The risk management safety net: standards and codes of practice
What is the role played by standards, codes of practice and quality management systems in risk management?
Risk management policies and procedures implemented by public and private sector organisations help strike the balance between fulfilling their various daily activities and enabling adequate protection for staff, customers, site infrastructure, visiting contractors, stock, and operational on-site equipment including IT – without interfering with the important, prime activity.
Regularly reviewing this in the context of evolving risks and threats can highlight potential vulnerabilities, as well as opportunities for continual improvement. Policy often invokes standards as a short cut way to ensure quality is maintained. One key to optimising risk mitigation lies in making use of the latest standards and codes of practice developed in response to evolving threats and new technologies. Complementary utilisation of ISO 9001 approval for quality management systems assists in this objective through its inclusion of a strong customer focus, the motivation and responsibility of top management, a process based approach and continual improvement.
Detector activated CCTV
Detector activated CCTV surveillance systems delivering police response is a case in point. The existing standard, BS 8418 (first introduced in 2003 and currently undergoing its third revision), has disappointingly not been widely adopted as a means of qualifying for a police URN. The ‘root and branch’ changes being introduced in this latest version of the standard – BS 8418 version 3, due for publication in 2021 – will tackle previous limitations including a perceived high system cost and, some would say, overly onerous installation requirements.
Cyber risks
The global pandemic has accelerated the role of IT-based communications in all our lives, and the emergence of significant new online security challenges for residential users and commercial/public sector organisations continues to be a growing cause for alarm. Increasingly internet-connected devices and systems, and the growing number of links in home and business networks, leave individuals and companies vulnerable to cyber attack.
Recognising this, the British Security Industry Association’s Cyber Security Product Assurance Group (CySPAG) was formed in 2017. Specifically responding to interest from installers, CySPAG produced a cyber security code of practice for installers of safety and security systems in 2020, providing guidance in practically managing their clients’ cyber risk when supplying, and installing, interconnected security systems.
NSI is working to ‘upgrade’ its scope of approval for security systems to include this code of practice, reinforcing installer competence and the confidence buyers can place in approved businesses. Similarly, an updated NSI code of practice for access control systems, NCP 109 Issue 3, is due in 2021. This revised code, embracing new technologies and methods and drawing on the latest BS EN 60839 standard series, will steer installers for example regarding IT networks and devices, along with cyber security.
The BS 10800 ‘umbrella’
Meanwhile, important developments in the security services field include the required introduction of BS 10800:2020 for NSI Guarding Gold & Silver certificated guarding providers by 31st March 2021. The thinking behind this overarching standard will simplify life for approved companies in the long run. It details managing the provision of security services at a strategic level and provides recommendations for the planning, management, staffing and operation of all organisations providing security industry services. All the security standards for static guarding, mobile patrol and events sit under the ‘umbrella’ of this new standard. Other remaining British Standards covering security services will be aligned with BS 10800 as they come up for revision.
Labour provision under the radar
Neither British Standards, nor the SIA’s Approved Contractor Scheme, directly address agency labour provision at present. Widely used, agency labour provides essential flexibility for guarding service providers. When professionally managed, it ensures security standards are maintained, not compromised, whilst remaining cost effective. Yet it remains an unwelcome opportunity for rogue labour and/or worker exploitation.
NSI is addressing this vulnerability with the introduction of a code of practice for the Provision of Labour in the Security and Events Sectors (NCP 119) after consultation with industry. From December 2021 it will become mandatory for NSI Guarding Gold and Silver approved companies to only use outsourced security staff from labour provider organisations signed up to the code.
Conclusion
Independent third-party certification plays proxy to a degree for discerning buyers of security systems and services, providing confidence in their suppliers’ capabilities and integrity, ensuring relevant service criteria are met, and certifying that associated insurance conditions are complied with.
Underpinning this, standards and codes of practice offer a valuable safety net for buyers, providing them with the reassurance of knowing that competencies are kept up to date and in line with revised standards and codes as a matter of course – in a sense, future-proofing tools.
Richard Jenkins
Chief Executive
National Security Inspectorate
Read previous articles from Richard Jenkins
For further views on this topic, see related articles in our categories: Counter Terrorism Risk Management and Security Management