Crime of Opportunity
2016-12-01, Lilly Chapa
<p>Over the past decade, retail and grocery stores have been turning to self-service checkout lanes to create a better shopping experience: purchases become easier and quicker, and store staff can be redeployed from checkouts into more customer-focused roles. However, self-checkouts and mobile shop-and-pay programs generate significantly higher rates of loss, a new report finds.</p><p><em>Developments in Retail Mobile Scanning Technologies: Understanding the Potential Impact on Shrinkage & Loss Prevention</em>, a report by Adrian Beck and Matt Hopkins of the University of Leicester, analyzed data from nearly 12 million shopping trips at four major British retailers between 2013 and 2015. The researchers found that the use of self-checkouts in stores increased the rate of loss by 122 percent, to an average of 3.9 percent of turnover.</p>


Review: Business Continuity
<p><em>Principles and Practice of Business Continuity: Tools and Techniques</em>, second edition. By Jim Burtles. Rothstein Publishing; 464 pages; $99.99.</p><p>Those practicing in the disaster recovery and business continuity fields have benefited for more than 40 years from the experience and expertise of Jim Burtles, via top-drawer training and guidebooks. Now semi-retired, he continues to contribute to the field with the second edition of <em>Principles and Practice of Business Continuity: Tools and Techniques</em>.</p><p>The book begins by enumerating six areas on which business continuity must focus: loss of access, people, supplies, communications, function, and data. The first three involve physical disruptions; the rest involve technical disruptions. Burtles explains each and the impact it could have on a business, then sets out roadmaps for preparing for and responding to each. Step by step, he provides the strategies, decision-making criteria, options, and other tools required for proactive business recovery planning and response.</p><p>Burtles clearly demonstrates how business continuity planning fits within a larger emergency planning context, including risk management, crisis management, emergency response, business recovery, and other disciplines that together form a comprehensive whole. Concentrating on business recovery, Burtles takes readers from preparation through planning, response, and recovery, emphasizing the need for resilience and how it applies to corporate governance.</p><p>The book is intended to educate regardless of the reader’s experience and background. It serves as a primer, a textbook, a reference, and a practical guide from planning and preparation to recovery.</p><p><em><strong>Reviewer: Mayer Nudell</strong>, CSC (Certified Security and Safety Consultant), is an independent consultant on crisis management, contingency planning, and related issues. He is an adjunct professor at Webster University and a member of ASIS. He is a coauthor of The Handbook for Effective Emergency and Crisis Management.</em></p>

Inside Story on Outsource Planning
<div class="body"> <p class="MsoNormal">Outsourcing continues to be an appealing strategy for business executives, who see it as a way to cut costs and focus the company on core competencies. Security is frequently one of the functions selected for outsourcing. More than half of the respondents to the 2004 ASIS salary survey said that their companies had contracted out some portion of security services. But contracting won’t meet corporate objectives unless the process is properly managed.</p> <p class="MsoNormal">The key to success is to have a plan for every step of the project, including not only how the vendor will be selected, but how it will be integrated into the company’s operations. A good model to follow is known as contract lifecycle management (CLM), which consists of four primary components: contract governance and oversight, request for proposal (RFP), due diligence, and contract negotiation and execution. These elements provide a disciplined approach to vendor selection and consistent contract performance.</p> <p class="MsoNormal"> <strong>Governance. </strong>The first step of the process is to form a contract governance and oversight council. The council should include representatives from the leadership of the organization’s core business segments and functions, such as contracting and procurement, legal, compliance, finance, human resources, operations, and information technology. By involving this cross-section of management in the CLM process, the company can identify all of the business and system requirements that any contract service supplier will have to meet. 
