Rome didn't scale by adding more quaestors. Retail can't scale by adding more store detectives. Practitioners who've run the numbers know most loss comes from the inside—people, process, and procedure driving margin erosion. This is the path from apprehensions to enterprise risk, rooted in craft, backed by evidence.
If you've spent time in retail loss prevention, you're somewhere on this path. The Romans called it the cursus honorum, a mandatory progression through public offices. You couldn't skip levels. You had to earn each seat.
The role kept expanding: e-commerce fraud, organized retail crime (ORC), compliance, crisis, continuity, while HR, Finance, Ops, and IT focused on their core work. Who was handling the rest? Practitioners building cross-functional teams to support the enterprise. Retail has the same progression: hourly investigator to business-resilience leader. Anyone who's looked at shrink by category knows internal and operational loss dominates. The cursus honorum maps the journey and the principles that define excellence in the role.
Rome kept adding quaestors thinking volume would solve the problem. Retail kept hiring store detectives for the same reason. Practitioners who measure total loss know neither scaled. The framework for the map has been there; the question is who uses it.
The profession started in the late 1960s and 1970s, built by people from law enforcement and military service. They installed the first PTZ cameras, transformed LP/AP at major retailers, created recruiting firms and daily publications. No playbook, no certification. They invented all three.
Camera room. Sales floor. One job: catch shoplifters.
Expectations were explicit: one apprehension per forty hours; two or three employee interviews per month. The narrative: cases equaled worth. Tell the C-suite we're catching people stealing. The industry promoted leaders on apprehensions and admissions. At the crossroads of digital transformation and data analysis, the question isn’t why the field is changing—it’s why it took this long.
More stops meant a better program. The incentive was catching bad actors, both external and internal. It is a statistic that haunts the industry today, rooted deep in the profession but far from honing the craft. Practitioners who dug into the numbers saw operational errors and process failures as the real drivers of loss. The data was always there.
The profession drifted from what the craft could already see.
Rome kept adding quaestors. More territory, more investigators. But the real problems were systemic. Same story: more store detectives didn't solve operational loss. The industry needed a different kind of leader.
First inflection point: stop focusing on individuals, start on environments. A messy backroom and a receiving dock without controls are margin erosion in plain sight. Every investigation leads to training or theft.
This wasn’t a subtle shift. It required practitioners to look past the person in front of them and see the process behind them. Shrinkage without a suspect attached—receiving errors, pricing failures, inventory distortion—didn’t fit the enforcement model. But it was where the money was.
High-value inventory, regulated products, compliance. You need process, controls, and partnership, not just authority. Consulting exposed practitioners to dozens of retail environments. Building programs from scratch taught executive presence and how a business actually runs.
The aedile era introduced a question the profession hadn’t faced before: can the practitioner speak the language of the business? Reading a P&L, understanding margin, translating operational risk into terms a CFO acts on—none of this was part of the traditional toolkit. The profession never built a formal path to develop it. Those who found their way there did so on their own.
The aedile didn’t arrest people in the marketplace. They made sure the scales were honest and the grain wasn’t spoiled.
Same job. Different millennium.
29% employee theft. 27% operational error. Practitioners who track by category have seen it for years. Most programs still allocated resources to external threats. The data pointed one way; the industry narrative pointed another.
56% of loss is internal. The craft has always had the tools to see the full picture. Buy-in lagged.
NRF/LPRC National Retail Security Survey 2023
Practitioners who have audited their own programs know the pattern: shrinkage—loss without a known cause—consumes the budget while known, measurable, preventable loss goes underfunded. Markdowns, waste, receiving errors, pricing failures. Every internal investigation ends in one of two places: training or theft. Both are solvable. Neither requires a camera.
The tribune influenced without authority.
Some couldn't make the transition from enforcement to partnership. The ones who adapted had stopped equating cases with worth. They became trusted advisors. You needed all stakeholders on board.
Exception-based reporting changed the game. POS analytics flagged refund abuse, discount manipulation, void patterns across thousands of registers. The best cases were built on transaction data, not surveillance footage.
For the first time, practitioners could see loss at scale—not one register, not one store, but enterprise-wide patterns that no camera and no floor walk would ever catch. The data didn’t just support investigations. It replaced the need for most of them.
LP/AP built careers on instinct. Then: trust the algorithm. The ones who combined field experience with data became exponentially more effective. The praetor administered justice on evidence, not intuition.
