situations. Perhaps the easiest field in which to begin discussing organizational loss is retail sales, because the kind of organizational loss most frequently suffered by retail organizations is fairly simple to understand and respond to. This is, of course, referring to theft, whether it be shoplifting perpetrated by individuals outside the organization or the theft of goods or revenue by employees themselves. In both instances the role and activities of the security manager will be largely the same.
Shoplifting is one of the most prevalent kinds of theft, likely because it is frequently easy and there is little perceived risk. In fact, as of 2008, data suggests that "one in 11 people has shoplifted during his or her lifetime," and roughly "$13 billion worth of goods are stolen from retailers in the United States each year" (Blanco et. al. 2008, p. 905). Although specific responses to this kind of organizational loss will be discussed later, for now it suffices to acknowledge that direct losses such as those produced by retail theft are frequently the easiest to manage, due to the fact that they occur in relatively monitored environments and do not involve the kind of complexity or nuance that can make security management especially difficult. In turn, discussing the relatively straightforward approaches to shoplifting and employee theft will provide a simple demonstration of the theoretical concepts under discussion, before applying them to more complex situations.
In addition to the more straightforward losses created by theft and shoplifting, organizations are also at risk of more subtle, but no less insidious, forms of theft that do not target merchandise or cash, but rather proprietary or sensitive information, or else do target financial assets but through more subtle, frequently electronic means. This form of organizational loss has become especially relevant in recent years, as more and more organizations of all types have become increasingly dependent on information and communication technologies for their day-to-day functioning, even as a string of high-profile breaches and data losses have affected companies as notable as Apple and Sony (Werlinger, Hawkey, & Beznosov 2008, p. 5). In fact, digital theft and security breaches are rapidly becoming the most pressing issue facing security managers, as more and more individuals connect to their respective organizations via digital communication technologies rather than in-person interactions.
As will be seen, preventing and managing this kind of organizational loss requires a kind of spacial reimagining of the security landscape, because points of potential breach or loss are no longer confined to the physical boundaries of the organization. Nevertheless, this shift in perspective need not be viewed as an entirely novel or unprecedented response, because the same basic concepts that inform the security of physical boundaries can inform the securing of digital boundaries as well. This is because despite changes in technology, organizations still ultimately depend on human beings, and human beings present the same security risks everywhere, albeit in modified forms.
It is important to point out that organizational loss need not come in the form of theft. In fact, some of the most influential and difficult-to-manage organizational loss has nothing to do with theft, but rather with the natural comings and goings of an organization. As an organization expands or shrinks, it may need to hire new employees, fire existing employees, or reorganize employees into new hierarchies and groups. Every one of these actions creates the potential for loss, whether it be the loss of employees themselves, the loss of the experience or specific knowledge they retain, or even a loss in productivity from those employees who may have seen their friends and co-workers let go.
There is a reason much of the academic literature regarding layoffs and downsizing refers to those remaining employees as "survivors;" although the employees who have been let go are not actually dead, in terms of the organization as a whole, those employees that remain are forced to deal with their now-absent co-workers in much the same way that a family might deal with the loss of a loved one, while at the same time attempting to maintain the same level of efficiency and productivity (Milligan 2003, p. 115, Samuel 2010, p. 120). Though this might sound dramatic, it has very practical consequences for organizations attempting to maintain their level of productivity, and the security manager's role in surveillance and communication becomes crucial in this effort. In a sense, the security manager becomes the organization's internal eyes and ears, looking out for warning signs that employees are suffering.
This kind of organizational loss can extend even beyond employees and their connections with each other to actual physical spaces and properties, because if a particular building or property is closely associated with the organization's identity, the loss of that property, whether through disaster or simply a change of address, can negatively affect the organization in the same way that the loss of employees might (Milligan 2003, p. 115). This is because organizations, like individuals, establish their identity through a combination of physical and non-physical attributes, and because organizations are made up of individuals, this identity-formation is a two-way street; the organization contributes to the individual's identity, and the individual's identification with the organization ultimately generates the organization's identity as a whole (Hatch & Schultz 2002, p. 990).
While at first glance "employee nostalgia for the old site" might not seem like a particularly pressing or important phenomenon for a security manager to consider when confronting organizational loss, in fact it is precisely this kind of subtle, seemingly unimportant organizational attitude that can negatively affect organizations to the tune of billions of dollars in lost productivity, not to mention employee loyalty (which can itself affect the amount of internal theft or security breaches) (Milligan 2003, p. 120-121). Furthermore, if the property switch was precipitated by destruction or damage to the old site, then this attitude will only serve to compound the direct financial and material losses already suffered by the organization. In situations such as this, the security manager has the dual role of predicting risk while responding to the aftermath of those risks which were not sufficiently mitigated.
Before discussing potential responses to these different varieties of organizational loss, it is necessary to outline one final variety, namely, the kind of…