BASIC CONSIDERATIONS

There are two factors that determine the quality of an assets protection program: an adequate and active prevention plan to prevent and limit losses and top management’s understanding and support of the program.

Countermeasures Planning

Rather than formulate and implement a comprehensive prevention plan, some organizations adopt protection measures in bits and pieces, reacting to problems as they occur. In fact, in some cases the problems are avoided until they become so serious that they can no longer be ignored. For exam-ple, when an organization receives a bomb threat, the facilities are often

1Uniform Crime Report 1995–1997, FBI, Department of Justice, Washington, D.C.

2Crime Victimization Survey, U.S. Department of Justice, 1997 (http://www.ojp.usdoj.gov/bjs/

abstract/cv97.htm)

evacuated immediately and the matter is typically referred to law enforce-ment. When additional bomb threats are received and production is seriously affected, the organization develops plans to cope with that hazard because it is perceived as the most urgent. By reacting in this way, the organization overlooks a wide variety of other potential emergency situations just as destructive as bombs or the threat of bombs. With very little more effort or expense, a complete plan could be developed to include all types of emer-gencies, instead of coping with only one situation.

Other organizations have adopted only one countermeasure instead of a complete program. An illustration of this is the organization that attempts to limit losses of materials by hiring security officers for each exit. The losses may decrease somewhat due to the use of security officers.

But large losses may continue because the bulk of the material is not being removed stealthily through exits but it is being diverted through a conspir-acy between inside employees and delivery drivers.

Avoidance of loss or prevention of loss is important in the design of the complete plan. Some security programs have been based almost entirely on after-the-fact responses to events that have already occurred. This is appropriately described as “crisis management.” An example is the enter-prise that depends entirely upon arrest and prosecution to deter dishonesty.

While fear of detection will discourage some individuals, others will con-clude that the risk of discovery is small and they will take a chance.

When a loss does occur, every organization has the right to make a criminal complaint and to initiate civil action to recover damages, when appropriate. The goal of the criminal complaint is a conviction with an order of restitution. In a civil action, judgment for the organization will result in an order for restitution. But those orders may be of little economic value if it is impossible to recover anything. This often happens, and firms have been forced out of business because they were unable to recover their losses. The fact that an individual is convicted and sentenced to jail will be of little benefit to an organization that has been damaged. This explains why private security is more interested in loss prevention than in loss detection and prosecution.

Although many potential losses can be avoided by effective security controls, others, such as natural disasters (for example, earthquakes and floods) cannot be prevented. But developing adequate emergency plans in advance to cope with all such problems can help mitigate the damage to property, even when some losses are inevitable.

Management Support

Some protection programs have been ineffective because the second basic factor, the need for complete management support, has not been effi-ciently stressed. When senior management delegates complete protection

responsibility to lower-level managers without top-level backing, the results are usually unsatisfactory. The protection program must be fully understood and supported at the top level in the enterprise and senior management must be interested enough to ensure that all personnel follow the established requirements. The example, good or bad, set by senior executives in complying with requirements will permeate the organization.

It is incumbent upon the asset protection professional to establish a well-defined strategy and communications program to ensure all levels of man-agement and employees understand the goals of the security organization.

Neglect or a lack of appreciation for adequate protection can also result in personal liability for corporate officers and directors — the stock-holder’s suit. Top officials of a company may be personally involved in legal actions if stockholders become aware of losses that could have been prevented by a prudent asset protection program. Additionally, two statutes also provide criminal penalties for “controlling persons” in corporations under certain conditions.

The Foreign Corrupt Practices Act (FCPA)¹ applies to any company that has a class of securities registered pursuant to Section 12 of the Securities Exchange Act of 1934 and any company that is required to file reports pur-suant to Section 15 (d) of that act. One segment of the FCPA makes it a crim-inal offense to offer a bribe to a foreign official in order to obtain or retain business. The segment of the FCPA that is most pertinent to our discussion requires that the company devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that the following four objectives are met:

1. Transactions are executed in accordance with management’s specif-ic or general authorization.

2. Transactions are recorded as necessary to:

a. permit preparation of financial statements in conformity with generally accepted accounting principals or any other criteria applicable to such statements, and

b. maintain accountability for assets.

