Understanding Risk Is The Key To Buying Successful Security

ISS Security (International Security and Surveillance Ltd)

By Tim Whitfield, Group Sales & Marketing Director, ISS Security (International Security and Surveillance Ltd)

Corporate security service purchasing decisions must be based on risk assessment, not merely a replication of past arrangements, argues Tim Whitfield of ISS Security Group.

Saying that risk assessment ought to be at the heart of the security strategy may seem like stating the obvious, but the plain truth is that far too many security contracts are being specified, tendered and let on the basis of a simple replication of historical arrangements.

How many central London businesses can say, hand on heart, that they responded to the terrorist bombings of 7th July 2005 and the attempted attacks on 21st July 2005 with a full, comprehensive and considered review of their risk portfolios and measures in place to mitigate those risks? All too few, I suspect. And such reviews should not be restricted to London businesses, although it's clear to me that many outside of the M25 do perceive grave risk as being restricted to the capital.

So if risk isn't at the heart of the purchasing decision, how are these decisions made?

Perhaps businesses that have not been seriously affected by crime or assault (from whatever source) in recent years sit back and assume that their security procedures are robust and effective. And if it ain't broke, don't fix it. Sadly, the reason their business hasn't been affected may have more to do with the fact that it hasn't been targeted than any security they have in place.

Security strategies must be reviewed at least annually, and a contract review or anniversary does seem to be the ideal opportunity to do so.

Although fewer and fewer businesses retain the full-time services of a specialist security manager, this is no barrier to good security thinking or good security practice. Indeed, many highly competent security chiefs are now engaging with British businesses on a consultancy basis. Instead, however, we see more and more price-driven tenders where the prime considerations are TUPE (the perceived need to re-employ staff in their posts regardless of the value or suitability of the service they provide) and the desire to have a benchmark to directly compare suppliers' costs.

I understand this, I really do. But I cannot escape the conclusion that when procuring security services, the primary consideration ought to be the accurate and impartial evaluation of risk and the selection of the most appropriate and cost-effective suite of countermeasures to those risks. If not, what is the point of security as a meaningful part of the corporate machine? Equally, one should not assume that change equals additional expense - there's no logic that would lead to this conclusion. Quite the reverse may be true, in fact, as the technical innovations that have taken place in the security industry in the recent past can be brought to bear, bringing efficiency and best practice in one tidy, palatable package.

Both generic and specific risks have changed dramatically in the past few years - for all of us. We owe a duty of care to staff, visitors and the commercial entities that employ us to keep them safe, to protect their assets and interests and to maintain business continuity. Those interests are not best served by simply repeating last year's formula, nor indeed a formula that has been in place for two, five or ten years.

Sadly, many security companies are incapable of providing the intelligent, evolutionary and expert service that I describe... but some are. Surely it's the role of the professional buyer to seek these companies out and take full advantage of the skills that they have to offer.
