October 2015
Security and Fire Management
Countdown to Continuity
Maintaining Operations, Minimising Disruption
Corporate Governance: Technology and Accountability
ISO 27001: Information Security Management
Historical View: Fire Safety in Heritage Buildings
Vertical Focus: Risk Mitigation for the Healthcare Sector
Contents

Corporate Governance: Best Practice (pp26-27)

5 Editorial Comment

6 News Update
SRI study on benefits of security. Plans for Emergency Services collaboration. Terrorism threat in the UK outlined by MI5

8 News Analysis: Reports on Corporate Fraud
Brian Sims evaluates the latest figures issued by PKF Littlejohn and BDO UK on the cost of fraud episodes for FTSE-listed firms

11 News Special: BCI World Conference 2015
Brian Sims previews the 2015 BCI World Conference set to take place at the Hilton London Metropole Hotel on 10-11 November

12 Opinion: Working Together
Steve Martin addresses how the disciplines of risk management and value engineering might work in perfect harmony

14 Opinion: Security’s VERTEX Voice
Peter Webster explains why the Conservative Government’s latest move designed to appoint more small-to-medium sized enterprises for carrying out public sector contracts is well intentioned, but in some ways perhaps ill-thought out

17 BSIA Briefing
Adam Chandler reviews ways in which secure data destruction can assist the healthcare sector in protecting patients’ data

20 Resilience: The Keystone Quality
What must a given business and its senior management team do to make sure resilience is part of their collective fabric? David Rubens lists the answers for risk management professionals

23 ‘Always Switched On, Always Ready’
Mike Osborne provides an overview on the key contents of a successful business continuity plan and relates why it’s vital that such policy documents are tested on a regular basis

26 Improving The Governance View
Alister Esam outlines why and how technology is essential in helping senior executives meet their governance requirements

28 Access Control: ‘The Key Issue’
Nick Dooley on security and access control for multiple sites

31 Security Solutions for the Healthcare Sector
Risk UK’s Vertical Focus discusses security solutions for the healthcare sector. Brian Sims on the NAHS Annual Conference (p33). Philip Verner reviews compliance and accessibility (p34). Daren Lang tackles surveillance systems (p36) while Charles Balcomb takes stock of access control technology (p37). Brian Sims details lone worker protection techniques (p38) and Tim Northwood centres on security management (p40). Also, James Walker brings CCTV and IP video regimes to the fore (p41)

43 Making Gates Safe
September 2015 witnessed the fifth anniversary of Gate Safe. Risk UK interviews founder and chairman Richard Jackson about the campaign’s bold plans for future development

46 The Security Institute’s View
Mike Gillespie assesses the major reasons why companies should adhere to the contents of ISO 27001

49 In the Spotlight: ASIS International UK Chapter

52 FIA Technical Briefing

55 Security Services: Best Practice Casebook

58 Cyber: Targeted Attack Defence Mechanisms

61 Training and Career Development
Mark Harding examines the all-new Level 2 Certificate in Event Security Operations endorsed by HABC

64 Risk in Action

66 Technology in Focus

69 Appointments
People moves in the security and fire business sectors

71 The Risk UK Directory

ISSN 1740-3480

Risk UK is published monthly by Pro-Activ Publications Ltd and specifically aimed at security and risk management, loss prevention, business continuity and fire safety professionals operating within the UK’s largest commercial organisations.

© Pro-Activ Publications Ltd 2015. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical (including photocopying, recording or any information storage and retrieval system) without the prior written permission of the publisher.

The views expressed in Risk UK are not necessarily those of the publisher.

Risk UK is currently available for an annual subscription rate of £78.00 (UK only).

Editor: Brian Sims BA (Hons) Hon FSyI. Tel: 0208 295 8304. Mob: 07500 606013. E-mail: brian.sims@risk-uk.com
Design and Production: Matt Jarvis. Tel: 0208 295 8310. Fax: 0870 429 2015. E-mail: matt.jarvis@proactivpubs.co.uk
Advertisement Director: Paul Amura. Tel: 0208 295 8307. Fax: 01322 292295. E-mail: paul.amura@proactivpubs.co.uk
Administration: Tracey Beale. Tel: 0208 295 8306. Fax: 01322 292295. E-mail: tracey.beale@proactivpubs.co.uk
Managing Director: Mark Quittenton
Chairman: Larry O’Leary

Risk UK, PO Box 332, Dartford DA1 9FF
Editorial: 0208 295 8304
Advertising: 0208 295 8307
3 www.risk-uk.com
Editorial Comment
Missing Links

The Royal United Services Institute’s (RUSI) latest Briefing Paper warns of the risks engendered by any steep spending cuts across those UK departments and agencies directly responsible for tackling organised crime, managing migration flows and supporting diplomacy. Were the 25% or 40% reductions now being considered by Her Majesty’s Treasury in these areas to take place, the “implications for national security could be considerable”. Indeed, defence and security Think Tank RUSI feels such cuts would cast doubts on the “credibility and coherence” of the Government’s Strategic Defence and Security Review (SDSR) despite those assurances made on rising real terms budgets for both defence and aid.

Entitled ‘The Missing Links in SDSR Financing: Organised Crime, Migration and Diplomacy’ and authored by Professor Malcolm Chalmers (RUSI’s research director), the Briefing Paper argues that, ahead of the forthcoming SDSR, the Conservative Government has made commitments towards the UK’s “willingness to devote the resources necessary to remain a serious power on the international stage, backing its ambitions with increases in funding for both defence and development.”

However, if the SDSR were to be accompanied by steep reductions in spending on the diplomatic network, or by significant cuts in the resources available for combating organised crime, such moves could well risk undermining the wider coherence and credibility of the review. The Government might then be open to the criticism that it was prepared to devote substantial resources to meeting international norms for defence and aid spending while at the same time cutting monies in areas more directly related to national security, foreign policy and prosperity objectives.
RUSI’s report highlights how the Government has “not been willing to match the budgetary protection for defence and official development assistance with similar commitments to other security-related departments” which, at least in part, also fall within the SDSR – specifically, the Home Office and the Foreign and Commonwealth Office. The Briefing Paper starkly points out how “no budgetary protection has been provided around Home Office capabilities for tackling organised crime”. For example, the National Crime Agency’s £427 million budget is considered to be part of the Home Office’s baseline budget, while local police forces have seen their own budgets fall by 25% in real terms. Both play a huge role, of course, in tackling organised crime. RUSI boldly estimates that an additional 2019-2020 allocation of £400 million would be required to provide real terms protection around the agencies with lead responsibility for combating organised crime, managing migration and conducting international diplomacy. “Such protection would not be a magic bullet,” suggests RUSI, “but, alongside the much larger investments now being promised for defence, development and counter-terrorism, it would go a long way towards financing the three ‘missing links’ in security provision that could otherwise emerge as a result of the Spending Review.” It’s certainly a compelling point of view.
Brian Sims BA (Hons) Hon FSyI Editor
“Security adds value which is vital for UK businesses” reveals new SRI sector study

In its new report published as part of the influential Security Research Initiative (SRI) series, Perpetuity Research has explored the broader benefits of security beyond the protection of assets and found a number of ways in which security has generated income for host organisations. Findings in terms of how security adds value to a business include the following:
*Excellent security is very often highly valued by clients and customers in their choice of whom to work with
*By providing better security than competitors (although more often than not there’s a shared approach across security functions to prevent mutual threats)
*By reducing insurance costs and other expenditures that come with being victimised
*By creating safe and secure environments to enable the organisation to operate at all

It wasn’t just security professionals that considered security to be important and likely to impact on key issues that affect organisational success (such as reputation, customer satisfaction, staff well-being and profitability). Professionals from other corporate departments also rated security highly and stated they believe the discipline makes a contribution to non-security departments in achieving other objectives for the host company.

The SRI report confirms that security can add value by preventing loss, particularly reputational and financial loss, and also identifies a range of ways in which it’s possible for security to enhance success (such as attracting, expanding and retaining business) and support operational success (ie enabling trust, contributing to staff well-being and influencing the now increasingly important domain of Corporate Social Responsibility).

However, the new research also identifies a number of barriers to recognising the full benefits of security:
*Security is viewed by some as an ‘intangible’ which complicates attempts to calculate a persuasive return on investment: success in security is defined as ‘nothing going wrong’
*Security is poorly understood by senior management and other corporate departments (while appreciation of the broader benefits of security can exist in pockets)
*Typically, security adopts a somewhat self-defeating stance

Professor Martin Gill, who led the study, told Risk UK: “There are many proponents of the value of security who have long been arguing that security can do – and does – so much more for a business than purely protect its assets. This research suggests that these additional benefits are significant. What’s worrying is that this fact seems to be a very well-kept secret.”
“Radical proposals” for further Emergency Services collaboration unveiled by Prime Minister David Cameron and the Home Office

