Making Sense of Security
Assessing facility risks accurately helps clarify selection of security services
There are many decisions to make when considering how to provide a safe and secure environment for tenants, guests and others who use facilities. One difficult decision is knowing who can best help supply the technological and contract services necessary to protect facilities.
Nonetheless, because of legal liabilities and the peace of mind that security planning brings building occupants, thoughtful consideration of the issues that go into making such decisions can significantly limit exposure and injury in the event of an incident.
Before deciding what security services and technologies are necessary, however, facility executives should have an understanding of issues affecting their organizations. There are three phases to improving security at an organization: assessing the current level of security, determining what the organization’s level of security should be and determining the best path of attaining the desired level.
Risk and Needs Assessments
Risk assessment means evaluating the chance of injury, damage or loss of assets. Assets include personal and real property, people, and critical information. Risk assessment is the process that should be used to begin determining countermeasures. When a risk is identified, there are five solutions: accept the risk as a cost of doing business; avoid the risk by removing the threatened assets to another location; reduce the risk by minimizing the threatened assets; spread the risk by hardening the target; and transfer the risk by buying insurance.
The risk assessment process involves four steps: identify assets; identify threats; identify vulnerabilities; and make countermeasure recommendations to remove risk.
Security Surveys
Although the process is easily outlined, it’s often difficult to implement. The source of risk to an organization might be subject to debate. In addition, risk is influenced by many factors, including the location of a facility or nearby facilities, and the activity of building occupants.
However, remember that circumstances change, so plan for the possibility of a significant change in security. What if a controversial company, such as a stem cell research company, moves next door?
A security survey is the way to begin the risk assessment process.
The security survey process consists of gathering the data necessary to conduct a thorough analysis of the physical and operational environment in which the security systems must operate and the threat postulated against that environment. Considerations include the full range of events potentially confronting the site or assets to be protected, the consequences of loss or compromise, and the equipment and techniques that might be necessary to deter or prevent such events.
Security surveys are necessary for a variety of reasons, including: to comply with regulatory requirements; to comply with insurance requirements; to establish security systems and procedures at a new or modified site or facility; to respond to data indicating an increased threat; or to respond to an actual or attempted forced entry or other incidents.
The scope and complexity of a security survey is somewhat flexible and should be determined on a case-by-case basis. The scope of the survey may range from an informal information-gathering visit by one or two people, upwards to include multiple survey teams equipped with a variety of complex specialized equipment. Factors influencing the scope of the survey include the size and complexity of the site, the size and complexity of the desired security systems, and the desired end product.
Getting Specific
A comprehensive security survey should provide the basic data to determine which structures are in need of additional physical security or intrusion detection system protection. It should also identify the physical and environmental factors that might affect the operation of various types of security devices, as well as the structural modifications or upgrades necessary to support additional physical security equipment, and the types and quantities of additional physical security equipment needed.
Surveys should also address security policies and procedures. Plans for new construction, modification of existing facilities or changes in operations that might impact the existing security operation should be included.
Generally, for each specific site the survey will include a description of the site to be protected, a description and evaluation of the existing security devices, if any, and a description of any known security vulnerabilities. The survey will include recommendations for correcting any vulnerabilities — if they can be corrected — and details of new protection recommendations.
Site surveys can be done by in-house personnel, equipment suppliers, consultants and systems integrators. While in-house personnel have a great deal of institutional knowledge, they may not have the necessary expertise to conduct a full-scale site survey. In-house surveys generally work best for small add-ons to existing systems.
Equipment suppliers generally offer free security survey service to current or potential customers. Be aware, however, because the survey results tend to be biased towards the manufacturer’s products. This type of assessment may work well for add-ons to existing system and under limited circumstances.
Consultants may be available for assessments, but are only as good as individual areas and levels of expertise. They may operate alone, or may contract substantial portions of the survey work to other consultants. They may also be used to conduct a pre-survey, requirements analysis and to act as a liaison between the facility and a systems integrator retained to do the actual site survey and system design.
Systems integrators specialize in conducting large-scale site surveys, determining requirements and integrating products and techniques from a wide variety of manufacturers into complete operating systems. The differences between an integrator and a consultant can be subtle or nonexistent. Generally, a systems integrator will have a multidisciplinary staff, while a consultant will not.
When Security Officers are Needed
If the threat and needs assessments suggest security officers are necessary, how can facility executives know they are getting the best value?
Contracting of security officers is difficult. Guard contracts are historically low-bid based. A majority of a guard contractor’s expenses are personnel costs. Contracts based on the lowest salaries hire the lowest-paid employees. Keep in mind the adage: You get what you pay for. A corollary, however, is that you get what you ask for.
Simply put, any guard service is only as good as the contract. Guard contracts typically run on slim profit margins, meaning contractors can’t be expected to operate beyond the terms of the contracted services and still make money. As a result, facility executives should be sure to get the services they expect to receive in writing and in the contract.
A guard contract can involve many different parties, including a contracting officer, a contract monitor or inspector, the contractor, the contract manager and the contract employee.
