What’s important to energy provider Georgia Power (federal regulation compliance, for example) may not be important to coffee purveyor Starbucks (armed robbery statistics, for example). “Clearly, statistics on their own don’t make a very good read,” says John Hedley, head of group security for food maker Nestlé.
Francis D’addario Starbucks Metrics insight: Rigorous tracking of processes leads to improvements and business value.
Here is the story of four security executives in different industries who give a rare peek into the physical security metrics that are important to them, their CEOs and their organizations. Taken together, data points and measurements help them keep a firm grip on the most important metric of all: How much confidence the rest of the organization has in the security department.
To Francis D’Addario, the connection between security metrics and how effective he is as CSO of Starbucks is simple: His mission to protect people, secure assets and contribute savings year over year is validated with key performance indicators. Whether D’Addario, vice president of partner and asset protection at the $5.3 billion coffee and food retailer, is talking about physical assets (stores and equipment), liquid assets (cash and coffee) or human assets (employees and customers), using metrics is how he judges the success of his security group.
First and foremost on the priority list, D’Addario says, is the safety of people. The frequency of armed robberies at retail outlets, for example, is an important metric at Starbucks and within the retail industry.
Nestlé Metrics Emphasize Prevention and Protection
When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive. Hedley’s security staff, led by a regional security manager based in Abidjan, the commercial capital, set in motion an evacuation plan for the international Nestlé employees when it was clear that the violence was escalating to a dangerous level. “We have not done a cost-benefit analysis of how much money we have saved because of the security plan in place,” Hedley says, adding he was not sure of the evacuation’s cost. The areas most important to him are Nestlé employees, distributors and consumers; company property; and the strength of Nestlé’s reputation and brand.
Utility Uses Government Rules to Build Metrics
Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility. Readiness reviews are planned events and are a key component of Georgia Power’s business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility’s threat plans and know what to do when the threat level is raised or lowered.
Tracking Trends Incident trends and loss trends are next on Georgia Power’s metrics list. Levine says that it’s critical to be able to demonstrate that a CSO’s security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location.
She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you’re not able to prevent losses, then “you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures. Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports—business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers.
Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly. Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern’s 12 operating companies.
(Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)
As for data quality, Levine says that it’s important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern’s security managers. The case management system is a database that records all the details of incidents that are reported to corporate security. This includes an incident narrative and summary; victim, witness and reporting party names; losses; investigative activity; and case resolution. For example, the old case management system had separate incident categories for burglary, larceny, fraud and robbery. But in the new case management system, all of those crimes are categorized as financial matters.
“To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system,” Levine says.
http://www.csoonline.com/read/020105/metrics.html