</p> <p class="MsoNormal">The council should secure senior management buy-in at the beginning of the outsourcing process and reinforce it throughout the resulting program’s lifetime. The council should encourage corporate leadership to take an active role in all phases of the CLM process from exploratory discussions to monitoring for compliance with the contract. </p> <p class="MsoNormal">In one case, General Nutrition Incorporated (GNI), where author Adler previously worked, wanted to outsource its employee background checks to reduce operational costs and turnaround time, as well as to create a standardized approach to employment hiring practices. GNI had a governance and oversight council that spearheaded the process, ensuring that all business interests would be addressed up front.</p> <p class="MsoNormal">As part of GNI’s governance and oversight, the human resources and legal departments first looked at company expectations, which were to find a vendor that could verify the employment and education of any new hire and to review credit and criminal records. The legal representative also assessed vendor compliance with relevant state employment laws. Meanwhile, the governance and oversight IT representative made sure that the selection process would address issues of system connectivity between the company’s personnel and the vendor’s database.</p> <p class="MsoNormal"> <strong>RFP.</strong> The second step of the process, the request for proposal (RFP), begins with a team of corporate stakeholders who develop a detailed statement of work (SOW), which can be thought of as painting a picture of a process landscape.</p> <p class="MsoNormal">A SOW takes the form of a narrative description of products and services to be supplied, or tasks to be performed by the vendor, under a proposed contract, including equipment and capacity needs and required outputs. 
This document should also consider operational processes, system and data requirements, human resource demands, and the turnaround times associated with vendor output. </p> <p class="MsoNormal">For example, a retailer outsourcing the analyses of its point-of-sale (POS) exception-based reports would have to identify all data feeds from its stores to the central IT servers, data capacity requirements, maintenance needs, and—most importantly—it would have to determine what data was to be captured, trended, and formatted for management reporting. </p> <p class="MsoNormal">The RFP and SOW should include an outlay estimate—basically the amount the company is willing to spend for the service. This might be a range or a cap above which vendor proposals won’t be considered. The RFP and SOW should also include a discussion of performance incentives, if any, that would affect the total compensation package to the vendor. </p> <p class="MsoNormal">For example, when GNI moved to outsource its background verification services, GNI explained in the RFP and SOW what it would offer in terms of incentives and what it would require in terms of performance guarantees. GNI expected a three-day turnaround on each check. If the vendor completed the checks in less than three days for one month, an incentive payout to the vendor would be made. </p> <p class="MsoNormal">The RFP and SOW also address service-level agreements, which encompass service or product delivery requirements, including timeliness and quality expectations. Additionally, the RFP includes a service-monitoring process, with quality measurements, and it should spell out how problems would be addressed through an escalating series of communication and quality-remediation steps.</p> <p class="MsoNormal"> <strong>Due diligence.</strong> A contractor’s past performance record is the key indicator for predicting future performance. 
Thus, a detailed inquiry into prospective vendors is necessary to confirm their operational and financial soundness, transparent ethical standards, and ability to meet company service requirements. </p> <p class="MsoNormal">A due diligence team should be assembled, with representatives from the functional areas that will work with the selected service provider, such as human resources, legal, and finance. Because the due diligence process requires a high level of confidentiality and expertise, a consultant or “of counsel” legal advisor should be brought in to manage the process.</p> <p class="MsoNormal">The due diligence process should begin with a request for information (RFI), a detailed questionnaire sent to the vendor’s chief executive and chief financial officers. The questionnaire should ask for specific information about the vendor’s operations, including financial statements and regulatory-compliance documentation showing how the company meets applicable federal and state requirements, such as Sarbanes-Oxley. </p> <p class="MsoNormal">It should also ask for information on pending litigation and potential mergers or acquisitions. In addition, the questionnaire should request other pertinent documents, such as letters of credit and Statement on Auditing Standards No. 70 (SAS 70) reports, in which external auditors attest to the controls over the vendor’s business and system processes. Other requested materials would be licensure requirements, proof of adequate bonding and insurance, and a client list from which a random sample can be contacted.</p> <p class="MsoNormal">In addition to reviewing all of that information, the due diligence committee should perform an on-site visit and vendor interview. During the visit, committee members should be able to observe an important indicator of suitability: the vendor’s investment in its people, property, and equipment. 
For example, if officers’ uniforms are unkempt and the patrol vehicles appear shoddy, the vendor should be eliminated as an outsourcing candidate.</p> <p class="MsoNormal">During the interview, the committee members should once more explain the company’s expectations of quality, service-level agreements, costs, and contract enforcement requirements so that the potential vendor is clear about the expected service standards.</p> <p class="MsoNormal">The governance and oversight council should then assess the information from the due diligence committee to narrow down the finalists. If needed, the council should have the due diligence committee ask further questions to clarify vendor information. By the end of this process, the best choice should become clear.</p> <p class="MsoNormal"> <strong>CNE.</strong> Contract negotiation and execution (CNE) is the last phase of the CLM process. This is when the hiring company and the selected vendor agree on final terms, document them, and execute the contract. As a part of this process, a contract negotiation team should be formed from a cross-section of internal stakeholders to review the contract for accuracy and appropriateness.</p> <p class="MsoNormal">For example, if the company is outsourcing guard services, the chief security officer should ensure that staffing coverage is adequate for emergency response and around-the-clock operations, including duties such as escorting. Similarly, the chief risk officer should review insurance coverage levels and risk riders to ensure that they satisfy corporate requirements. These parameters would already have been discussed and reviewed by these people in preparing the RFP, but this final review ensures that nothing has been overlooked before the contract is signed.</p> <p class="MsoNormal">There should also be a contract review by the legal department to ensure that the contract is binding on all parties. 
Finally, there should be a review and approval by the chief financial officer and an acceptance of the contract.</p> <p class="MsoNormal"> <strong>Facing change</strong>. Once the contract has been signed, the company must prepare itself to manage the change. Three key elements in a successful transition are a dedicated transition team, focused communications with affected employees, and a transition analysis, including monitoring of performance indicators.</p> <p class="MsoNormal"> <strong>Team up</strong>. It is important to create the right team to oversee and manage the transition. Members should be chosen based on a variety of factors, such as their ability to work collectively, their stature in the organization—whether formal or informal—and their ownership over individual pieces of the security function. A team might be composed of managers from human resources, operations management, maintenance or facilities, and information systems, and front-line staff with a reputation for being peer-group leaders.</p> <p class="MsoNormal">If there have been any major detractors of the program, it makes sense to invite their participation. The more they get involved and have a sense of ownership in the project, the more they are likely to want it to succeed.</p> <p class="MsoNormal">Many guard service providers tout the ability to provide customers one point of contact—a single manager to provide all the answers, oversee the operation, and run the account. Although this may be viable with small accounts, it is not a realistic solution for any significant transition. </p> <p class="MsoNormal">New providers should, therefore, be prepared to furnish a significant management presence throughout the initial transition time to ensure that the new officers are operating at acceptable levels and that any deficiencies are addressed in a timely manner. 
This issue will have been addressed as an expectation in the RFP and SOW.</p> <p class="MsoNormal"> <strong>Communication.</strong> The transition team must be prepared to explain to the affected personnel the reasons behind the shift to outsourcing, the specific timing of events, the extent to which the services they rely on may be affected, and, most importantly, how questions or other issues will be managed throughout the transition and under the new arrangement.</p> <p class="MsoNormal">For example, when one company hired a guard service, the transition team sat down with the manager to explain the changes and to make sure the manager knew that he could bring any problems or questions straight to the team for resolution.</p> <p class="MsoNormal">In another case, a company that had experienced sabotage at a Midwest manufacturing plant outsourced the resulting investigation. During the CLM process, the vendor told the company that company personnel would be significantly involved in the investigation. If focused communication had not followed between the company and its support personnel, those employees might not have been available or able to provide the level of assistance the investigators required.</p> <p class="MsoNormal"> <strong>Transitional analysis</strong>. After the transition is complete, the transition team must carefully examine any new procedures, including those for daily activity reports, exception reporting for alarm activations, handling of procedural violations, publishing of schedules, training methods, planned management interaction, inspection forms, and emergency communications. </p> <p class="MsoNormal">The transition-analysis process allows team members to assess how well the new procedures are working and, where needed, to make changes. This process will ensure that the services provided are achieving the desired outcomes. 
The team’s involvement in fine-tuning these procedures will also create ownership of the process and, ultimately, wide support throughout the organization. </p> <p class="MsoNormal">At a Chicago distribution company, for instance, the lack of available receiving docks often led to a backup in deliveries, causing employees to work too much overtime. During the transition analysis, it was discovered that a new contract swing officer who roamed between the shipping and receiving areas had ample time to redirect incoming vehicles to available shipping docks. </p> <p class="MsoNormal">This arrangement had not been anticipated at the time that the RFP and SOW were worked out. But the analysis after the contract work began revealed the opportunity for this improvement.</p> <p class="MsoNormal">By having the roaming officer communicate directly with the transportation manager about the loading dock traffic and availability, the company was able to unload deliveries in a timely manner with little or no employee overtime. It also allowed the officer to become familiar with the drivers, vehicles, and shipping and receiving processes, adding security value where none existed before.</p> <p class="MsoNormal"> <strong>KPIs.</strong> Contract provisions usually require that vendors document and report key performance indicators (KPIs). During the transition phase, it is important that there be close monitoring of KPI measurements and other daily performance indicators to see both that the information is adequate and meaningful and that the performance is meeting expectations.</p> <p class="MsoNormal">During the transition, the regular cycle process of reviewing performance should be shortened to monitor individual performances and functional duties that are vital to the operational success. That way, any problems can be caught early and addressed.</p> <p class="MsoNormal">Outsourcing will continue to be a favored business strategy. 
Security managers who take a lifecycle-management approach to the contracting process will be most likely to achieve the desired result. </p> <div class="MsoNormal" style="TEXT-ALIGN:center;" align="center"> <hr align="center" size="2" width="100%" /> </div> <p class="MsoNormal"> <em>Steven I. Adler is business risk manager with Uniprise of West Hartford, Connecticut. Prentice Robertson is executive vice president of St. Louis-based Whelan Security. Kort L. Dickson is senior manager, global security, for Kraft Foods of Northfield, Illinois. All three are members of the ASIS Business Practices Council.</em> </p> </div>

Trends
<p>In recent years, security professionals have been bombarded with rules and regulations on corruption as well as court rulings on discrimination and harassment. The next compliance trend centers on safety and health. A new rule on reporting workplace fatalities, injuries, and illnesses will bring workplace safety practices under scrutiny. Almost 5,000 U.S. employees were killed at work in 2014, a 5 percent increase over the number of fatal work injuries reported in 2013, and nearly 3 million people experienced a workplace injury or illness in 2014, according to the U.S. Department of Labor’s (DOL) Bureau of Labor Statistics (BLS).</p><p>To make data about these incidents more accessible to the public, the DOL’s Occupational Safety and Health Administration (OSHA) issued a final rule, Improve Tracking of Workplace Injuries and Illnesses, in May 2016, that requires many employers to electronically submit information about workplace injuries and illnesses to the government. 
The government, in turn, will then make this information available online in a public database.</p><p>“Since high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace,” Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels said in a statement. “Our new reporting requirements will ‘nudge’ employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers, and the public that they operate safe and well-managed facilities.”</p><p>Additionally, Michaels said that greater access to injury data will also help OSHA better target compliance assistance and enforcement resources to “establishments where workers are at greatest risk, and enable ‘big data’ researchers to apply their skills to making workplaces safer.”​</p><h4>What’s in the new rule?</h4><p>Under the Occupational Safety and Health Act of 1970, employers are responsible for providing a safe workplace for employees. As part of this act, OSHA already required many employers to keep a record of injuries and illnesses, identify hazards, fix problems, and prevent additional injuries and illnesses. </p><p>Under the new rule, all employers with 250 or more employees at a single facility covered by the recordkeeping regulation must electronically submit injury and illness information to OSHA in three forms: 300 (log of work-related illnesses and injuries), 300A (summary of work-related illnesses and injuries), and 301 (injury and illness incident report).</p><p>OSHA argues that, together, these forms will paint a picture of the number of injuries, number of fatalities, lost time, total lost days, total restricted work days, and the total number of employees at each location of a company.</p><p>And OSHA will be able to use it to answer certain questions. For example, within a given industry, what are the characteristics of establishments with the highest injury and illness rates? 
What are the characteristics of establishments with the lowest rates of injuries and illnesses? What is the relationship between an establishment’s injury and illness data and data from other agencies?</p><p>Facilities with 20 to 249 employees in certain high-risk industries will also be required to submit information from form 300A electronically. These are 67 industries identified by OSHA that have historically high rates of occupational injury and illness, including manufacturing, construction, urban transit systems, utilities, and more.</p><p>The requirement for facilities to submit the 300A summaries electronically goes into effect on July 1, 2017. If required, facilities must submit forms 300 and 301 electronically by July 1, 2018, and will be required to submit all three forms electronically by March 2, 2019.</p><p>OSHA will upload this data, after ensuring that no personally identifiable information is included, to a publicly accessible database. The details of the database, however, have not yet been released because OSHA is still creating it.</p><p>OSHA’s mission is to protect the safety and health of workers. This new rule, OSHA’s Office of Communications tells Security Management, will support that mission.</p><p>First, as previously noted, access to injury data will help OSHA better target compliance assistance and enforcement resources to establishments where workers are at greatest risk.</p><p>“The final rule’s provisions requiring regular electronic submission of injury and illness data will allow OSHA to obtain a much larger data set of more timely, establishment-specific information about injuries and illnesses in the workplace,” the rule says. 
“This information will help OSHA use its enforcement and compliance assistance resources more effectively by enabling OSHA to identify the workplaces where workers are at greatest risk.”</p><p>One example OSHA gives in the rule itself is that the data will help it identify small and medium-sized employers who report high overall injury and illness rates for referral to its consultation program. </p><p>“OSHA could also send hazard-specific educational materials to employers who report high rates of injuries or illnesses related to those hazards, or letters notifying employers that their reported injury and illness rates were higher than the industry-wide rates,” the rule explains.</p><p>The practice of sending high-rate notification letters, for instance, has been associated with a 5 percent decrease in lost workday injuries and illnesses in the following three years, OSHA says.</p><p>OSHA also maintains that publicly disclosing work injury data will encourage employers to prevent work-related injuries and illnesses.</p><p>The new reporting requirements are also designed to save government time and money. The agency believes that the new rule will convince “employers to abate hazards and thereby prevent workplace injuries and illnesses, without OSHA having to conduct onsite inspections.” ​</p><h4>What else does the rule do?</h4><p>Along with the electronic reporting requirements, the rule also reemphasizes whistleblower provisions for employees to report injury and illness without fear of retaliation. </p><p>“The rule clarifies the existing implicit requirement that an employer’s procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting,” the office explains. 
“It also incorporates the existing statute that prohibits retaliation against employees for reporting work-related injuries or illnesses.” </p><p>Including the term “reasonable” is new for OSHA, says Edwin Foulke, Jr., partner at Fisher Phillips who cochairs the firm’s Workplace Safety and Catastrophe Management Practice Group and who was the head of OSHA from 2006 to 2008. </p><p>“Before, you were required to make sure that your employees knew that there was a system to report,” he adds. Now, however, OSHA requires that that system be a reasonable one.</p><p>While it is unclear how exactly OSHA is defining “reasonable,” it does explain in the rule that “for a reporting procedure to be reasonable and not unduly burdensome, it must allow for reporting of work-related injuries and illnesses within a reasonable timeframe after the employee has realized that he or she has suffered a work-related injury or illness.”</p><p>If employers are caught discouraging employees from reporting illness or injury, they can be cited by OSHA for retaliation. “Before, the employee had to file a complaint. Now, for an employer to get cited and to be penalized, OSHA can do that in an inspection under this new standard,” Foulke says. “So this is a whole new area, and they’re going to be looking.” </p><p>Actions that could be considered retaliation include termination, reduction in pay, reassignment to a less desirable position, or any other adverse action that “could well dissuade” a reasonable employee from making a report, the rule explains.</p><p>OSHA also has taken the stance in the rule that “blanket post-injury drug testing policies deter proper reporting” of workplace injuries and illnesses. 
Because of this, the rule prohibits employers from using drug testing—or the threat of drug testing—as a form of adverse action against employees who report injuries or illnesses.</p><p>“To strike the appropriate balance here, drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident, and for which the drug test can accurately identify impairment caused by drug use,” the rule says. </p><p>For instance, OSHA says it would not be reasonable to drug-test an employee who reports a bee sting or a repetitive strain injury. </p><p>“Such a policy is likely only to deter reporting without contributing to the employer’s understanding of why the injury occurred, or in any other way contributing to workplace safety,” OSHA explains.</p><p>However, if workers’ compensation laws require an employer to conduct drug testing, then this type of drug testing would not be considered retaliatory, OSHA adds.​</p><h4>What should employers do? </h4><p>Because of potential liability and opportunities for citations, Foulke recommends that companies take several actions in response to the new rule. </p><p>For instance, employers should look at how they advise their employees to report injuries and illnesses under the record keeping standard. OSHA has said that companies can meet this requirement by posting the “Job Safety and Health—It’s the Law” workers’ rights poster from April 2015.</p><p>Employers should make sure that their reporting process is “reasonable and doesn’t somehow discourage people, because, if it is, they are going to get cited for it and maybe open themselves up to a whistleblower retaliation claim,” according to Foulke.</p><p>A whistleblower retaliation claim could be likely because this is an issue that OSHA has been increasingly focused on during the Obama administration’s second term, he says. 
</p><p>Employers also need to know their rights during an OSHA inspection, a process that many are unfamiliar with. For example, Foulke says that when OSHA comes in to do an inspection based on a complaint it has received, it will frequently attempt to expand the visit into a “wall-to-wall” inspection.</p><p>“If the employer doesn’t assert their rights and allows a wall-to-wall, then potentially they could have many more citations,” Foulke explains.</p><p>Additionally, the business community has expressed concerns that the new rule will force companies to publicly reveal business details that were previously considered privileged and confidential.</p><p>“When you fill out the 300 logs and also the 300A summaries, they are going to talk about departments and processes—especially in the 301, you may have some information that may be somewhat proprietary,” Foulke says. “Employers are going to have to be very careful about what they put when they’re submitting their data, that they basically look and provide only the minimum that they are required to provide.”</p><p>Employers should also recognize how the data they submit to OSHA may be used once it is publicly available. Using the information from the 300 and 301 forms, analysts will be able to determine the death, injury, and illness rate of a particular company and compare it to the industry average. </p><p>“Now that data could be used by union organizers who want to try to organize a company to show how bad at safety they are,” Foulke explains. “They can take that data and say, ‘Look how many injuries and illnesses this company has.’”</p><p>“Plaintiffs’ lawyers could look at it and say, ‘Look at this company. They have all these injuries there. Obviously something is going on there, so I need to go out to that plant, find one of those employees who got injured, and throw a class action against the company for all these injuries,’” Foulke says.</p>