Like all other aspects of business today, security systems often prove to be highly complex and hard (even for the participants) to identify.
The culture of an organization is like the culture of a family, a community, or a nation: Because it surrounds the people in it they often have a great deal of difficulty in recognizing to what extent policies and procedures arise from the constraints of culture and what therefore can be relatively easily changed. Matz (2010) summarizes the ways in which organizational culture both supports an organization and can blind the individuals in it to ways in which their actions may no longer be as effective as they once were:
… the essence of organisational cultures consists of a set of 'unspoken rules' that exist without conscious knowledge of the members of the organisation. Over time the invisibility of the attributes at the deepest level of the culture becomes reinforced, which further complicates access in studies or casual interviews. Values and behaviour become manifestations that reflect the essence of the culture. Accordingly, it becomes necessary to examine the functions of organisational cultures and the impact the behavioural patterns of such cultures on the organisation as a whole. (Matz, 2010).
One of the most necessary aspect of any organizational culture to examine are the security mechanisms of the culture. Because most employers feel at least some discomfort in addressing security concerns (in no small measure because they do not want to think of their own employees as possible criminals), security systems are often allowed to lag behind.
Moving Toward an Era of Total Asset Protection
Dalton (2003) argues that most firms (and this has certainly been true of RAI) move through a predictable process of creating security systems. He describes this process as follows:
Step One: Physical Security Era: The primary role is reactive loss prevention
Step Two: Corporate Security or Global Security Era: An increased integration of security into business decisions, occurring simultaneously with the emergence of employee awareness programs
Step Three: Total Asset Protection Era, characterized by 'a focus on addressing all of the corporation's assets -- tangible and intangible' (Dalton, 2003, p.23).
Dalton argues that most companies (regardless of what sector they are in) are still focussed on one of the first two steps. This is certainly the case with RAI, which must shift toward a more complete and integrated version of how to supply security.
There are two different ways of assessing how far a company has proceeding along the path to Total Asset Protection. The first is what can be considered to be a technical one, one that assesses the ways in which (for example) alarm systems are wired and connected to live personnel. This is of course important. However, even more significant is how the overall corporate or organizational structure affects the company's ability to provide total asset protection. As suggested above, an essential part of the concept of Total Asset Protection (indeed, an essential part of any well-designed security system, regardless of what one calls it) must be the acknowledgement that all of the assets of a company must be protected from assaults from both the outside as well as the inside:
[a] criminological approach should be pursued to fully encompass the conceptual framework of the relations between provision of security and organisational culture. The effectiveness of an organisation is generally exposed to both internal and external threats. Organisational cultures and security structures respond differently to these types of threats. In the following the role and structure of security will be evaluated in relation to internal threats, primarily described as employee dishonesty and workplace violence. (Matz, 2010)
While it is not essential, it is certainly in almost all cases much easier to call in an outside company to provide an assessment of a security system's faults and strengths. Precisely for the reasons outlined above when describing what an organizational structure is (that is, something that affects every aspect of how those in an organization work in such a way that they are not always aware of it), it may prove to be impossible for employees to provide sufficiently insightful reviews of the system.
Moreover, bringing in an outside security firm to assess and initiate security systems provides the advantages that such a firm is much more likely to be aware of the latest developments in hardware as well as in practice. This is hardly to be unexpected: Security firms, after all, are paid to do precisely this. And finally, in terms of the pursuit of Total Asset Protection, having an outside firm design the process of securing the company means that fewer employees will have access to the details of the security system and will therefore have less temptation.
Risk Analysis Model of Security
A risk-analysis model for instituting a security system is an older model than is that of total asset production and thus to some extent reflects the simpler security needs that companies used to try to meet. This does not mean that companies in fact had the need of simpler security systems but rather that they conceived of their security needs in simpler ways. Like the neighborhood where everyone keeps their doors locked, companies tend to follow the lead of their neighbors and institute only the same degree of security that other comparable businesses use.
Risk analysis can be broadly defined as any form of analysis that is used to, first, identify any and all possible factors that might put the success of any project into jeopardy. The term is usually applied to single projects but can also be applied to the overall goals of a company. One significant advantage of a risk analysis over other forms of security is that it can be used in a preemptive way. That is, it can be used as a way to predict what kinds of security problems may crop up and to put mechanisms into place to prevent these problems from becoming serious.
One way in which RAI can use this particular form of security strategy is to institute better screening of its employees as a way of looking ahead to prevent possible problems. Currently the company screens for past felony convictions but not for misdemeanors. This can be a distinct problem because many drug offenses are pled down to misdemeanor convictions, which has already allowed some previous drug-users to be employed at RAI.
Given that one of the most serious problems that the company faces is employee crime (as is true of other companies) and that the most valuable asset that the company has that can be stolen is medication, it would benefit the company to exclude individuals with drug conviction records from being hired. The company does not currently drug screen its employees. Instituting such screening might seem to be a good idea given the above suggestion to keep drug-users out of the employee pool, but the company CEO will not allow such testing, believing it to be a violation of employee civil rights.
While there is certainly the possibility that failing to drug test employees will increase the chance that drugs will be used by employees either off-site or even at work, there are also advantages to it. Assessing risks includes both an assessment of what can increase risk as well as what can decrease it. Drug testing is an excellent example of an action that has the potential both to reduce and to increase risk. Because employees know that they will not be tested, they may be more likely to use drugs, which increases risk. However, the experience at RAI has been that not having drug tests makes the employees more loyal. This is likely to decrease the chance that the employees will use drugs.
Even more importantly in terms of the bottom line is the fact that RAI has a much lower turnover rates than do comparable companies. Given how expensive turnover is in terms of retraining, this is a significant benefit to the company, as it would be to any company. A company that offers medical services to individuals who are in a vulnerable position in their lives will in all likelihood be grateful to a company where they can count on seeing the same staff faces each appointment.
RAI presents us with an excellent case of how complicated the process of protecting a firm's security may be because it includes the need for both traditional forms of security as well as the most up-to-date. The company is not doing a bad job, but it could certainly improve the quality of the security that it offers to both staff and clients.
The most important change that the company can and should make is to integrate its different departments more closely. The company has designed a process for providing dialysis that offers many more and substantially better medical services to its clients. This much-higher level of service allows the company to charge higher rates than can other dialysis clinics. RAI…