Counter terrorism resilience for crowded places
The threat of terrorism towards businesses and crowded places has evolved significantly over the years. As new technologies emerge and shifts in the social and political context occur, this is unlikely to change, writes Gareth Hulmes
Terrorism has the potential to make people feel very vulnerable when they are in public places, at work or away from home. In fact, a recent survey conducted by BRE Global revealed that approximately two thirds of participants believed recent acts of terrorism have made them more security-conscious when out and about.
Furthermore, the majority of participants considered security a factor when deciding: whether to attend an event, concert or festival; when deciding which hotel they will stay in; and when deciding which property to rent or buy.
This anxiety rightly raises questions (both of and from) those involved in the management and operations of buildings, infrastructure and public places dealing with issues of security and counter-terrorism resilience.
Like any other risk-based business issue, security demands a holistic, evidence-based approach in order to provide assurance to end users. Simple questions, such as ‘Are we a target?’ or ‘Are we secure?’, can be difficult to answer objectively without a structured approach in place. Those asking such questions are typically seeking assurance, some confidence that the arrangements in place (or planned) are likely to address the current (or envisaged) threat.
Understandably, business leaders have a range of competing issues to address to make their businesses successful. However, if a business values security and the benefits it can bring to the organisation, it needs to place security high on the agenda and commit to operating securely for the benefit of staff, customers and other valued stakeholders.
Businesses already doing this are readily identifiable in specific sectors such as energy, aviation and communications; those where security is core to the success of the business activity. These organisations appreciate that the failure to establish effective policy, compliance procedures and give stakeholders confidence in their ability to operate safely and securely, could jeopardise the future of the business.
These businesses are recognisable by their corporate strategies, financial reporting, and the transparency they exercise when communicating the security credentials they hold.
In other sectors, where security is not a principle service offering and is considered to be lower on the agenda, there will naturally be a less integrated and more ad-hoc approach to security, with greater focus on operating profit and loss. However, given the evolving threat, and the recent push for greater legislation around protective security - specifically at ‘crowded places’ as proposed by ‘Martyn’s Law’ - can any organisation, irrespective of their size or sector, afford to ignore the business risks associated with today’s security challenges?
All businesses from SMEs to large corporates need to be security conscious for a range of reasons, not least due to the health, safety and data protection legislation which apply to all. As a result, security performance, like finances, should be monitored, assessed, evaluated and reported.
How can we improve?
The following points apply whichever type of organisation you represent. They will help you assess your current situation and what might need to be done in the future.
Understand your security needs
It’s vital to document the factors associated with your business and/or estate that contribute to your security profile. This will inevitably include, but not be limited to, considerations such as:
the assets to be protected; the activities taking place at your facilities and the associated operational requirements; who needs access to your premises; and whether there are any requirements filtered down from regulators.
Understand your security risks
With the contributing factors identified, you will be better placed to document the threats and associated risks facing your organisation. This may require consideration of: whether the geographical location and local context of premises could influence the likelihood of an incident; whether your premises are iconic or have attributes that make them attractive targets;
who might target you, when and how; the vulnerability of your premises to these types of incidents; and the consequences that may result from these types of incidents.
Through the analysis of these issues, you will be in a position to determine whether any action is required. If you have not considered these factors, then there can be little assurance that your security is appropriate, proportionate and effective, or that investment in security arrangements will deliver real improvement.
Security managers will also be in a better position to communicate the need for action to senior management, should they find themselves in an organisation reluctant to invest.
What security improvements should you implement?
Your approach to securing your premises will naturally be dependent on the results of your risk assessment and should be focused on reducing vulnerabilities and consequences. Never implement security for security’s sake. Doing so will not lead to improved security, will deprive the organisation of valuable resources and may even lead to the creation of a false sense of security. Remember, if in doubt, you should always seek professional advice.
At BRE Global, our experience in supporting organisations to improve their approach to security has identified a number of common characteristics amongst top performers:
Many organisations hold a policy for ‘Health & Safety’, ‘Quality’ and ‘Environment’. Security should be treated no differently. By maintaining a written security policy and a supporting security strategy, setting out what you are trying to achieve, helps to ensure that security measures continue to meet operational requirements. This will allow you to remain focused on your objectives and ultimately measure and improve performance.
An integrated approach
Be sure to examine the benefits of adopting physical or technical solutions over personnel and procedural solutions. Whilst often effective, physical and technical solutions can quickly absorb your available security budget. Recent events have shown how quickly the threat can change, and how you might be attacked tomorrow may be very different to the methods used previously.
It is therefore important to balance the deployment of physical and personnel security; the latter of which can be reconfigured more quickly and easily, and usually at less cost.
Whatever solution you arrive at should be demonstrably suitable for the risk it is designed to address and complementary to organisation’s operational needs.
Establishing a security risk management system will help you get the most out of your security budget. It will provide a framework for effective security and enable you to evidence the steps you have taken to mitigate risks. In a security conscious organisation, there may be an enterprise level risk management system. In this case, your local management system should be aligned with that of the organisation. Where this is not the case, you may wish to establish your own system.
Incident management & recovery
Far too often, security planning stops at the point of incident detection or an incident plan may rely solely on the police for incident response. It is important that having detected suspicious behaviour or a loss at a facility, that there is appropriate infrastructure and procedures in place to communicate and manage an incident to a successful conclusion.
Having invested significant time and resources in mitigating security risks, it is important that you are able to communicate your facility’s security credentials and provide stakeholders with assurance of your capability. This might be required internally within some organisations, it may be a regulatory requirement for your sector or act as a differentiator that offers competitive advantage.
BRE Global has developed SABRE, a security assurance scheme to help organisations demonstrate their commitment to security. Launched in 2017, SABRE is complementary to the ‘Protect’ strand of HM Government’s counter-terrorism strategy, CONTEST, in seeking to help premises’ owners reduce their security risks - including those posed by terrorism - so that people can go about their lives freely and with confidence.
The SABRE approach can be adopted in two ways:
Organisations may self-assess their premises using the SABRE Online platform. This enables the end user to understand current likely performance against the SABRE standard and target improvement as necessary before identifying premises suitable to take forward to certification. SABRE Online can also be used to measure and compare performance across a portfolio, with a built-in function for internal reporting.
This involves third party verification of your security management system and provides the most robust form of approval available. Certification is suitable for those wishing to communicate performance externally or to interested parties (such as tenants, regulators and insurers) and is the approach many organisations adopt for approval of management systems.
Assessment is delivered by independent SABRE Registered Assessors, with supporting advice available from SABRE Registered Professionals – a list of which is available at www.redbooklive.com.