Critical assets for business continuity and risk management
In an ever-changing world with traditional and new threats to business continuity, the security function is critical in mitigating and managing those risks.
Business continuity responsibility reaches across most areas of a business, and all staff have a role, directly or indirectly, in ensuring its success. It is a fundamental objective for any security team. Evolving and emerging technologies are enabling companies to deliver more efficiently and effectively against business continuity objectives, using technology and people to the best effect.
CCTV is a good example where markedly improved functionality in terms of image capture, storage and retrieval and automated alerts based on pre-determined algorithms free up security staff to focus less on time consuming monitoring, and more on the value-added tasks of analysis and deduction – essential activity in identifying areas of risk and pre-empting threats.
As the technology and the skills required to deliver a security service evolve, it is important the highest standards of professional and technical competence are maintained. For example, the latest version of the NSI code of practice for companies approved for the design, installation and maintenance of CCTV surveillance systems – NCP 104 Issue 3 – concentrates on ensuring users’ requirements are accurately understood, interpreted and embodied in system design, and operation.
The code forms a part of the basis for NSI approval of installers, as well as the basis of the certificate of compliance issued on system commissioning signifying due consideration has been given to the threats faced by an organisation in the delivered solution design.
From a CCTV monitoring and analysis perspective, the NSI code of practice for the provision of control room services – NCP 107 Issue 2 – is a framework to be applied by operators ensuring the highest standards through specified training requirements. It sets out that operatives new to the role of monitoring and analysis be assessed for competence within three months of employment against relevant criteria relating to the duties they perform.
Closer working relationships between commercial security providers and law enforcement agencies means the role of the security officer is fundamental not only for protecting an immediate site or premises, but as a source of information, often in real time, that is safeguarding the community.
For example, many security officers, particularly in the City of London, are trained in the national counter terrorism awareness initiative, Project Griffin. Security managers are the focus for guidance issued by the National Counter Terrorism Security Office on managing increased threat levels. The guidance can be used as part of an escalation plan during a rise in the threat level.
SOCs (Security Operating Centres) are another example of how the blend of technology and people can work exceptionally well. SOCs gather data and information using a range of services, including web crawlers, and employ experts in intelligence analysis, operational understanding and communication. SOCs are a valuable asset in the security toolbox, helping organisations to benefit from an intelligence-led approach to security. They often serve as the communications hub for crisis management, helping with informed decision making and deploying resources to return the organisation to a ‘business as usual’ state as quickly as possible.
Businesses can assess to some large degree how security suppliers are able to achieve these high standards through scrutiny of the approvals held specifically for the services offered. Approvals are important as a recognised means of establishing integrity, technical competence and effective management in service delivery. Part of the NSI Gold audit covers the quality management standard ISO 9001, which itself covers business risk assessment. Although there is no specific requirement for a business continuity plan (covered in BS EN ISO 22301:2014), compliance to this approval does signal value.
This is particularly important given the Greater London Authority assesses that up to 73% of small businesses do not have a business continuity plan in place. Often these are the very businesses forming part of longer supply chains for larger organisations.
Security management and business continuity are interdependent and part of an integrated whole that delivers broad effective security. The security team is best placed in terms of physical security for the assessment of risk, deterrence and prevention of breaches, preparation and readiness to respond, and finally support post-incident recovery. They are at the heart of reducing and managing risk, protecting assets and people, adding value on which it is impossible to put a price.
Richard Jenkins, Chief Executive
National Security Inspectorate