Five Steps to Creating Security Contracts that Reduce Risk
During COVID-19, the failings of security companies and officers tasked with monitoring returned travellers isolating in Melbourne hotels brought the security industry under intense scrutiny. While the goal should have been for all people working and residing in the hotels to be able to leave the hotels virus free, the exact opposite occurred. Multiple security officers were infected, which led to new and increased rates of community transmission.
While a number of issues contributed to the fiasco, ultimately one group is responsible for the service provided by the security contractors. And that’s the person or business who is paying for the service.
From my 25+ years of experience in the security industry, poor delivery occurs when the client has not properly defined their needs or the expected outcomes of the contract.
Read our 5-step process for defining and measuring the effectiveness of your security management and avoiding failures in the delivery of security contracts.
Step 1 – What is the purpose of the security service?
When security services are procured, it will be because there is a perceived risk of an event occurring if security in some form is not applied. Or, an event has occurred, and the business wants to prevent it from happening again.
But that’s a very broad position and one that is difficult to measure.
If security is applied properly, it can be measured for its effectiveness. If it can’t be measured, then something is broken.
Measurement is so important, yet 86.9% of the security contracts we have reviewed over the last 6 years had no form of measure included in them. This makes it impossible to determine if the contracts are actually delivering value to the business.
From the outset, we need to determine what success looks like. To do this, think about the risk position today, and where you need it to be in 3, 6 or 12 months from now. What does that look like for the business?
Below are the top 5 reasons our enterprise clients will typically procure security services.
- Minimise loss/incidents
- Zero reputational damage
- BAU maintained
- Client and stakeholders happy
- Minimise expenses/maximise profitability
As an industry specific example, a key metric for a prison should be zero inmate escapes.
In hotel lockdowns for returned travellers, a metric should be no staff or contractor contaminations.
The metrics should be the gains to the business by security performing its intended function.
The process of contract delivery starts by aligning the security functions to the needs of the business.
This is important for two reasons:
- It defines the purpose and outcomes of the supply contracts, and
- It allows the effectiveness of the security service to be measured.
When service expectations are not met, either one or both parties have failed somewhere.
If the service is not delivered to the expected standard, there can only be two reasons for this:
- The client did not properly articulate the required outcomes of the service, or
- The contractor did not meet the required deliverables of the contract.
Many businesses will have a model they follow when procuring security services. They will broadly outline their requirements and include some commercial terms and details on contract tenure. They rarely, if ever, go far enough in defining the scope of the contract or its purpose.
Part of our role as specialist security and risk advisors is to assist our clients with defining the scope of the required services, procurement and service delivery. We bring our subject matter expertise to ensure that they get exactly what they need from their security providers.
Step 2 – What security services to use?
Once the purpose of the security services has been determined, the next step is to identify the best way to achieve it.
Below are the top 5 most popular methods for securing commercial property:
- People (staff and/or cleaners)
- Security personnel (guards/patrols/alarm response)
- Electronic access control
- Alarm systems
Security is never about one thing.
It’s always a combination of three elements working in harmony together – people, process and technology.
There are many ways that these three elements can be applied to achieve the defined business outcomes.
Cost is always a consideration. A budget will be one of the first things to think about. How much money should the business spend on security until the risk position of the business becomes acceptable?
There are several factors that help determine this, including the type of property, its accessibility, location, risk profile and purpose.
If you don’t know the best way to deploy security to your property or how to minimise the risk position of the business, then get some guidance from someone who will know.
Step 3 – Who, How, What, Where, When
With agreement reached on the type of security services needed, the next step is to determine the level of security required. For this, we follow the Who, How, What, Where, When model.
- Who does it?
- How do they do it?
- What do they do?
- Where does it happen?
- When does it happen?
This is when we determine how best to deliver the security services in order to meet the required business outcomes.
As an example, a rear door to a warehouse is a likely point of intrusion. Staff are known to leave the door unsecured at times as it is used by smokers throughout the day. The client wants to ensure that a breach does not occur, which means that the door is to be kept closed at all times.
It’s been determined that a mix of security processes are needed to ensure the door is kept secure. The table below is an example of how to apply the Who, How, What, Where, When model in this situation.
Step 4 – Measure
With the security services agreed, we now need to apply units of measure to ensure that the security services are provided as agreed.
Service Level Agreements (SLAs) are applied to each supply contract and internal key performance indicators (KPIs) are set by the business.
SLAs are a common way to measure contract performance, while KPIs are routinely used as a measure of a company’s goals and objectives.
Examples of SLAs are:
- the security monitoring company actions all alarm events within two minutes of receipt
- all security officers undergo a formal induction process on the property before they’re allowed to work unaccompanied.
An example of a KPI would be that incidents of loss reduce to zero over 6 months. The KPIs will be aligned to the objectives of the company that have been agreed in Step 1 of this process.
Note that in the above table, we have already applied one form of measurement by documenting the time by which the services are to be operational. There’ll be others that will also need to be considered.
Measurement is not just important for ensuring contracts are delivered properly. It’s also important to determine if the security activities are actually delivering results.
- Are security incidents decreasing in line with expectations?
- Has the business experienced any disruption?
- Is the reputation of the business still intact?
- Is expenditure in line with budget expectations?
These are all easily measured and need to be measured every month. Any negative result may mean that the security strategy is not working as intended and will need to be reviewed. Circumstances change over time and security is rarely ‘set and forget’. It’s something that needs ongoing monitoring and measurement.
Step 5 – Governance
With the type of security decided and the units of measure in place, all that’s left is to provide oversight and governance to ensure that what has been procured is what is delivered.
This is achieved by the respective security providers reporting their actual performance against the contract SLAs each month as part of their contractual obligations. This should be undertaken in conjunction with irrefutable systems and work practices such as electronic guard tour systems that register each security patrol attendance.
Each contractor must be able to prove they have delivered what they committed to provide. Accountability is also critically important, which dictates that penalties must be applied for non-compliance and serious contract breaches.
In the example of the hotels in Melbourne, an infection of a security officer should have immediately indicated either that protocols had broken down or that the protocols were inappropriate from the outset. A review of operational procedures should have occurred immediately once the first security officer was diagnosed.
There were fundamental failures in the delivery of the services in this example, given that so many security officers became infected.
Over to you
A simple test to determine if your security is effective is to do a quick review of incident history over the last 3 years. Are incidents trending down, up, or remaining static over that period?
If they haven’t reduced, then it’s time for a review of your security practices.