Threat level system

by Mark Rowe

Dr Peter Speight writes of increases in the security threat level.

The threat level system is part of the Government’s counter terrorism strategy and reflects the level and nature of the threat from international terrorism. Threat levels are a tool for security practitioners working across different sectors of what we call the Critical National Infrastructure (CNI), and for the police, to use in determining what protective security response may be required.

In simplistic terms, the objective of the threat level system is to act as a ‘trigger’ so that all security efforts, be they official, commercial, or those of the general public, reflect the immediacy of the threat – in other words, they should elicit an appropriate response. As for the general public, the UK security services require a heightened state of alertness so that millions of individuals are added to official ‘eyes and ears.’

For a commercial security operation, heightened awareness (as it should be for other staff members) will be one essential requirement should the threat potential increase, but there is a further range of enhanced duties and tightened procedures that should come into play to sensibly protect against an increased risk. Below is an outline of the official UK threat levels and attendant response levels.

Threat levels

Low; an attack is unlikely
Moderate; an attack is possible, but not likely
Substantial; an attack is a strong possibility
Severe; an attack is highly likely
Critical; an attack is expected imminently

Response levels

Official response levels provide a broad indication of the protective security measures that should be applied at any particular moment. They are set by security practitioners in Government and in some Critical National Infrastructure (CNI) sectors. They are informed by the threat level but also take into account specific assessments of vulnerability and risk. Response levels tend to relate to sites, whereas threat levels usually relate to broad areas of activity. Within response levels, there is a variety of security measures that can be applied.

Security strategy

The risk management strategy for the security guarding contract rests on fully understanding the range of attendant risks. We reach the point where we can construct and then execute a ‘risk informed strategy’ by first understanding current national, regional and site-wide threats and hazards, through a socio-political risk assessment and site-specific risk assessments, supported by site security and vulnerability audits.

The consequence of these highly detailed and well-practised processes is that we will be able to assess how current security practices help or hinder the management of risk. ISO 31000 establishes the Securitas risk management methodology, following the seven scalable elements of the process, which makes it applicable to the assessment of risks at both a strategic and business unit level.

In project management terms, we consider the above processes to form the ‘Discovery Phase’ of the wider project. The next phase in the project process is the ‘Design & Development Phase,’ where we translate our assessment and audit findings into a detailed Security Strategy.

The resultant Security Strategy will itself be based on a number of agreed Objectives, each with a list of tasks to be achieved to meet the objectives within agreed timescales. Manpower, technical security systems, physical security features and procedures will be strategically integrated in the correct proportions so as to provide a true ‘solutions’ approach to the management of risks.

The proposed Strategy, as described above, will be delivered to an Operational Project Plan, itself based on principles of ‘change management,’ which falls within the ‘Implementation Phase’ of the project plan and lays out timescales, milestones of achievement and resources. The Securitas Risk Management model follows the ‘Enterprise Risk Management’ (ERM) approach, having moved away from a sole concentration on ‘downside’ security threats and hazards, now acknowledging the need to both recognise and action opportunity risks.

First it has to be said that the Securitas ERM policy and framework, whilst based on, and consistent with, the international standard on risk management, ISO 31000, now takes this standard further than traditionally found within the security industry; it expands the process to include not just risks associated with accidental losses, or traditional threats and hazards, but also financial, strategic, operational and other risks. Securitas Security Services is committed, therefore, to the implementation of ERM, which is defined as “an organisational-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.”

Our approach to ERM implementation is not a one-time event. It is a process that commits the institution to an on-going programme of continuous improvement and change that requires time, resources and planning. It provides a consistent frame of reference (understanding) and common language by which risks are identified, described, measured, mitigated and reported. This is a cultural shift that starts at the Board level and permeates down through senior management and finally to all other levels. This support is demonstrated by the implementation team through their on-going commitment of time, resources, training, coaching and support to those charged with responsibilities to ensure the achievement of ERM objectives.

Background

Market pressures currently take the form of uncertainty in financial markets, a situation unlikely to resolve itself in the short term, certainly in Europe with its own unique problems. Pressures on corporate spending will, undoubtedly, affect the allocation of financial resources to security, in all its facets, and we see a trend to an over-reliance on technology as a seemingly effective way of securing assets and protecting reputational risk, albeit often without the benefit of its operational requirement being tested against risk and against procedural capabilities to respond to the information provided by the technical security systems in place. In this regard, we are passionate in our belief that, in an era of pressures on corporate margins, any security provision be truly integrated and consequent upon operationally tested and risk justified strategies.

It is also apparent that the security market has been insufficiently focused on future trends and unforeseen but often predictable threats and market pressures. It would not be inaccurate to say that security is often responsive to incidents that, with the benefit of ‘Horizon Scanning,’ may well have been avoided. A horizon is a period of time in which a risk or opportunity is likely to first occur and have impact. Normally, a technology horizon is very short, meaning things change very quickly. Conversely, ecological horizons can often be very long. We have decided upon three horizons to help the decision makers understand the likely timescale of a first impact for each ‘insight.’

Horizon 1: 1-3 years
Horizon 2: 3-5 years
Horizon 3: 5-10 years

It benefits at this point to look at our methodology for ‘Horizon Scanning’, which is based on a framework that, in the first instance, assesses:

1. External Signals
2. Future Trends
3. Internal Signals
4. Internal Futures

These make up the range of scenarios or forecasts, which fall under the heading of ‘Synthesis.’ This moves through to the Options (Analysis) stage and on to Decision Making and Implementation.

Scenarios are an internally consistent view of what the future might be, care being taken to ensure each is understood not as a forecast but as one possible outcome. In this regard, we are clear that we are in the field of Strategic Risk, that is, risk which threatens the organisation in potentially substantial ways, and horizon scanning provides advance warning which will help design escalation procedures. So, horizon scanning is the process of looking for signals which will inform the organisation. Scenario planning is a technique for “packaging” the results of horizon scanning to create alternative futures that people can relate to.

Scenario planning provides for futures that ‘real people’ can relate to and allows an organisation to move to decision and implementation. Securitas recognise that organisations and their senior management are often too consumed with the immediacy of business implementation, leaving little capacity for horizon scanning, whereas our people who are at the leading edge of scanning the future are capable of, and in fact enjoy, working with ambiguity and complex ideas; turning these ideas into strategic options, steering through into planning, and hence into operation. In essence, horizon scanning requires the use of a framework and methodology for prioritisation, based on accuracy and relevance.

On a more specific front is the issue of contingency planning in the event of disruption to the availability and supply of key resources. Business continuity management (BCM) is increasingly seen as the overarching business system under which incident, crisis and risk management can happily sit as sub-sets, within what we now refer to as ‘societal security’ planning. In 2009, a report by the Chartered Management Institute in conjunction with the Cabinet Office, ‘A Decade of Living Dangerously,’ presented findings of business continuity research and demonstrated how BCM can make a real difference by improving an organisation’s flexibility, readiness and ultimate viability in the face of an ever-changing risk environment.

Securitas are currently monitoring the seemingly increasing heat within public service organisations’ staff relations, the increasing discontent of their staff and the strong possibility of union activity, with the prospect of loss of transport and other key services.

The ‘Arab Spring’ is bringing with it the potential for further instability and closer alignment of countries whose traditional support of international terrorism has now, we perceive, actively changed in its nature. Iran’s support for Syria and its now active support for ISIS and Al Qaeda in the form of finance, material and its international logistics increases the potential for that organisation and its various offshoots to target the West and its iconic businesses.

Other emerging security threats often determine security trends, and the Cabinet Office 2013 update to its National Risk Register (NRR) is based on the 2011 iteration of the National Risk Assessment. The 2013 NRR includes two risk matrices, one detailing the risks of various terrorist and other malicious attacks, the other detailing the risk of natural hazards, major accidents and other non-malicious attacks. The use of the two matrices better reflects that a different methodology is employed when assessing the likelihood for these two categories of risk.

We draw much of our strategic planning from the NRR and from how, on a more directly corporate front, we can mirror for our clients the mitigation principle that the Government have, on a national planning level, in respect of high impact threats. It is significant, and resonates with our comments, that new social disruption and industrial action risk categories have been added to the NRR to reflect the fact that the consequences of these events are captured by a number of NRA risks and in reflection of recent events.

The most worrying trend for large and medium size organisations has to be the cyber security threat. We add this to the ever-pervasive threat of international and domestic terrorism and what now seem more mundane threats of the theft of proprietary information. The strategic threats we monitor include pandemics, climate change, political fragmentation, nuclear proliferation, religious fundamentalism and the increasing risk of international organised crime. In 2011 Major General Jonathan Shaw told the Daily Telegraph that Britain faced the prospect of losing its global position in hi-tech manufacturing due to cyber attacks, with hackers stealing sensitive commercial information. Shaw, then the MoD’s assistant defence chief for global issues, said the greatest threat came from China.

Clearly, the message coming from the UK’s security services places cyber security at the forefront of strategic concerns. Interestingly, it has also become apparent that hackers are targeting situations where mergers and acquisitions reveal seams to be exploited as two organisations seek to harmonise often non-complementary IT systems, exposing opportunities for attacks. We are warning our clients who may be in this situation to be aware of these illicit, opportunistic attempts to gain access and even control.

Securitas is firmly committed to ensuring our clients address the range of impending risks, both by implementing robust, cost-effective and risk informed security strategies and, equally, by ensuring that in the event of an emergency incident, crisis and continuity planning is in place – comprehensive, tested, and rehearsed.

In this regard we have welcomed the publication of the international standard BS ISO 22301:12 Societal security – Business continuity management systems – Requirements, building on the original BCM standard BS 25999. Long advocates and active supporters of our clients’ endeavours to establish continuity systems in line with this original standard, we are now working closely with them to manage the implementation of the new specification and requirements to build upon the work already done in this critical field of endeavour.

Knight and Perry of Templeton College, Oxford undertook research in the mid-1990s that showed that the impact of disasters on shareholder value could be serious, conclusions further backed up by the Cass Business School study into major risk events, Roads to Ruin, published in 2011 by Airmic [UK association for risk and insurance management]. This study investigated 18 high-profile corporate crises of the past decade, finding most of the companies – and their shareholders – suffered severe, uninsurable losses and most reputations suffered severe damage.

None of the companies emerged without obvious immediate harm, and among the seven issues identified were inadequate board skills to exercise control; blindness to inherent risks, such as risks to the business model or reputation; inadequate leadership on ethos and culture; defective internal communication and information flow; and organisational complexity and change.

These somewhat painful conclusions are in the forefront of our minds during consultancy and BCM training work with clients committed to ensuring they are as prepared as possible to manage impactive, continuity threatening risks.

Effective BCM integrates with incident/crisis management to ensure that if a major incident does occur then not only is the organisation able to maintain continuity of operations, it is also able to reassure all interested parties that it is in control. We make no apologies for increasing the pressure on our clients to address this increasingly vital addition to their traditional business systems.

© 2024 Professional Security Magazine. All rights reserved.