The contract begins when a security specialist establishes need and justifies the expenditure. Typically a security manager then approves and obtains funding. The specialist or manager submits requirements for the contract, including the number of guard posts, and written standard operating procedures.
A “post” is specific assignment staffed by a security officer. A post can be fixed or mobile. A typical post would be a lobby of a facility. A post might be Monday to Friday from 9 a.m. to 5 p.m. (40 hours per week), 24x7 (168 hours per week), or anything in between. Often overlooked is the number of hours involved in a contract. The general rule of thumb is that it takes five people to cover one post twenty-four hours a day, seven days a week. This number includes staffing three shifts a day, seven days a week, and includes hours for training, vacation and sick days.
Security contracts differ from other service contracts in one specific aspect. Most security posts cannot go empty. For other services, if a worker misses a day because of illness or vacation, the job simply doesn’t get done that day. Security positions, by their nature require that every post is filled every time. This requirement means that when a position is open, overtime might be required to allow other officers on the contract to fill the vacant post.
Maintaining Control
Important to the contract is a specific removal procedure for security officers under the contract. Ideally, the contract should contain a specific clause that allows facility executives to remove any contract employee, at any time, for any reason. This clause does not require that the contractor terminate the employee, only that the person be removed from the contract.
Security officers, like any other employee, are allowed breaks and a lunch period. The contract should address who covers the officer’s post during breaks. This is an important issue in contracts that have fewer officers.
Other issues include specific assignment of what equipment is required, and who provides the equipment for the contract. Remember, guard contracts run on low margins, and money not spent is profit. There have been contracts written that specify who supplies flashlights, but disputes break out over which side provides batteries. Other disputes have occurred over provisions that require contractors to provide radios, but not necessarily working radios. One contractor had six radios, but only three worked. The contract didn’t specify who would pay for repairs to the radios, and the contractor was unwilling to bear the expense of repairing broken radios.
Lastly, inspections are an important part of maintaining successful contracts. Inspections must occur every day at every post, and must be consistent and in writing. Follow-ups with the contractor should occur to keep lines of communication open. A good contract will provide both penalties for poor or substandard performance and rewards for exceptional performance.
Security can be a difficult, but necessary, task to undertake. Proper planning and well thought out contracts can make a difficult task manageable.
Tool to Help Determine RISK
Facility executives undertaking a risk-evaluation project have multiple sources of information to determine perceived risk. Interviews with building occupants and recollections of events and threats to an organization are just a few.
It’s important to the security decision-making process, however, that the perceived-risk information be evaluated against an objective measure. If it’s not, there’s a chance that the security measures put in place to address perceived risks might be too stringent or too loose.
The CAP Index is one source for objective risk information.
CAP Index Inc. is a company that provides analysis information to help decide on locations for new outlets and to determine the appropriate level of security at existing sites. The CAP Index is a forecast intended to indicate the likelihood of crimes occurring at any location in the United States and Canada. CAP Index scores are provided for any specific location in comparison to national, state and county averages. The scores are scaled so that a value of 100 is equal to the national, state or county averages. Thus, a CAP Index of 200 is twice average, while a score of 50 is one-half of average.
By employing sophisticated computer modeling techniques similar to those used to forecast the economic trends of the nation and to forecast weather, CAP Index is able to forecast where criminal activity is likely to occur. CAP Index has created a statistical forecasting model that correlates demographic data with survey information and other databases with known indicators of crime.
The CAP Index crime forecasting model incorporates a wide variety of information from neighborhood demographic and physical housing data, FBI Uniform Crime Reports, National Crime Surveys, local police data, and company crime loss reports from major industries. The national score compares the crime risk at a specific location to the crime risk at "Main Street, U.S.A." The national score allows facilities in multiple locations to be compared to each other using a common baseline.
The state score compares a location to the rest of the properties in the state the site resides in, rather than to the country as a whole, while the county score compares the location to the rest of the properties in the county. This is important because in litigation, juries are chosen from the local environment. Jurors’ perceptions and anxieties about crime will be the result of experiences in that county, not the nation. Facility executives thrust into security litigation should be aware of the local as well as the national crime risks to facilities. |
Why YIELDS What A true assessment of why an organization wants to improve security is important in determining what technology and services will be needed to achieve its goal.
Knowing whether an organization wants to truly provide a safe and secure environment, or whether it simply wants to meet a legal obligation can go a long way in determining what type of security plans should be put in place.
The two approaches can yield very different results.
Consider a company that hired a director of security to oversee several retail establishments. Upon taking the job, the director of security indicated it would take several months to assess the company’s security position before making changes. Eventually, the security director started making recommendations to enhance security.
The company acted on none of the recommendations. As it turned out, the company hired a security director only because the company’s insurance company suggested they hire an experienced security professional to reduce its premiums. The offered reduction in premiums far exceeded the salary of the security director. The company didn’t want to make any changes; it simply wanted a security director on the payroll for the accompanying reduction in premiums. |
Jeffrey Dingle is the assistant director of special projects for LSI, a U.S.-based antiterrorism, homeland security and physical security training company. He has held security specialist and instructor positions with a presidential library and private industry.
E-mail comments.
Related Topics:
