Proactive Communication: The Human Algorithm for Managing Risk

By Lowers & Associates,

Until recently, Continuous Monitoring was, at best, theoretical. Why? Because true Continuous Monitoring required real-time access to court records in order to make actionable, informed decisions on employees involved in legal matters. Arrest record data and other sources were OK, but to truly get the whole picture, court records were required. Thanks to progressive advances in automation, true Continuous Monitoring is now very real and can, today, provide organizations the opportunity to actively manage employees that operate in high-risk, high-compliance environments.

True Continuous Monitoring is crucial in the modern workplace because it brings efficiencies to risk mitigation immediately after an event occurs, especially if it’s a non-jailable or unreported offense. With businesses right now running lean and looking for any advantage as they right-size, re-strategize and build towards a post-COVID-19 economy, they need their people to be who they say they are. True Continuous Monitoring enables this.

But what about before something bad happens?  That, as they say, is where the rubber meets the road.

Predictive technology absolutely exists in the mainstream already – it drives the engines powering social media, music streaming, news feeds and online retail, to name a few.  But these insights are typically gleaned from prior activity or stated preferences to predict what a person might next want.  Whether you subscribe to Maslow’s ‘Hierarchy of Needs’ or any other human behavior model derivative, when a need is unmet in a person’s life, it’s true that the behaviors that follow are also (usually) predictive; but the technology that works for Spotify playlists and Amazon purchases doesn’t quite meet the litmus test required to anticipate (and mitigate) workplace violence, fraud or other activities that can profoundly impact a business and the people that work there.

Businesses need predictive insight to identify when a behavior pattern becomes a concern, or at the very least, be able to alert a managing authority to deviations that are outside what’s considered “normal and safe” behavior by an employee in order to mitigate the risk exposure.  The algorithm to perform said task does exist, but it’s still very much analog.

What is this old-fashioned engine that can help predict and manage risk-related behaviors, you ask?

Simply put, it’s communication.  More specifically, it’s employees in high-risk or high-compliance environments at all levels using standardized processes to communicate proactively about, well, anything and everything.  When it comes to mitigating risk, proactive communication’s predictive capacity is less about mind-reading and more about behavior-reading.  It enables a framework that employees can use to identify and communicate red flags before those red flags turn into bad behavior and a court case, or worse, yellow caution tape.

In the final entry of the #OurStory series, Jon Groussman crystalizes the ‘before and after of risk’ using an example of a client that took a massive hit to employee morale and reputation that, had proactive communication and continuous monitoring been options, might have been avoidable.

This particular incident occurred at a research and manufacturing facility and involved a supervisor and an employee.  Can you tell us what happened?

Jon Groussman: I remember I’d gotten to the office a little bit early that day to do some catching-up. My phone rang right around 8:30; it was an executive from a client’s facility letting me know that they had an incident the night before at around 11pm. A supervisor on the overnight shift had brought a handgun into the facility, put the handgun to the head of one of the workers and threatened to blow the co-worker’s head off if he ever spoke to the supervisor again. The police were called, the supervisor was arrested for aggravated assault and possession of a firearm, banned from the property and then, of course, taken into custody.

Clearly, the executives were rattled and couldn’t understand how this could happen at their facility.  I was able to get over to the facility the same afternoon that I received the call, walked through the facility and met with the executives.  Unfortunately, the executives didn’t really know much about what actually went on during this 3rd shift which, for all intents and purposes, was an overnight shift. A lot of times, not only in this environment, but in other environments that have shift workers or that are open 24 hours, the more senior management doesn’t know what’s actually happening during those hours.  What develops then is a communication gap.  From a safety and security standpoint, that gap can become a real vulnerability because you’re not getting tipped off to issues that may be occurring in situations like this one.  So, I started to interview people.

Of the 16 or so people I spoke with, a common theme started to emerge. The primary one was that they were understaffed. They had a hard time finding employees with the skill set to meet their demands and so they were more tolerant of, not something like this incident, but we’ll say, inappropriate behavior.  The second was that being understaffed, the demands of the business had put them in a position where ignorance was bliss until reality hit – the lack of awareness and how to report inappropriate behavior was a huge issue.

You mentioned a pattern began to emerge.  Were there red flags that went overlooked?

Jon Groussman: There are almost always red flags; this kind of thing generally doesn’t happen out of the blue.  In speaking with people working that 3rd shift, I was told that the assailant took longer breaks than everybody else.  As he was a supervisor, people didn’t question it because he also got his job done.  The problem was, we found out he was leaving the site – using the only camera that was well-positioned and functioning – to visit a neighboring community that was very well known for selling drugs.  We could see his car come and go at the times when his colleagues said he would be on longer breaks, and this began happening more frequently in the months prior to the attack.

With that revelation, we went to law enforcement to see if he had a record or had any weapons issues beforehand.  It turned out he’d been in court numerous times within that past year for purchasing drugs in the community I mentioned, but this client and facility didn’t have a system in place to know that. Now remember, this was a person in a supervisory role with access to assets within this facility that a loss or accident could have been very bad.  The materials and trade secrets were also very valuable on the secondary market, had he been desperate enough to need money for drugs or been coerced into stealing them.  Had this client and facility utilized some type of continuous monitoring and had a disciplinary policy, this incident would have likely never happened because he would have been gone long before it happened.

You mentioned that even with continuous monitoring in place, there wasn’t a mechanism to be able to report that information, let alone red flag behavior.  Was this a lapse in SOPs or a culture problem?

Jon Groussman: Everyone on that 3rd shift acknowledged the assailant was unusual – he would go and dance on the roof, for example.  But, to your point, the environment at the facility was one where security and minimizing conflict was not part of the culture.  They didn’t have SOPs that addressed ways to communicate any perceived efficiencies, let alone any threats that somebody may perceive against the people or physical assets at the facility.  There was no standardized method to report much of anything.

So, it was clear we had to implement better access control measures. We wanted to know when people were coming in and going out, and adding physical security equipment like CCTV to complement it. But one of the biggest things we had to do was change the culture. In the security world, it’s sometimes easy to talk about standard operating procedures and physical security equipment, but all those things are only as good as if people are willing to follow it and buy into the program.

The other piece of culture change is that it requires people that are accountable. This facility didn’t have anybody responsible for security.  They didn’t have a threat assessment team. They didn’t have a facility security manager.  Their primary focus for security was that of the machines that did the manufacturing and research.  It was a deadline driven environment.  To get the work done, there was a willingness to overlook certain human capital elements when it didn’t have to do with occupational safety.  As long as the machines were running properly, the place was considered very safe.  But when it came to a potential insider threat, that wasn’t part of the culture. And that’s why I think it took everybody by surprise.  But that 3rd shift was an island unto itself.  Nobody had eyes on it, and they didn’t have the protocols in place to try to capture the red flags.

You’ve seen a lot of things in your career.  Did anything about this experience shock you?

Jon Groussman: Unfortunately, no.  Most of the calls I get are when things are going well until they’re not.  The comparisons that always come to mind are insurance and lawyers – nobody wants to pay for either until they need it.  I think it absolutely surprised the executive team within this particular company that this happened.

The problem was that it wasn’t just the guy who had the gun held to his head that experienced the trauma; it was all the co-workers who witnessed the event.  They were fearing for their lives in that moment.  If that gun went off, even accidentally, who’s to say he wouldn’t have kept shooting?  And this was long before there was such heightened awareness about active shooters.

But this scenario still happens, and it happens because of a lack of communication that, had their communication been better, could have been prevented.

Besides more proactive communication, how did this experience become a teachable moment for you?

Jon Groussman: Most of what I do, and much of what security professionals do when they do assessments, whether it’s a post-event assessment or pre-event, is understanding what the threats are and understanding where the vulnerabilities are, and how you can operationalize the mitigation efforts. And for me to help a business change its culture to become more proactive around its security, I have to have an understanding of the way that business operates before making recommendations on how to minimize those risks.  In the process, you have to prioritize the risks.  And then you have to make sure that the business can still function with the recommendations that you’re putting in place, because you’re not there to create a prison.  You’re also not there to spend money unnecessarily that a company doesn’t have.  And, you’re not there to reduce the efficiency of their business.

In this case, there were some very simple things that we were able to do through an awareness campaign, through a 24-hour anonymous call center – which is very simple to do.  Improved access controls, new cameras.  We instituted continuous monitoring for those employees that had certain access to materials and information, and created oversight protocols for management.  We designed a reporting structure and also a disciplinary structure together so that, if somebody wasn’t doing their job or was behaving in an unusual way, you could address those issues.

We basically just connected the dots.  It took a long time for morale to improve, but it eventually did and proactive communication was really the driver of it all.


5 Startling Facts About Human Capital Risk

By Lowers & Associates,

People are often referred to as the greatest asset of an organization. While this may be true for your organization, the greater truth is, people also represent an organization’s greatest risks. The actions, inactions, and mere presence or influence of people present a potential for loss across the spectrum of business activities.

Perhaps no source of risk is more perplexing, hurtful, and damaging than that caused by intentional harmful acts. Consider just a handful of startling facts:

1. 30% of business failures are due to employee theft.