The shift raised an honest question for every practitioner in the field: is my value in what I’ve seen, or in what I can prove? Instinct built on decades of experience doesn’t disappear—but the boardroom increasingly required evidence alongside it. The practitioners who learned to pair both became harder to replace.
High-value merchandise wasn’t selling. Why? Locked up, hard to buy. In one program, a test of open sell with creative EAS produced a 40% sales increase at a single store before rolling to the rest of the enterprise. That’s a business win discovered through security methodology—the kind of outcome practitioners have seen in the field.
Outcomes like these reframe the role entirely. The question shifts from “what did we lose” to “what are we leaving on the table.” When a practitioner can answer both, the conversation with leadership changes.
Protecting revenue and enabling it.
True risk evaluation asks not just where are we losing money, but where are we vulnerable and why.
The TRL framework reframes the conversation: 42 categories of loss across operations, supply chain, e-commerce, and corporate. While ORC dominates the conversation, internal causes continue to erode the foundation. Implementation demands cross-functional authority, executive alignment, and organizational buy-in.
Beck, A. (2016). Beyond Shrinkage. RILA. TRL 2.0: From Theory to Practice (2019). RILA.
Security became loss prevention, then asset protection, then LP/AP—a new name every cycle, yet the industry remains stuck in an identity crisis. The core tenets of the craft remain. The question is whether the practitioner can walk into the boardroom with business acumen.
Enterprise budgets forced vendors to hyper-focus on ORC. Those solutions don't map cleanly onto mid-market retail, where internal theft and operational error dominate. Left behind, practitioners built their own analytics and workflow grounded in how the job actually gets done.
The tools, frameworks, and solutions are already here. It's time to turn the page.
The consul earned the position through every preceding level. C-suite ESRM leaders speaking business risk, enterprise continuity, strategic alignment.
“We have a $3M ORC problem and recovered $250K” frames value narrowly. “We’re at 54% ESRM maturity, targeting 61% by Q4” changes the conversation.
Cases used to equal worth. Maturity equals credibility.
ASIS published the ESRM Guideline in 2019. Traditional LP/AP operates from control: lock it up, say no, enforce. ESRM inverts that. Whoever owns the asset owns the risk. Practitioners advise; they don’t decide unilaterally. The methodology conflicts with legacy thinking at a fundamental level. Few programs are structured to develop that person—yet.
ASIS ESRM Guideline, Sept 2019
All external theft—every category, organized or not—accounts for 36% of shrinkage. ORC is a subset of that 36%. No published study has ever isolated ORC’s share. The one industry attempt to quantify it—a “nearly half” claim in 2023—was retracted months later as a “mistaken inference.”
Shrinkage itself only measures unknown loss. Add the known categories—markdowns, waste, supply chain damage, pricing errors, administrative failures—and total retail loss is substantially larger. Under that lens, ORC likely represents single digits of actual loss.
The industry’s loudest advocacy—task forces, legislation, lobbying—targeted the smallest slice of the problem. The majority of loss never got the same energy, the same funding, or the same strategic priority. The Congressional Research Service put it plainly: “There are no reliable national data on the prevalence of ORC.”
The industry’s loudest policy issue is built on data that doesn’t exist.
NRSS 2023 (FY 2022); CRS IN11840 & R48061; Beck, Beyond Shrinkage (2016).
The path is the qualification. You can’t manage enterprise risk without having stood post, managed operations, conducted internals, built analytics. The consul doesn’t present case counts to the board—they present risk posture, maturity benchmarks, and the dollar cost of inaction. They translate field reality into language the CFO acts on.
The cursus honorum wasn’t optional in Rome. It shouldn’t be here.
Traditional loss prevention and asset protection are built on control: lock it up, say no, enforce policy. The model assumes security owns the risk and decides unilaterally. Apprehensions, recoveries, and compliance audits are the outputs.
ESRM flips that. Whoever owns the asset owns the risk. Security advises asset owners; it doesn't decide for them. The practitioner becomes a trusted partner guiding business leaders through risk decisions, not a gatekeeper saying yes or no. Risk-based decisions, governance, strategic alignment. The focus shifts from enforcement to enablement.
Traditional LP/AP rewards control: fewer shrink incidents, more cases closed, policies followed. ESRM rewards partnership: stakeholders aligned, risks understood and accepted or mitigated, the business advancing its mission with security as an enabler. One model measures outcomes by what security stopped. The other measures by whether the organization moved forward with eyes open.
The methodology conflicts with legacy LP/AP thinking at a fundamental level. Most programs were built on the first model. The second requires a different kind of leader.
ASIS defines five maturity levels (culture, context, stakeholders, risk management, ESRM governance) from Initial to Optimized. Most retail programs sit in the early stages. Moving up requires executive alignment, cross-functional buy-in, and practitioners who speak the language of business risk, not just shrink reports.
ASIS ESRM Guideline, Sept 2019; ESRM Maturity Model
In January 2023, the CFO of a national pharmacy chain told analysts on a quarterly earnings call that the company had overstated its shoplifting problem. Shrinkage had dropped to the “2.5%, 2.6% range” — down from 3.5% the prior year. The CFO said the company’s investment in private security guards had been “largely ineffective” and that they had been “maybe overly dramatic on the topic.”
In September 2023, a major general merchandise retailer announced it would close nine stores in four states, citing theft and organized retail crime as the cause. A monthslong CNBC investigation using public records requests and law enforcement data found that nearly every closed store had fewer reported crime incidents than locations kept open nearby.
A Chicago-based investment bank published equity research in 2023 concluding that some retailers were using the organized retail crime narrative to distract from underlying business issues. The analysts wrote that store closures were enacted “under the cover of shrink” and that the theft narrative was being used to draw attention away from operational problems.
In April 2023, a report published by the nation’s largest retail trade association, in conjunction with a private security consultancy, claimed that “nearly half” of the industry’s $94.5 billion in shrink losses was attributable to organized retail crime. The claim contradicted the association’s own annual survey, which showed all external theft accounted for approximately 36% of losses. In December 2023, the association retracted the claim. A spokesperson called it a “mistaken inference” made by an outside analyst who linked unrelated data points.
In October 2024, the same retail trade association announced it would not publish its annual National Retail Security Survey for the first time in more than three decades. The replacement report, released later that year, shifted from measuring shrink as a percentage of sales to surveying loss prevention executives about their perceptions of shoplifting trends. Independent analysis found the replacement report’s claims of a 93% increase in shoplifting incidents contradicted the association’s own prior data showing shrink as a percentage of sales was flat between 2019 and 2022.
According to historical survey data published annually from 1991 through 2023, the average shrink rate as a percentage of retail sales has remained between 1.3% and 1.6% for over twenty years. External theft has consistently accounted for approximately one-third of total shrink. Roughly two-thirds of inventory loss is attributable to employee theft, process failures, and administrative error.
The Congressional Research Service published analyses noting that there are no reliable national data on the prevalence of organized retail crime. The CRS identified limitations in industry surveys including small sample sizes, lack of generalizability, barriers to replication, and retailers’ varying definitions of what constitutes organized retail crime.
How organized retail crime became the vehicle for everything except addressing organized retail crime.
The Greeks didn’t beat Troy with a bigger army. They built something Troy would wheel through its own gates. The organized retail crime narrative works the same way. It looks like a security problem from the outside. What’s inside is something else entirely.
Cover for operational failure. When a major retailer closed nine stores in 2023, they cited theft. A CNBC investigation found those stores had fewer reported crime incidents than locations kept open nearby (ACTA II). An investment bank’s equity research said it plainly: closures enacted “under the cover of shrink” to mask underperforming locations (ACTA III). The horse carried in a way to close bad stores without admitting they were bad stores.
A vendor market that requires an existential threat. Computer vision. RFID. Exception-based reporting. Self-checkout surveillance. The entire LP technology ecosystem scales with the perceived size of external theft. If shrink is mostly internal—which the data consistently shows (ACTA VI)—the addressable market shrinks with it. The horse carried in budget justification.
Legislative leverage built on retracted data. The trade association’s claim that “nearly half” of $94.5 billion in shrink came from ORC was used in congressional testimony and lobbying for the INFORM Act. The claim was retracted as a “mistaken inference” (ACTA IV). The legislation it supported was already moving. The horse carried in policy outcomes that survived the data they were built on.
Deflection from the two-thirds. Every data source says the same thing: roughly two-thirds of inventory loss is internal. The CRS found no reliable national data on ORC prevalence at all (ACTA VII). The 32-year survey was discontinued (ACTA V). The horse draws every eye to the gate.
The real loss walks out the back door wearing a name badge.
The narrative was always larger than the function it described.
The trade association’s own 2023 survey: only 31% of surveyed retailers have a dedicated ORC team. Another 31% use shared LP/AP resources. The remaining 38% have no ORC function at all. Median team size: 7 people.
The survey sample: 177 brands. The U.S. retail landscape: over one million establishments. The independents, the regionals, the mid-market chains—their loss problem is process, people, and margin. Not organized boosting rings.
ORC is real. It belongs in the Total Retail Loss framework, categorized correctly. But the narrative built around it was scaled to an industry-wide existential threat. The organizational reality: roughly 55 companies with dedicated teams. A few thousand investigators across the entire country.
The industry is already moving away from the ORC framing. The new language is “Total Retail Loss”—a broader framework that quietly absorbs the categories the ORC narrative excluded. Vendor decks that said “organized retail crime” in 2022 say “total retail loss” in 2025. The horse served its purpose. Now it gets repainted.
A national pharmacy chain said the quiet part out loud: “Maybe we cried too much” (ACTA I). Six words from a CFO on an earnings call that told the entire story.
The Trojan horse worked because Troy believed it was a gift. The ORC narrative worked because the industry believed it was a threat assessment. In both cases, what was inside had nothing to do with what was written on the outside.
ACTA cards I–VII. ORC team data: NRF NRSS 2023 (177 brands). U.S. retail establishments: BLS (1.08M, 2024). CNBC, CBS News, Retail Dive, Popular Information, CRS IN11840 & R48061, William Blair equity research, CFO Dive.
What happens when you retire the only yardstick that could contradict the narrative.
For 32 years, the National Retail Security Survey measured shrink as a percentage of retail sales. The number barely moved: 1.3% to 1.6%, year after year, for over two decades (ACTA VI). External theft: roughly one-third. The other two-thirds: employee theft, process failure, administrative error. The survey wasn’t exciting. It was stable. And stable was a problem for anyone who needed the numbers to be alarming.
In October 2024, the survey was discontinued (ACTA V). First time in more than three decades.
“A broad study about retail shrink is no longer sufficient.” — Trade association spokesperson, October 2024
The replacement report made a category change disguised as a methodology update. Instead of measuring shrink as a percentage of sales, it surveyed senior LP executives about their perceptions of shoplifting trends. One is data. The other is opinion.
The headline: a 93% increase in shoplifting incidents between 2019 and 2023. Independent analysis found this contradicted the association’s own longitudinal data—shrink as a percentage of sales was flat over the same period. The Council on Criminal Justice found shoplifting rates in 2023 were 10% lower than in 2019. The Real Time Crime Index showed theft below 2019 levels. FBI property crime data: decreasing trends.
The replacement report was sponsored by an anti-theft technology vendor.
“Based on a survey of impressions rather than any meticulously collected evidence.” — Independent crime data analyst
Into this vacuum stepped a retail analytics firm with the first “Total Retail Loss Benchmark Report.” The headline: $796 billion in total retail loss. The number made the rounds. It was designed to.
The breakdown tells a different story:
ORC is $9 billion of a $796 billion headline. That’s 1.1%. One penny of every dollar in the framework that replaced it. Employee theft alone is nearly three times larger. Inventory and operational errors combined exceed it by a factor of three.
The number isn’t wrong. It’s engineered. Categories that were never measured together, combined precisely because the total justifies any pitch, any budget, any priority.
The 32-year survey provided a baseline. Imperfect, but longitudinal. You could compare year to year. You could see that shrink wasn’t spiking. You could see that external theft wasn’t the primary driver.
With that baseline gone, what remains is perception surveys, vendor-sponsored reports, and numbers too large to contextualize. The CRS already noted there are “no reliable national data” on ORC prevalence (ACTA VII). Discontinuing the one survey that measured total shrink consistently didn’t create that vacuum. But it made sure nothing would fill it.
You don’t have to fabricate data if you can retire the instrument that would contradict it. The measurement problem isn’t that the numbers are wrong. It’s that the yardstick is gone, and what replaced it was designed to measure feelings, not facts.
NRF NRSS (1991–2023, discontinued 2024). NRF “Impact of Retail Theft & Violence 2024” (164 brands, Sensormatic-sponsored). Appriss Retail “Total Retail Loss Benchmark Report” (2026). Council on Criminal Justice. Real Time Crime Index. FBI property crime data. Popular Information (Dec 19, 2024). CRS IN11840, R48061.
This site was built by LP/AP practitioners. Decades across big box, specialty, food service, and consulting—hourly undercover work through enterprise security risk management. No advisory board, no vendor sponsors, no conference speaking circuit.
The editorial is sourced from public records: earnings calls, Congressional Research Service reports, CNBC investigations, equity research. Every claim links to its origin. The framework—cursus honorum—maps how the discipline actually evolved, not how it gets marketed.
If the work is useful, it stands on its own. If it isn’t, credentials won’t fix that.