Below, with permission of the author, is a digest the case study chapter from Peter Speight’s book, Why Security Fails: How the academic view of security risk management can be balanced with the realities of operational delivery. The unidentified organisation in this case study is an international company that makes and distributes high-value motor vehicles.
The company’s focus is unquestionably external. It is marketing oriented, and brand image is paramount. the organisation had given security little attention, transferring responsibility for risk management to various non-specialist departments. The company’s management would not, at a basic level, disagree that a secure site is a requirement; however, over the years, they have simply been satisfied with the illusion of the visible elements of security.
The company commissioned a contractor to lead investigations into their security delivery and recommend improvements. A systematic risk management approach was applied to researching and protecting the resources and income of the business against losses. The company had not carried out any security risk assessments before, preferring to invest heavily in CCTV, access control, and guarding. Management and procurement acknowledged there was a lack of joined-up thinking and scope for much improvement.
Although a large and prestigious contractor had supplied security personnel for about 10 years, a combination of client disregard and contractor complacency caused security personnel to become ineffective. Compounding matters, the company had started assigning security personnel a variety of duties not related to the core security function. There was also a growing awareness that the security personnel did not reflect the brand image of the company.
Risk overview
Access controls, intrusion detection and CCTV all have their place as security tools, but unless the company designs and implements complete systems based on proper risk analysis, they will result in little more than an illusion of protection. Real security can be achieved only when resources are correctly allocated to security’s most pressing needs. A goal was to produce a security strategy document. This process starts with an understanding of the threats and hazards an organisation faces, be they external, internal, man-made, natural or technical. The final stage is developing the security strategy, which is essentially a policy statement; that is, a set of security objectives.
It was important to clearly arrive at terms of reference that would lead to achievable goals compatible with the company’s culture and its external focus on marketing and sales. The following threats to the company were identified: property crime, property damage, major disaster, terrorist threats, personal crime, personal injury, harassment, public disorder, computer and proprietary crime and traveller incursion. The audit assessed the suitability of the existing access control system and the security control room and found that the security measures currently in place needed to be improved by upgrading the current CCTV system, installing a more comprehensive monitoring system supported by detection and audio equipment, and adding the support of remote management. Eight recommendations were highlighted and served as key objectives.
Two specific areas that required attention were the physical security infrastructure and the manned guarding and security policy. The company decided that an access control system should be programmed to allow entry through certain points for certain personnel only; this enabled management to direct employees to the nearest point of entry to their workplace. This would also affect where people parked their vehicles, with the system recording details on vehicles parked in every company lot. Cameras were installed to view and monitor the operation of the access control devices. Where appropriate, the CCTV system is remotely managed.
The risk assessment and security audit clearly indicated the number of security officers required to execute the professional duties outlined in the site assignment instructions. However, to make progress, it was necessary to strip out non-security tasks. The security audit identified that the security officers should perform duties such as access and egress control, patrolling, issuing ID passes, locking and unlocking of doors, control of key issue, traffic and car parks management and emergency management.
The company and the security contractor agreed to formulate a recruitment plan to attract staff in line with the corporate identities of both the company and contractor. The project team implemented a 42-hour rolling shift pattern with annualised pay. The recruitment approach started using joint brands to emphasise the benefits of working at the company sites, including catering facilities, club membership, varied responsibilities, good accommodation, teamwork and a sense of belonging. One of the recommendations from the security audit was to increase security officer pay, develop personnel assessment and appraisal criteria, establish professional development opportunities, continuously review the deployment of security personnel to ensure they man challenging posts, and train security staff to provide the correct level of service.
The project team undertook an internal security awareness campaign, which provided employees with necessary information relating to the security requirement on-site. Examples of their initiatives include the creation of a security induction CD-ROM. It was only by clearly determining the success or failure of the security initiatives that the benefits could be sufficiently understood and then integrated into the mainstream management.
The project team developed a site security manual that included all of the duties and responsibilities for all positions. They then consolidated it into one standard document. Security incident reporting throughout the site required consolidation, which was achieved using a web-enabled security incident management software package. As a consequence of regular meetings, senior company management realised that brand reputation had survived despite many years of neglecting the security contract.
Some of the outcomes of the exercise—that is, the ‘after’ picture:
– The annual spending on security manpower reduced from some £3.1m a year, to £2.3 million;
– Establishment of crisis and incident management plans, which determined the roles and resources of the various departments that would have a part to play in emergency management;
– Development of a detailed security manual, risk informed assignment instructions and task oriented procedures;
– Suitable guidance and briefings at departmental level restarted the company’s Business Impact Analysis process as a precursor to workable business continuity plans;
– Reciprocal accommodation arrangements made with a large organisation in the same locale for temporarily housing staff during emergency evacuation;
– Improved security staff morale as evidenced by reduced turnover;
– The security training further contributed to a motivated security force, strengthened by task driven roles;
– A new service level agreement and continuous improvement, managed through attainment of Key Performance Indicators (KPIs), which were regularly achieved to a high degree.
For more on the book, Why Security Fails, visit the Securitas website. Peter is pictured at Portsmouth Guildhall on Friday, July 20 after his graduation ceremony. As featured in the May print issue of Professional Security, Peter gained a doctorate in business administration for Portsmouth, with a stress on security and emergency management. He plans to write a further book, ‘The Real World of Security and Risk’.