Employee theft costs businesses an estimated $50 billion a year and is rising at a rate of 15 percent per year, according to the U.S. Department of Commerce. The Commerce Department and the American Management Association say that 30 percent of new business failures are due to employee theft and it is believed that 75% of employees steal from their employers at least once. (source)

2. Organizations lose 5% of revenue to ‘fraud from within.’

According to the Association of Certified Fraud Examiners (ACFE), occupational fraud is fraud committed against the organization by its own officers, directors, or employees–an attack against the organization from within, by the very people who were entrusted to protect its assets and resources. In its 2018 Report to the Nations, the ACFE projects that organizations lose 5% of their annual revenue to fraud. Of these cases of fraud, corruption represents one of the most significant fraud risks for organizations, with 70% of such cases perpetrated by someone in a position of authority (managers and owner/executives).

3. Workplace violence is the fastest-growing category of murder in the U.S.

According to OSHA, every year, 2 million American workers report having been victims of workplace violence. The Center for Applied Learning reports that workplace violence incidents have tripled in the last decade and that workplace violence is now the fastest-growing category of murder in the United States. And according to the Bureau of Labor Statistics (2016), fatal work injuries involving violence and other injuries by persons or animals increased by 163 cases to 866 in 2016; workplace homicides increased by 83 cases to 500 in 2016; and workplace suicides increased by 62 to 291. This is the highest homicide figure since 2010 and the most suicides since data collection began in 1992.

4. One in five American adults have experienced sexual harassment at work.

A CNBC survey found one-fifth of American adults have experienced sexual harassment at work. By age group, 16 percent of those ages 18 to 34 said they have been victims, while 25 percent of 50- to 64-year-olds say they have been. What’s more, according to a 2003 EEOC study, 75 percent of employees who spoke out against workplace mistreatment faced some form of retaliation.

5. 80% of active shooter incidents occur in the workplace.

The Center for Applied Learning reports active shooter incidents tripled in the last eight years, with an event occurring in the U.S. once every three weeks; furthermore, workers are now 18 times more likely to encounter workplace violence and an active shooter situation than a fire. According to FBI statistics, of 160 active shooter incidents in the United States between 2000 and 2013, over 80 percent (132) occurred at work.

Where there are people, there are risks. The actions taken by employees and even subcontractors representing your organization have a direct impact on the productivity, safety, and success of your organization. When those actions turn bad, either through negligence or intentional acts, the damage to people, brands, and profits can be significant. What are you doing to identify, prepare for, and mitigate your human capital risks?


Top 10 Risk Management Articles from 2016

By Lowers & Associates,

The end of the year is a great time to reflect and with that, we like to share our most-read articles of the year. This year’s top articles highlight a strong focus on workplace violence risk management, including active assailant concerns. More than ever, prediction, preparation, and prevention measures are needed to keep each workplace safe. Take some time to read through our top risk management articles from 2016 and plan for a safer and more productive 2017.

1. [Infographic] How to Address the Threat of an Active Assailant Incident in Your Organization

Each and every employee and community member deserves to feel safe. OSHA requires it, labeling it as an organization’s responsibility to provide a safe workplace. Tragically, with a growing number of active assailant incidents happening all around the country, this threat is more relevant than ever before. Over a two-year span, 26 states experienced 40 active assailant incidents, resulting in more than 230 casualties.


2. Building a Culture of Compliance around BSA/AML – Guidance from FinCEN

In simpler times, the Bank Secrecy Act (BSA) regulated the Anti-Money Laundering (AML) activities of banks, as the name implies. In our globalized and networked world, it has expanded to cover financial institutions ranging from the biggest banks to mom and pop check cashing, or money transfer operations running out of storefronts in a mall. The Financial Crimes Enforcement Network (FinCEN) has launched actions against businesses across this spectrum for violations of BSA/AML requirements.



[SlideShare] 3 Steps to Responding to an Active Assailant Incident

By Lowers & Associates,

The likelihood of an active assailant situation is now recognized by the US Government (OSHA, FBI, Homeland Security) to be an event that is “More Likely Than Not” to occur, especially in high risk industries.

The very idea of an active shooter incident is unsettling. Yet the way to feel the safest and the most confident about a positive outcome (prevention or safe management/resolution) is to look at the possibility head-on and prepare as thoroughly as possible. Understanding the risk factors, putting measures in place and rehearsing for various scenarios are the best practices to mitigate loss, including the possibility of loss of life. In even more simple terms, there are three clear steps to take in response to an active shooter incident: RUN, HIDE, FIGHT.

Our latest SlideShare summarizes many aspects of an active assailant incident, including which industries are most at risk, what motivates a perpetrator, and what best practices to implement to protect your organization.

Take your own first step today – view the slideshow here:
