Friday, June 6, 2008

Is Your Key Control A Cornerstone Or Liability

Writen by Scott Serani

Have you ever thought about how your retail organization handles the distribution and record keeping for its mechanical keys? If you have, what did you conclude? That the current system is a cornerstone of your security program or a liability? If you're like most, you might have reached the decision that it was just too stressful to think about and simply stopped thinking about it.

Whether you have hundreds or thousands of stores – the issue of key control MUST be addressed or it will likely impair the effectiveness of all your other security operations.

Where do you start?

By reading this far you already have started. Now let's take it to the next level by breaking the problem down into its simplest components.

A good example of a company that does it right is G & S Oil, a retail marketer of Conoco and Texaco petroleum products throughout Colorado. G & S follows each of these four steps in managing key control at its seven service stations and 6 convenience stores.

G & S recognizes that there are four critical pieces you must address when looking at key control.

1. The quantity of existing keys has to be controllable. Management must know the number of keys being used at each location. Five cannot turn into six without your knowledge. It's that sixth key that was reproduced at the kiosk in the mall, the neighborhood hardware store or even by your own locksmith who forgot to document the event that will cause you problems. You have to have a system with a proven track record of restricted keys – keys that have only one way of being duplicated – with your authority.

According to Jim Larkin, retail sales manager for G & S Oil, each manager at the 13 different locations is responsible for keeping an inventory of keys registered to the stores' employees. G & S employs between six to 10 workers per location. The number of keys varies between location, from four to six.

If you cannot control the number of authorized keys to that front door, your security program is virtually useless.

2. Policies and procedures to rekey must exist. As a retailer, there will be times when keys are outside of your control – they've either been lost or stolen. And, there is the issue of keys are left unaccounted for because of employee turnover. Inevitably, there will be a day that keys to your operation will turn up missing. It's one thing to have dropped a key over the side of the boat to the bottom of the lake, and something else to suspect it is still in the hands of that very angry ex-employee. What is your store's policy when employees leave?

At G & S, a store manager doesn't have to call a locksmith to rekey all the doors every time a key is unaccounted for because it's been lost or stolen. Instead, G & S outfits its store managers with a master key.

"With this system, the doors can be rekeyed in a matter of seconds," said Larkin.

"I have a master key for all locations and don't have to worry about not having access to a location if a problem arises after normal operating hours."

A set of policies and procedures should be developed that let your store managers know when the store should be rekeyed. Instructions on rekey procedures should be clearly and concisely documented. Whether you use interchangeable cores, call out the local locksmith, or utilize some of the more technologically advanced "user rekeyable" locks, the fact remains – missing keys are a liability and a risk. A regulated program to rekey doors made vulnerable when a key turns up missing could prove to be a necessity.

3. Records management is a must. What good is going to all that effort and expense to get your system under complete control (knowing all the doors, all the keys, all the keyholders) only to lose that control by not staying on top of it from that point on?

Larkin leaves the records management to the supplier for G & S – Englewood Lock & Key. It monitors all of the G & S locations as well as the number of authorized keys per store. When a location requests replacement keys, Englewood Lock & Key notifies Larkin for approval.

"This system means I don't worry about tracking the many keys in circulation, and I can focus more on retail sales," said Larkin.

All it takes is one event (like getting an authorized sixth key to that location) that isn't recorded that will start the degradation of the system you worked so hard to implement. You might remember next week that there are now six keys, but it is unlikely you'll remember it next year – and it's guaranteed your successor won't either.

In the last few years, significant technological advances have been made in the area of real time records management. Computer technology, coupled with the Internet, has provided capability for record keeping that never before was possible. Whether you have five locations or five thousand locations, computer technology software now makes "real time" control over all doors and keys a reality.

4. Policies, procedures and enforcement are critical to the success of the program. You might have the most sophisticated key control program on the planet (restricted keys, rekeying avenues, real time records) and end up with nothing if your own company does not embrace the need for the very control you sought to provide. Management must understand the need for rules and the enforcement of those rules. Policies should be enacted that cover who is allowed to have keys for your doors and when the store's doors should be rekeyed. Without these policies in place, you'll end up exactly where you started – with an uncontrolled liability.

How do you begin to create an integrated program to monitor – in real time – and control key location, key holders and keys?

