Security Risk Management

Further to carrying out a security risk assessment, it is possible to identify proportionate and cost-effective countermeasure options, having regard to the cost of potential loss. Physical protections is generally specified having regard to key security principles below, 3DR:

• Deter: This principle is often undervalued, although it is typically the lowest cost solution. Deterrence can be achieved through visible measures such as; signage, CCTV, lighting, or manned guarding.
• Detect: It is imperative to ensure that a potential adversary can be detected at an early stage, ideally externally (prior to breach) and notification measures are in place to enable response. CCTV and lighting are typically the key measures, particularly given advances in CCTV analytics. The two must however be properly integrated, to ensure compatibility and avoid conflict. Other measures include motion detection intruder alarms (internal / external).
• Delay: The typically physical security measures should protect the perimeter, all points of external access, all internal routes to upper / lower floors (stairwells / lifts) and any critical assets. It is important to consider all aspects of the barriers, including structures, locks, hinges, etc. Physical security is typically specified in accordance with the principle of ‘Defence in Depth’, which adopts a layered approach.
• Respond: The physical protection system must be set up to enable early detection and appropriate response. Response can range between; Public Address (PA) system, static guard response, remote response, or Police (depending on verification). Where remote response is adopted, appropriate physical security measures should clearly ensure early detection and delay, to avoid a significant loss event.

There are various ways to mitigate risk, including the 4 T’s, which are set out below:

• Tolerate: To tolerate the risk, the probability and impact of the event may not justify the potential countermeasures.
• Terminate: It may be possible to terminate trading activities, such as arranging working from home, if that mitigates the risk and enables lockdown.
• Transfer: Security risk may to some degree be mitigated by insurance. The security risk assessment will consider the probability and impact of a loss event and therefore what should be covered under the insurance policy. For high profile buildings, it is now general practice to include cover for damage caused by riots / civil unrest.
• Treat: There are various ways to treat risk, including the following controls:
  • Preventative controls (e.g. physical protection equipment)
  • Corrective controls (e.g. business continuity, or emergency response procedures)
  • Directive controls (e.g. ensuring training and awareness of staff)
  • Detective controls (e.g. post incident, asset register checks)

Security workforce during lockdown

On 26 March 2020, the SIA confirmed; ‘Roles essential to supporting law and order, with the potential to reduce demand on policing, also meet the critical worker definition. This would include, amongst other areas, the guarding of empty or closed commercial, retail or office premises; the monitoring of similar through CCTV or other remote means; and the provision of alarm response centres including mobile units’ and ‘…assess whether you can deliver more services remotely e.g. through CCTV. If a physical presence is required, then you should seek to minimise the number of staff deployed to the lowest safe level and ensure social distancing is applied’.

Therefore, it remains possible to secure sites by whatever means are considered necessary, including manned guarding. However, there is a requirement to consider whether security functions can be carried out remotely. At most sites, the level of resource during lockdown will simply be equivalent to typical out of hours, or weekend guarding. This often reflects the minimum resource levels.

During lockdown, the key is to regularly test the physical protection system to ensure it is effective, identifying any failures at an early stage and having measures in place to resolve them. Guarding can be employed, if a site is considered vulnerable.

Lockdown (partial / full) considerations

I have set out some key steps below, to assist building owners / managers, in managing the security risks during the period of reduced occupancy, or complete lockdown.

Security risk management

• Carry out a security risk assessment, to consider any changes to security threats, vulnerabilities and as such, necessary countermeasures.
• Consider suspending access rights for all but critical staff, depending on stakeholder approvals, or furloughed staff, having regard to insider threats.

Assignment instructions

• Review the site-specific assignment instructions, which should include partial / dynamic / complete lockdown procedures.
• Consider whether these procedures apply to the occupied status of the building.

Communications / IT

• Ensure the site IT network / telephone communications are maintained and reliable, to ensure monitoring of physical protection equipment.
• Ensure all key stakeholder contact details are up to date and ensure regular contact, to provide assurance and instructions regarding access / re-entry.
• Consult occupiers to determine re-occupation plans / volumes.

Deter

• Ensure there are appropriate deterrence measures in place, primarily signage, CCTV and lighting.
• Good housekeeping is essential to remove any potential reward.

Detect

• Consult the maintenance provider, to confirm whether remote monitoring of the physical protection system can be established and implement response procedures.
• Alternatively, ensure alarm, notifications and response procedures are appropriate and reliable.

Delay

• Ensure the physical protection system is proportionate to the occupancy levels.
• The number of external points of access should be limited and all other doors should be physically locked down, or secured and alarmed (where required for fire escape).
• Review access control permitted areas and fail open procedures.

Respond

• Subject to the status of occupancy and security risk, it may be appropriate to install a PA solution.
• Consult your security provider to determine a response procedure / commitment and availability of essential static guards, which are considered ‘key workers’.
• It may be necessary to review Lone Worker procedures. Alternatively, consider outsourcing guard patrols at random, via a local service provider.

Systems

• Regularly assess system performance, including day / night CCTV, lighting levels, systems alerts (motion detection, access control, door management, etc), to ensure failures are identified at the earliest possible opportunity.
• Consider Uninterrupted Power Supplies for CCTV installations (access control controllers are typically supported).
• Carry out random surveys and testing. All access and lockup must be recorded and validated.

Maintenance

• Consult your maintenance provider to ensure essential maintenance activities will continue and confirm response procedures.
• Consider how maintenance activities will be coordinated during lockdown.

Insurance

• Ensure appropriate insurance is maintained and relevant to assessed security risks.

Compliance

• Review the full extent of the security team responsibilities and consider whether all statutory requirements are properly managed (H&S, fire, GDPR, etc).
• Ensure that all guard SIA licensing is kept up to date.

Re-entry considerations

Procedures

• Establish procedures for re-entry and communicate with all stakeholders. These are likely to be aligned with heightened threat level response procedures, set out within the site assignment instructions.
• Ensure all occupiers are aware of procedures and consult them regarding phased working hours, to reduce peak flow.
• Define thresholds for scalable increases in service delivery.