Betting on Enterprise Risk Management

Strategic Security

A YOUNG WOMAN had been sitting with friends at a Las Vegas entertainment venue when a quarrel that erupted in a nearby booth quickly evolved into a physical fight. As the woman attempted to flee, the combatants fell on top of her and continued brawling, seemingly unaware that they were crushing her. By the time security personnel rescued her, she had suffered extensive injuries, including damage to her spine that caused permanent paralysis.

The above example is based on a real-life incident (although details have been altered to protect confidentiality). The question that arises is whether such incidents are random events or whether they can be anticipated and prevented. In other words, in a volatile environment with a history of similar adverse incidents, how likely is such an event once the frequency and severity of the earlier incidents are actually weighed and calculated? The sad truth is that situations of near-equal magnitude occur in Las Vegas gaming and resort establishments with increasing frequency, and they will continue to occur until the industry applies the principles of enterprise risk management (ERM). ERM is defined as the identification and assessment of the collective risks that affect value, and the formulation and implementation of a companywide strategy to maximize that value.

ERM is a risk-based management approach integrating concepts of strategic planning, operations, and internal controls. It is a dynamic process that evolves to meet the needs of the various stakeholders in the enterprise. The goal is to understand the broad spectrum of risk exposures facing complex business entities to ensure that those risks are appropriately addressed.

Real-World Impact
Before getting into the details of ERM, let’s look at the real-world implications. The following examples from my experience illustrate the implications of failing to analyze enterprise risk.

A gaming property was located in a high-crime-rate area, as evidenced by the calls-for-service reports from the local police department. Without regard for the security implications, the company built a new four-story parking garage with average illumination and no CCTV system.

The chief operations officer expected that the security department would simply absorb the expanded parking lot into its already over-extended roster of duties. Given the neighborhood dynamics, the security director had no choice but to reallocate staff, especially since there were no cameras in the garage. Five months after shifting security staff from the hotel to the new garage, a worst-case-scenario event occurred—a sexual assault and near homicide in the hotel. A major lawsuit followed, and the casino settled out of court.

When the owner conceived the garage, no one assessed the full spectrum of consequences for pursuing that business opportunity. One of the linkages between the garage and the hotel was the security department. The cost of that one settlement would have paid for a CCTV system and almost a year’s worth of security manpower. Soon after the settlement, the casino operator installed CCTV and access control systems.

The second example concerns a property located in an area known to be the territory of opposing gangs. The casino operator decided to add a movie theater on a distant site that was also a parking lot. Management of that site was outsourced to a company that was responsible for every aspect of the site, including security. The management company addressed its contractual security obligation by hiring a local guard company.

Shortly after the theater opened, scuffles between opposing gang members began. The subcontracted guard company was barely able to address the incidents. This necessitated the repeated deployment of casino security officers to the movie theaters.

A year into operations, a major fight erupted between gang members; shots were fired, resulting in several serious injuries. Once the media ran the story of the shooting and the gang incidents that preceded it, patronage at the entire property, including the casino, plummeted, and nearby competitors were the beneficiaries.

One of the linkages between the movie theater and the casino was the security department. The cost of failing to make the risk-reward calculation was that the casino operator eventually had to sell the movie theater and strip the former casino owner's name from its branding.

The third example involves a property located on the Las Vegas Strip. The casino operator decided to mimic its competitors and convert a low-key lounge to a full-scale nightclub. For several years after the nightclub opened, incidents were relatively few and minor.

Part of the site’s success was attributed to the mix of music, the talent of the DJs, and a strict dress code. Then a new general manager switched the music format and dress code to attract a different clientele willing to spend more money both in cover charges and beverages.

Shortly after the change, a major fight broke out in the club, sending 12 patrons to the hospital with serious injuries. The resulting litigation, coupled with complaints by local law enforcement and negative media exposure, created an untenable situation for management, who had not assessed the full spectrum of consequences of changing the DJ and music format.

Once again, the primary linkage between the club and the casino was the security department. Because of the event and the resulting litigation, the club was closed.

Core Concepts
The core concepts of ERM are the same, regardless of the industry to which the model is applied: know the organization’s strategic direction; know the value centers of the enterprise; understand the linkage of those value centers; identify and quantify unacceptable risks to those value centers; and then mitigate, obviate, or underwrite those risks to an acceptable level.

To the security practitioner with little grounding in risk management concepts and vocabulary, ERM appears similar to standard risk management (SRM). But there are key differences. SRM models typically focus on department-centric risk exposures, with the objective of controlling casualty risks within that unit. This model is antiquated in contrast to ERM, which takes a broader and more strategic perspective by addressing the full spectrum of enterprise-wide risk exposures: casualty, liquidity, market, political, and technological.

Strategic Direction
ERM initially focuses on the organization’s strategic direction. When asked, far too many security practitioners are unable to discuss this topic meaningfully, because strategy is set above their level in the management hierarchy. An organization’s strategic direction generally reflects and defines the degree to which senior management will focus its attention on risk control and security resource allocation.

Not knowing the organization’s strategic direction may have been generally acceptable in the past, but today’s practitioner can no longer operate effectively in such ignorance in the post-9-11 environment. The importance of having this knowledge becomes clear when attempting to obtain funding during annual budget reviews with the CFO.

It can also be important in litigation. During the deposition in the resort casino case highlighted at the beginning of this article, the highest-ranking security manager was asked questions about the casino’s strategic direction that he could not answer. This lack of appreciation of where the company was headed directly translated into the security department being inadequately funded since the mission of the department was not in sync with the direction of the company.

In another case in which I was involved, a gaming security director was asked during a deposition whether, and how often, he discussed with top management the strategic direction of the gaming organization to determine how to allocate protective resources. He responded that he, as well as the other security directors from properties operated by the defendant, rarely saw the CEO or CFO, much less had discussions with them. This situation is emblematic of an outdated management system prevalent at many casinos.

Companies need to understand that this issue of security’s relationship to top management will affect liability when the company has to defend its security practices in the courtroom. What’s more, it affects security’s ability to do its job. There must be in-depth discussions between the security director and the CEO or the COO, as well as conversations about security financing with the CFO.

Though gaming security directors usually don’t sit at the table where strategic decisions are made, they should strive to open lines of communication so that they can understand the essential priorities of senior management.

Risk and business management literature offers a business-status continuum that is helpful in gauging the organization’s current operational strategy. Beginning at the lowest and ascending to the highest end of the continuum, the steps are: basic survival, continuity of earnings, profitability, stability of earnings, social responsibility, and growth. The general principle is that the higher an organization sits on the continuum, the more resources it will allocate to sustain that direction.

For example, during the past decade, the gaming industry has undergone major changes in ownership through buyouts, mergers, acquisitions, sell-offs, and spinoffs. On one end of the spectrum there are gaming giants composed of dozens of former competitors operating under one corporate umbrella with tens of thousands of employees and billions of dollars in assets. On the other end of the spectrum, there are small to mid-size operators who are trying to hang on.

The following broad generalizations are accepted maxims in risk management and are designed to illustrate resource allocation at each progressive state on the business continuum.

For the giants and super-giants, the primary focus is growing the company both vertically and horizontally in their current markets and in expanded jurisdictions. For a few of the super-giants, construction projects are currently underway costing several billion dollars. Mid-range operators focus on maintaining market share, stabilizing earnings, and earning an annual profit.
For a few of the financially stressed mid-size operators and some of the marginalized family-owned gaming companies, the current picture is not rosy. These enterprises are operating at the level of basic survival or straddling between survival and maintaining basic continuity of income. For companies on a fast track for growth and expansion, senior management’s focus is typically riveted on guiding the company to a new level of performance. They are still interested in managing their risks, but not in the same category and not with the same sense of urgency. Their focus is on business, political, and market risks and less on casualty risks.

Senior management is more casualty-risk averse within nongrowth-oriented operators, and in that case, decision makers will play a greater role in partnering with the risk and security management team to mitigate the unacceptable exposures. For those barely surviving, the will is there but the checkbook is not. In these cases, sheer risk and security management creativity and ingenuity is required. Access to sophisticated techniques and technologies is simply not possible.

Profit Centers
Once security understands the strategic direction of the company, risk exposures should be identified, both vertically and horizontally throughout the entire enterprise. In the analysis to find these exposures, no area or department within the organization should be omitted.

In gaming establishments, there are five vertical profit drivers, called silos: the casino, the hotel, the meeting room, the amenities (such as restaurants, clubs, or shops), and the parking facilities. The old SRM model examines the type of casualty-risk exposures afflicting each silo while viewing every one of them as a standalone source of risk. This myopic perspective fails to grasp the interconnectedness of each activity; consequently, the risk assessment does not acknowledge possible links among the respective silos.

ERM not only recognizes the nature and scope of risk in each silo, but it also examines the risk activity or processes from the following perspectives: Does the activity that is generating the risk exposure hold critical value to the enterprise? What is the worth of the activity relative to the overall strategic direction? Is the value mission critical to the strategic direction?

If the answer to the third question is yes, what are the extraordinary resources that will be required to mitigate the risks and take advantage of the opportunity while enhancing the activity? If the answer is no, then serious consideration should be given regarding the sustainability of the activity as measured with both a risk-reward calculation and its net present value relative to future cash flow.

The ERM model recognizes critical risk interdependencies threatening profit drivers. Using linkage analyses, it probes the relationship between one system and another. One type of analysis examines direct linkage, which resembles a row of dominoes: if one domino falls (a system failure), it cascades onto the next one, triggering another failure. Some of these linkages are direct; others are indirect.

The other type of analysis examines embedded linkage, wherein one system is a critical component embedded within a larger system. If that vital component fails, the whole system is vulnerable to failure. By viewing the enterprise holistically and examining critical interdependencies, risk and security managers can forecast the implications of a system failure anywhere along the value chain.

The next step in the ERM process is to investigate the relationships between each previously identified value center, whether the links are vertically or horizontally direct, indirect, or embedded. The resulting relationship arrangement can be conceived as a model made of Lego pieces, with multiple nodes connected at various angles to other nodes. (The examples given earlier show the implications of these interrelationships.)
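The linkage analysis described above can be made concrete as a small directed graph: each silo is a node, the shared security function is a node, and every edge is labeled as a direct or an embedded linkage. The script below is an added illustration and not part of the original article; the node names, the edges, and the annual-value figures are constructed assumptions chosen to mirror the three cases described earlier, not figures reported by the author. Walking the graph from any node shows which other value centers a failure there puts at risk, which is exactly what a department-by-department SRM view cannot show.

```python
"""Linkage analysis over a casino-resort value chain.

Added illustration, not from the article: the value centers, the shared
security function, the edge set and the annual-value figures below are all
constructed assumptions chosen to mirror the three cases described above.
Edge kinds follow the article's two linkage types:
  direct   - the source's failure cascades onto the target (falling dominoes)
  embedded - the source is a critical component inside the target
"""
from collections import deque

# Assumed annual contribution of each value center (USD millions); security is
# a shared service rather than a profit center, so it carries no value itself.
VALUE_CENTERS = {
    "casino": 120.0,
    "hotel": 60.0,
    "meeting_rooms": 15.0,
    "amenities": 25.0,
    "parking": 5.0,
    "movie_theater": 4.0,
    "security": 0.0,
}

# (source, target, kind, note) - constructed to reflect the cases above.
LINKAGES = [
    ("parking", "security", "direct", "new garage absorbs hotel patrol staff"),
    ("movie_theater", "security", "direct", "theater fights pull casino officers off-site"),
    ("movie_theater", "casino", "direct", "news coverage of shooting drives patrons away"),
    ("security", "casino", "embedded", "security is a critical component of the silo"),
    ("security", "hotel", "embedded", "security is a critical component of the silo"),
    ("security", "meeting_rooms", "embedded", "security is a critical component of the silo"),
    ("security", "amenities", "embedded", "security is a critical component of the silo"),
    ("security", "parking", "embedded", "security is a critical component of the silo"),
]


def build_graph(linkages=LINKAGES):
    """Adjacency list: source -> [(target, kind, note), ...]."""
    graph = {}
    for src, dst, kind, note in linkages:
        graph.setdefault(src, []).append((dst, kind, note))
    return graph


def cascade(origin, graph=None):
    """Breadth-first walk from a failed or overloaded node.

    Returns {reached_node: [origin, '--kind-->', next, ...]}, one path by which
    the failure at `origin` propagates to each node it reaches.
    """
    graph = graph if graph is not None else build_graph()
    paths = {origin: [origin]}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for dst, kind, _note in graph.get(node, []):
            if dst not in paths:  # first arrival wins, so each path is shortest
                paths[dst] = paths[node] + [f"--{kind}-->", dst]
                queue.append(dst)
    return paths


def affected_centers(origin, graph=None):
    """Profit centers (value > 0) put at risk by a failure at `origin`, excluding itself."""
    return {n for n in cascade(origin, graph)
            if n != origin and VALUE_CENTERS.get(n, 0.0) > 0}


def exposed_value(origin, graph=None):
    """Annual value of every other profit center reachable from `origin`."""
    return sum(VALUE_CENTERS[n] for n in affected_centers(origin, graph))


def silo_value(origin):
    """What a department-centric (SRM) view weighs: the one silo on its own."""
    return VALUE_CENTERS[origin]


if __name__ == "__main__":
    for start in ("parking", "movie_theater", "meeting_rooms"):
        print(f"{start}: silo view {silo_value(start):.0f}M, "
              f"linkage view {exposed_value(start):.0f}M at risk")
        for node, path in cascade(start).items():
            if node != start:
                print("   ", " ".join(path))
```

Run on these assumptions, a problem in the garage (silo value 5M) reaches the hotel only through the embedded security node, which is the path the first case took; the theater reaches the casino both directly (the media story) and through security. A meeting-room failure reaches nothing, because in this constructed graph nothing depends on it. The edge set is the part a real assessment has to get right; the traversal itself is trivial once the linkages are written down.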

Mitigating Risk
At this point in the ERM process, security will have identified value-oriented profit centers and their interdependencies, and it will have assessed the threat environment relative to those centers. Next, security must address the unacceptable uncertainties using a formal and disciplined approach. The following steps are considered standards within the ERM model and a continuation of the previous three phases.

The fourth step is evaluation of countermeasures to either mitigate or obviate the threat, or ameliorate the threat-based conditions. The fifth step is the selection of the most appropriate of these identified potential countermeasures using predetermined operational and financial criteria. Sixth is the implementation of the chosen countermeasure either all at once or phased-in over time. Finally, the seventh is supervision of the entire process by monitoring both compliance and deviation from predetermined parameters.

The ERM process is not difficult, and most organizations possess the in-house talent to get the job done. What is missing in many organizations is the conscious decision to ramp up their existing risk and security management programs to create one that encompasses the entire enterprise, vertically and horizontally.

ERM can save the organization substantial sums of money by reducing losses and insurance premiums. Moreover, ERM will increase the organization’s ability to take advantage of risky opportunities while fortifying its ability to control the attendant loss exposures.

But this process is not implemented in one stroke of a pen. Typically, ERM is introduced in phases over a reasonable period of time, allowing the process to become part of the enterprise culture.

Back at the Club
Let’s return to the opening example of the nightclub incident in which the female patron was crushed. The lack of an ERM approach was clearly evident as each departmental silo was managed separately, with no appreciation of the interdependency with one another.

During depositions taken in the case, security officers spoke of having insufficient numbers deployed at the club and of recurring fights and increasingly hostile patrons. Security officers also revealed that they received little in the way of formal training to prepare them for a volatile nightclub environment.

Although the club’s security officers were given some instructions regarding handcuffing and conflict resolution for a nightclub environment, they received no practical training, such as mock simulations duplicating real-world working conditions. Rather than drilling officers in the club with the music blasting, strobe lights flashing, and fog machines operating, the security training supervisor simply lectured security personnel using a series of articles downloaded from the Internet that addressed date-rape drugs and certain promiscuous behavior by young adults in nightclubs.

During her deposition, the training supervisor revealed that she had never worked in a nightclub and knew little of what occurred in one. Her only qualification for the position of security department trainer was that she had previously taught junior high school for 12 years in another state, which left her ill-equipped to train adults for a large casino-resort-nightclub operation. She possessed neither an understanding of what security must deliver in a nightclub nor the skill to address contingencies, such as the behavior that precedes a fight, in such environments.

It also came out in the proceedings that the risk manager was actually a claims manager who reviewed the casualty claims after an adverse event occurred by reviewing the incident reports, studying the videotapes, and interfacing with the insurance company. He played no role in the identification, prioritization, or quantification of risk exposures and hazardous conditions in the environment.

The risk manager testified that those functions fell more into the security director’s area of responsibility, but the two rarely met for collaborative discussions regarding security. The risk manager also testified that he was not aware of the number of times that the police were called to the nightclub to assist with a public fight. He was only informed if the fight resulted in a claim against the casino.

Had the risk manager conducted a trend analysis of previous fights and a probability distribution of the varying levels of resulting injury, a picture of an unstable environment would have quickly emerged. This statistical analysis would have strongly supported the contention that there were probably too few security officers assigned to the club and that their training was inadequate to prepare them for the contingencies they would encounter.
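The trend analysis and severity distribution described above are straightforward to compute once incident reports are logged consistently. The script below is an added example and not the author's or the casino's analysis; the incident log it reads is constructed for illustration, as are the five-level severity scale and the thresholds used to call the environment unstable. It also separates police call-outs from incidents severe enough to become claims, to show how little of the picture a claims-only view of the club would have given the risk manager.

```python
"""Frequency/severity trend analysis of nightclub incident reports.

Added example, not from the article. The log below is constructed, not real
data: one line per incident report, `date,severity,police_called`, where the
severity scale is an assumption made for this illustration:
  1 verbal only  2 minor scuffle  3 injury treated on site
  4 hospital transport  5 permanent injury or death
"""
from collections import Counter
from datetime import date

INCIDENT_LOG = """\
2011-01-14,1,N
2011-02-11,2,N
2011-03-05,1,N
2011-03-26,2,N
2011-04-09,2,N
2011-04-23,3,Y
2011-05-07,2,N
2011-05-14,3,Y
2011-05-28,1,N
2011-06-04,3,Y
2011-06-18,2,N
2011-06-25,4,Y
2011-07-02,3,Y
2011-07-09,2,N
2011-07-23,4,Y
2011-07-30,3,Y
2011-08-06,4,Y
2011-08-13,3,Y
2011-08-20,2,N
2011-08-27,4,Y
"""


def parse_log(text):
    """Return [(date, severity, police_called)] from the CSV-style log."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        day, sev, police = (f.strip() for f in line.split(","))
        y, m, d = (int(x) for x in day.split("-"))
        records.append((date(y, m, d), int(sev), police.upper() == "Y"))
    return records


def monthly_counts(records):
    """Incidents per calendar month, zero-filled between first and last month."""
    by_month = Counter((d.year, d.month) for d, _, _ in records)
    (y, m), last = min(by_month), max(by_month)
    counts = []
    while (y, m) <= last:
        counts.append(by_month[(y, m)])
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return counts


def trend_slope(counts):
    """Least-squares slope: change in incidents per month over the period."""
    n = len(counts)
    if n < 2:
        return 0.0
    x_bar = (n - 1) / 2
    y_bar = sum(counts) / n
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(counts))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den


def severity_distribution(records):
    """Empirical probability of each severity level, 1 through 5."""
    c = Counter(sev for _, sev, _ in records)
    return {level: c[level] / len(records) for level in range(1, 6)}


def severity_shift(records):
    """Mean severity in the first half of the period versus the second half."""
    sevs = [sev for _, sev, _ in sorted(records)]
    half = len(sevs) // 2
    return sum(sevs[:half]) / half, sum(sevs[half:]) / (len(sevs) - half)


def police_calls_vs_claims(records, claim_threshold=4):
    """Police call-outs (what the club lived through) versus incidents severe
    enough to become insurance claims (all a claims manager would ever see)."""
    police = sum(1 for _, _, called in records if called)
    claims = sum(1 for _, sev, _ in records if sev >= claim_threshold)
    return police, claims


def assess(text=INCIDENT_LOG, slope_limit=0.0, serious_share_limit=0.25):
    """Flag an unstable environment. Both thresholds are assumptions for this example."""
    records = parse_log(text)
    counts = monthly_counts(records)
    dist = severity_distribution(records)
    serious = sum(p for level, p in dist.items() if level >= 3)
    police, claims = police_calls_vs_claims(records)
    slope = trend_slope(counts)
    return {
        "months": len(counts),
        "incidents": len(records),
        "slope_per_month": slope,
        "serious_share": serious,
        "police_calls": police,
        "claims_seen_by_risk_mgr": claims,
        "unstable": slope > slope_limit and serious >= serious_share_limit,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:24} {value}")
```

On the constructed log the monthly count climbs steadily, half of all incidents involve an injury, mean severity rises from 2.0 to 3.1 between the two halves of the period, and the police are called ten times while only four incidents would ever have reached a claims manager. That is the "picture of an unstable environment" the article says should have emerged, and it emerges from nothing more than a consistently kept incident log.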

Finally, the security director testified that he did not track the frequency and severity of incidents in the nightclub, because he thought the tracking was done by the risk manager. The security director said that he deployed the type and number of security personnel that he “felt” would be adequate.

The security director never conducted a comparative assessment of other clubs to ascertain what best practices were currently being used regarding nightclub training, manpower allocation, crime abatement, risk management, and loss prevention. This ignorance was compounded by the lack of risk-control coordination with the risk management department. If it had existed, the security director would have realized that his subjective sense of adequate protection was not statistically validated.

Into this fractious and unstable environment entered the plaintiff and her friends. The woman is now significantly paralyzed and almost entirely confined to a wheelchair.

ERM cannot eliminate all risks or guarantee that the enterprise will avoid any losses. But the process can ensure that the firm is attending to all of its risk exposures, rather than blindly taking on risks of which it is unaware.

ERM is not a set of rigid rules that must be followed under all circumstances. It is a toolkit for trimming excess risks, and it offers a system for intelligently selecting those risks that require obviation. It provides a set of methods for avoiding situations that might result in losses that would be outside the firm’s tolerance. Additionally, ERM provides a language for communicating the firm’s efforts to maintain a manageable risk profile.

D. Anthony Nichter, CPP, ARM (Associate in Risk Management), CHE (Certified Hospitality Educator), is a Las Vegas-based forensic analyst and litigation advisor. He is a former chair of the ASIS Council on Gaming and Wagering.