3. Access to assets is permitted only in accordance with manage-ment’s general or specific authorization.

4. The recorded accountability for assets is compared with the exist-ing assets at reasonable intervals and action is taken with respect to any differences.

The penalties for failure to maintain these internal controls include a fine of not more that $10,000 or imprisonment for not more than five years, or both. These internal control requirements might appear to be solely within the purview of the accounting department. However, the assets protection

115 U.S.C. § 78dd-1

organization should make a significant contribution to attaining the third objective concerning control of access to assets.

It should also be noted that in January 1998, that the Organization for Economic Cooperation and Development (OECD) adopted a “Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.” The OCED consists of 29 member nations, and an additional five non-member nations (Argentina, Brazil, Bulgaria, Chile and the Slovak Republic) that also ratified this approach. The convention requires all sig-natory countries to enact legislation in their countries similar to the requirements of the FCPA in the United States. When this legislation is com-plete, a corporation will be required to adhere to the provisions of the FCPA and also meet the tenents set forth by each specific country in which it does business. These requirements subject the corporation to potentially multi-ple prosecutions in the event a bribe to a government official is discovered.

The second statute is the Federal Organizational Sentencing Guidelines.

The purpose of these guidelines was to stiffen the penalties imposed on cor-porations when their employees violate federal criminal statutes. They apply to antitrust, securities, tax, bribery, ERISA, fraud, money laundering and envi-ronmental violations. The guidelines substantially increased the penalties for businesses that do not make any effort to deter, detect and report crime.

The penalties were significantly decreased for those businesses that do.

The deterrent aspects of the guidelines provide that every company must make restitution to any party injured by criminal conduct and must pay a non-tax-deductible fine. A criminal violation that results in a $20 mil-lion gain for the company can result in a fine ranging from $1 milmil-lion to

$80 million. The amount of the fine is determined by the application of a table of multipliers based on aggravating and mitigating factors to arrive at a “culpability score.”

A compliance program designed to deter and detect criminal conduct can result in a significant reduction in the “culpability score” and the fine.

An effective compliance program must meet seven requirements:

1. The company must establish compliance standards that are reason-ably capable of preventing criminal conduct.

2. High-level management must have specific responsibility to oversee the standards.

3. The standards must be communicated to the employees and train-ing in compliance issues should be offered.

4. The company should test the system by monitoring, auditing and other systems designed to detect criminal conduct.

5. The company must exercise due care to ensure that discretionary authority is not delegated to individuals with a propensity to engage in illegality.

6. The compliance standards must be enforced through appropriate disciplinary procedures that include provisions that individuals will be disciplined for failing to detect or report an offense.

7. After an offense is detected, all reasonable steps must be taken to prevent a future similar offense.

A simple self-inspection checklist and scoring plan for assessing the level of your current security program is found in Appendix A to this chapter.

Communicating the Plan

Top management support of the plan will be based on a solid under-standing of the value of the effort. The plan must, therefore, be couched in terms that will be readily understood by top management. Business is ulti-mately conducted in financial terms and the prudent assets protection professional will communicate in those terms. Senior management will usually embrace an assets protection plan that is cost-effective and, if pos-sible, provides a return on the investment made.

Statutory and Regulatory Requirements

The conduct of many of the activities in the assets protection plan will be regulated by federal or state agencies or by statutes. For example, the Fair Credit Reporting Act provides requirements for the conduct of certain personnel investigations in most organizations operating in the U.S. Some segments of commerce and industry are governed by specific statute or regulation. For example, security requirements in the banking industry are specified in the Banking Act while the requirements for nuclear power gen-erating stations are found in the regulations of the Nuclear Regulatory Commission. The specific requirements are addressed in other chapters of this handbook.

Senior management will understand the need to comply with the statu-tory and regulastatu-tory requirements. The assets protection manager must be aware of the requirements and include them in the assets protection plan.

The innovative assets protection professional will meet the requirements in a cost-effective manner and, where possible, simultaneously fulfill other needs of the enterprise.