Step 1 to obtaining control begins with an objective assessment of your security program. Measure the effectiveness of your program by taking the test in the sidebar. Ask yourself if your current program has the four critical elements (restricted keys, rekey practice, records management and policies/procedures). Determine the vulnerabilities and risks inherent in your current program.

Step 2 is to make the decision to fix it. Document your reasoning so that you can use it as a checklist as you transition into the new system.

Step 3 requires building your constituency – you will need it. Don't kid yourself – this change will meet resistance – human nature resists change or anything that is designed to regulate access. You need your management to endorse what will be necessary to achieve the result. You'll need the company's budgeting decision-makers to understand the cost effectiveness of one program over another based on the agreed upon goals.

Step 4 is to then begin evaluating key control programs on the market today. When you research and interview vendors about your particular needs, look for a vendor who approaches key control as an integrated program – not just cylinders, keys and software. This particular vendor will relate to what needs to be done on all levels including the nuances of day to day procedures at your own operation. This vendor can sometimes even drive it for you – monitoring and managing your day to day security. However, it is important to note that they cannot simply do it for you. There is no way to avoid the need for your company's "buy in" and commitment. The most sophisticated program is of no value if managerial hierarchy does not endorse the need for the policy and thus the enforcement to go along with it.

Before you actually begin…

Review, one last time the key points and objectives laid out above together with those you documented for yourself.

Does it contain the four critical components of an effective, long term system?

Then begin with the intention of completing the task in its entirety.

To some, this will sound cumbersome. It sounds like a lot of work doesn't it? It probably even sounds like it will cost more than your budgets would ever permit. The fact is, any total overhaul will seem expensive. But those who have done it – with the right vendor/partner – will often find it to be not much more expensive than simply replacing the cylinders and keys you already have in place. And the long term effect of a properly run system is tremendous savings – not to mention the increased security. There are means today by which you can actually save money while simultaneously gaining security control.

Remember, it only takes one event – stolen merchandise, vandalism or one tragedy somewhere in the course of normal business operations to more than justify the effort.

SIDEBAR: How serious do you take your store's security? Take this test and find out:

1. Do you know of every locked door in your domain? (Every location? Every locked door in each?) Are they documented somewhere? (Think they ought to be?)

2. Do you know who is holding all the keys for all those doors? (In other words, do you know where every key is that could open one of your doors?) Don't forget about any master keys you may have (e.g. District Masters). Don't forget about all those keys that have been loaned out to contractors and cleaning crews over the years. And oh yes, don't forget any of those reported lost or those you were unable to retrieve from ex-employees.

3. Are your keys on "restricted sections"? In other words, can you depend on the fact that your keyholders can't get duplicates down at the local hardware store? Are the five keys you originally handed out still at five or have they been multiplying without your approval?

4. If you found a key to one of your doors, would you know whose it was and what it fit? Or would it simply be deposited in that coffee can or shoebox so many of us maintain – the "tomb for unknown keys".

5. If a key was reported lost, would you rekey? What if it was stolen?

6. If you had an event, would you be able to answer one of the first questions surfaced in the investigation – "who has keys to this door?"

Interesting, simplistic questions – don't you think?

If YES was your answer to each of the above, you are to be congratulated – your key control program is indeed a cornerstone to your security program. We would suspect that with the other measures you likely have in place, your facilities are about as secure as they can be in today's world. You need not read on any further in this article.

If NO was the answer to one or more of the above, the unfortunate reality is that there is a hole in your key control program and thus a potential liability in your overall security program. Compounding that liability even more is that so many of us have focused our attention and our funds on the latest/greatest high tech solutions often deluding ourselves into believing we have a sophisticated program while completely overlooking a fundamental question "who has a key to the front door?" -- the equivalent of constructing a building without a foundation – a security program without a cornerstone.

As low tech and likely uninteresting a subject as it might be, the fact of the matter is that key control MUST be thought about or it will likely impair the effectiveness of all your other measures.

Mr. Serani is the President of InstaKey Security Systems where he has directed the company's focus on mechanical key programs for the last 20 years. Considered today to be one of the security industry's experts in this cornerstone niche of security programs, Mr. Serani has published numerous articles and is often asked to speak to Loss Prevention forums in a variety of industries and government venues. He is most noted for his entertaining methods of relating real world key control issues to practical/proven solutions.

www.instakey.com

No comments: