This column will address the increasingly important subject of crime in the workplace. A review of news headlines across Canada on any given day shows the sheer prevalence and harmful impact of work-related crime. Organizations have a moral and legal obligation to understand the crime threats they face and to take diligent steps in managing crime and security risks.

Why is crime in the workplace an important issue for organizations?

Crime in the workplace has received relatively little attention within society and amongst politicians, with the possible exception of widely-publicized incidents such as 9/11, workplace shootings and company data breaches. The lack of attention paid to work-related crime is hard to understand, as illustrated by the following important factors:

• Workplaces contain people who need to be insulated from the harmful impact of crime (particularly violent crime).
• For many offences, workplaces are at a higher proportional risk of victimization compared to non-workplaces.
• There is a legal (and moral) requirement for employers to protect employees from crime at work.
• A great deal of social life revolves in and around workplaces and some types of workers are at greater risk from crime and violence than others.
• The true extent of workplace crime is unknown as a large number of offences go unreported.
• The costs of crime at work are ultimately passed along to end-consumers as “part of doing business” – workplace crime costs us all…

A common misconception is that workplace crime is less serious than other types of crime. This view is often based on an assumption that the employer or organization is a ‘faceless victim’, more resilient and less vulnerable than the individual ‘citizen victim’. Clearly, however, this position ignores the fact that workplaces are populated by individuals. Crime in any work setting impacts people—including customers and staff—who often witness distressing aspects of the offence or become personal victims.

There are many types of workplace crime. Some crimes such as theft or fraud can be committed by employees (i.e., “internal crime”) while other crimes such as armed robbery or property damage may be committed by outside parties (i.e., “external crime”). Within the legal system, criminal offences are broadly categorized in ways that allow for guilt to be established within a court of law. As individuals, we tend to define crimes in terms of the impact felt or suffered, the apparent motivation of offenders, and/or the perceived vulnerability of victims. While those responsible for workplace crime prevention should be mindful of the legal context, they must also be cognizant of the impact crime has upon staff, customers and ultimately the vitality of the affected organization.

How is business crime prevention typically approached?

There is compelling evidence to suggest that certain workplaces and occupations are at greater risk of crime victimization than others. Organizations expecting employees to handle cash and valuables, work alone or in isolation, work on the road, handle complaints, or deliver goods to people’s homes, for example, require an understanding of the elevated crime risks surrounding these work activities. While there is a clear need to inform employees of crime threats and support them in reducing the risk, the appropriate steps are all-too-often not taken until a crime event of sufficient magnitude brings the need for better staff training and education into clear focus.

Generally speaking, why aren’t organizations more proactive in addressing the risk of workplace crime? One answer may be the longstanding tradition of compartmentalizing responsibility for managing business “risks” within individual silos. In this scenario, responsibility for crime prevention and security could fall to a workplace actor who may not have the requisite knowledge, skills and tools to proactively identify, evaluate and manage the risk.

Another reason why crime in the workplace is often under-emphasized within organizations is a lack of awareness amongst senior management. Despite the fact that business security failures are scrutinized far more critically across today’s “new media landscape”, senior management’s conception of crime and security has often not kept up with the times.

One reason for this is the difficulty of quantifying the financial benefits of crime prevention activities (i.e., dollars spent) in traditional units of business measurement (i.e., dollar losses averted). Another factor could be that senior managers are rarely taught about crime prevention and security in business schools or through other forms of learning. As a result, the identification and mitigation of crime risk is not seen as a priority in many workplaces.

How can an organization establish an effective crime prevention program?

The first step in setting up an effective security and crime prevention program is to assess the risk of crime. As Draper (1995) rightly states:

No [crime prevention] program can be effective unless it is aligned with the objectives of the organization it is intended to serve, and is based upon a clear understanding of the actual risks it is designed to control.

Assessing the risk of crime involves taking the following steps:

1. Understand the organization, its activities, and assets
2. Conduct a crime threat assessment
3. Conduct a crime vulnerability assessment
4. Select the most risk-appropriate security and crime prevention measures
5. Evaluate and re-assess

1. Understanding your organization, its activities, and assets

Each organization has unique factors which should drive specific crime prevention objectives. The first step in assessing the risk of crime focuses, therefore, on gaining an understanding of the organization (i.e., what are we protecting?). What are the main assets of the organization? Where does the organization operate? What type of activities are conducted by employees? What type of client interactions take place? Which assets and/or activities require protection from crime?

The objective at this initial stage is to determine precisely what/who requires protection from crime. A complete review of the organization’s primary assets, work functions and operational activities will paint a picture of the ways in which potential offenders could view and/or interpret crime opportunities.

2. Conducting a crime threat assessment

The next step involves a careful consideration of existing crime threats. Fundamental issues to be addressed at this stage include identifying:

1. the types of criminal (or “threat sources”) likely to be attracted to your workplace/organization (e.g., general sources of threat such as youthful offenders, professional criminals, opportunistic thieves, sexual predators);
2. the objectives of each threat source (e.g., types of crime likely to be attempted such as robbery, embezzlement, assault, internal theft);
3. the capabilities of each threat source (e.g., skills/experience/courage of threat source, knowledge/awareness of target location, ability to gain knowledge of target); and
4. the potential for realization of the crime (e.g., the offender’s level of confidence and the overall likelihood that criminals will target the organization/workplace).

3. Conducting a crime vulnerability assessment

Following on from the threat assessment, we now need to look at the adequacy of any existing security and crime prevention measures to establish the vulnerability exposure. By now, a comprehensive threat profile should have been created. It is now possible to identify the crime threats most likely to affect the organization/workplace and consider if, and how, protective controls are currently being applied to lower the risk.

Before conducting this portion of the assessment, it is important to understand that vulnerabilities operate on two distinct, but overlapping levels. Firstly, vulnerabilities can contribute to the likelihood that a particular threat will be realized. Secondly, vulnerabilities can also contribute to the degree of harm arising out of a threat after it has been realized. Both of these factors should be kept in mind in assessing the organization’s vulnerability to crime.

As set out in the ASIS International General Security Risk Assessment Guideline (2003: 6.)

The vulnerability analysis should take into consideration anything that could be taken advantage of to carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for subsequent analysis and countermeasures.

4. Selecting the most risk-appropriate security and crime prevention measures

The selection of crime prevention and security measures should be made within the framework of risk management. When selecting strategies to lower the risk of crime, there are several approaches open to the organization – these include (1) tolerating, (2) transferring, (3) avoiding, and/or (4) reducing the risk.

Tolerating the risk is where the cost of mitigating the risk of harm from a particular crime type outweighs the benefits to be gained. In some cases, the risk of crime in a particular workplace is deemed to be so minimal that a decision is made to simply tolerate the risk.

Transferring the risk involves the purchase of insurance and/or the act of contracting out. A recent example is the trend towards the purchase of terrorism insurance, which serves to insulate the policy holder financially in the event of a terrorist incident.

In some cases, the risk of workplace crime is deemed to be so significant that a decision is made to close a workplace location, or cease certain work-related activities altogether. This is known as risk avoidance. An example is the relocation of business premises due to out-of-control crime problems.

Strategies aimed at reducing workplace crime risk operate to decrease crime opportunity and potential loss to the lowest level. These measures seek to affect the offender’s target choices before commitment to the offence has been reached. An example is a sign in a convenience store that states “Limited Cash on Premises”.

Reduction strategies also seek to minimize the harm or loss once the workplace crime is committed. An example related to the previous scenario involves the offender who decides to commit a robbery in spite of the warning sign – an effective risk reduction measure would be to utilize a drop safe and limit accessible cash to small bills only.

5. Evaluating and re-assessing

Crime risks are inherently dynamic and threat sources and offender methods are constantly adapting. For this reason it is important for organizations to monitor crime risk factors and re-assess periodically to ensure control strategies remain effective. Appropriate timelines should be established for formal re-assessments and triggers should be identified that signal a need for re-assessment (such as new legislation, a change in operational activities, new crime threats, etc.). It is the evaluation process which is most often overlooked after organizations establish crime prevention measures.

Bringing it all together

In his book ‘Canadian Private Security Administration’, Ray (1995: 36) has contended that three things must come together for security and crime prevention to be handled appropriately in any organization:

1. senior leaders must demonstrate genuine interest in crime prevention and allocate sufficient budgetary resources to manage the risks;
2. middle-managers across all departments must support the crime prevention program and influence those under their charge to do likewise and;
3. employees must voluntarily buy-in to the concept of crime prevention and do their part to lower the risk.

In coining a very well-worn phrase, “crime prevention is everyone’s responsibility”.

David Hyde
David Hyde and Associates