Radical proposals underpinning transformation of the way in which the police service, the Fire and Rescue Services and the ambulance service work together have now been unveiled by Prime Minister David Cameron and the Home Office. Measures outlined in a Consultation Paper just published by the Government encompass:
*Encouraging collaboration by introducing a new statutory duty on each of the three Emergency Services to look at all opportunities to work with one another on a better footing and thus improve efficiencies and effectiveness
*Enabling Police and Crime Commissioners (PCCs) to take on the duties and responsibilities of Fire and Rescue Authorities (FRAs) where a local case is made
*Where a PCC takes on the responsibilities of a local FRA, allowing them to create a single employer for police and fire staff such that it’s easier for them to share back office functions and streamline management
*Enabling a PCC to be represented on their local FRA in areas where they do not take on the responsibility for Fire and Rescue Services
*Abolishing the London Fire and Emergency Planning Authority and affording the Mayor of London direct responsibility for the Fire and Rescue Service in the capital, as will be the case for the new Mayor of Greater Manchester
*Improving joint working between PCCs and NHS Ambulance Foundation Trusts by encouraging Trusts to consider PCC representation on their Council of Governors
News Update
Threat from terrorism “most serious facing Britain in security terms” urges MI5 director general

On Thursday 17 September, MI5 director general Andrew Parker gave the first live interview by a serving head of the Security Service in the organisation’s 106-year history. Parker was interviewed at length on BBC Radio 4 and talked about the work of MI5 in keeping the nation safe, addressed some misconceptions about the organisation and outlined key security challenges ahead.

In the coming months, Parliament will consider a new Bill to overhaul the existing laws that give intelligence agencies like MI5 their powers to protect national security. Now, ahead of those Parliamentary debates, MI5’s director general has spoken publicly in order to set some context around the threat posed by Syria and Iraq-related terrorism.

“MI5 exists to keep the country safe,” asserted Parker. “There should be no more of MI5 – with no more powers – than is necessary to do that. Today, though, we are being stretched by a growing threat from terrorism, and from Syria in particular, combined with the constant challenge of technological change. These days, the way we work has altered as that technology has advanced. Our success depends on ourselves and our partner agencies having sufficiently up-to-date capabilities used within a clear framework of law against those who threaten this country.”

Parker continued: “Accordingly, I welcome Government’s intent to update the legal framework and to make our powers more transparent. Making sure that our laws are up-to-date in this area can only be a good process in a free and democratic country – the very thing that MI5 exists to protect. We need to be able to operate in secret if we’re to succeed against those who mean the UK harm, but it’s fair to suggest the capabilities we use can be described more fully in law.”

The UK is facing an unprecedented level of threat at present, with Syria and Iraq increasingly at the forefront of MI5’s work. Together with its partners the SIS, GCHQ and the police service, Parker revealed that MI5 has thwarted six attempts to carry out an attack in the last 12 months alone, while intelligence has disrupted a further nine attack plots overseas during that same timeframe.

In addition to plots either directed, enabled or supported by terrorists in Syria, MI5 is facing what Parker described as “a real challenge” in trying to thwart the actions of those inspired by ISIL ideology via the Internet. In the course of its investigations, MI5 has seen individuals radicalised to the point of violence “within weeks”.

Buckinghamshire New University’s Department of Security and Resilience celebrates record number of graduates

A record number of students have graduated from the Department of Security and Resilience at Buckinghamshire New University, receiving their awards from the vice chancellor Professor Rebecca Bunting. Students have graduated at undergraduate and postgraduate levels in Protective Security Management, Crowd Safety Management, Security Consultancy and Organisational Resilience during a ceremony held at the Wycombe Swan Theatre in High Wycombe. The ceremony also saw students studying the Buckinghamshire New University-based Business Continuity Institute’s Diploma receiving their awards.

Garry Evanson CSyP, chairman of The Security Institute and head of security at Westminster Abbey, was the Keynote Speaker at the event. Phil Wood MBE CSyP, head of the Department of Security and Resilience, said: “As a leading figure in the UK resilience sector, and with his wide overview of industry issues, Garry was able to provide sage advice and commentary to the graduating students about the importance of education, service and the need for security in a changing world. The graduates themselves came from many disciplines and parts of the world, with students travelling from as far afield as Canada to receive their awards. Wood added: “Unfortunately, and as is common with the types of roles that students in the sector fulfil, many could not attend due to work and operational requirements.”

Buckinghamshire New University offers programmes across a range of security, continuity and resilience-related disciplines, including policing and criminology. In the coming academic year, the institution will focus on the launch of a Cyber Resilience Centre in Aylesbury as well as the continued introduction of special programmes for the Armed Services which allow serving personnel to accredit their experience and service qualifications to enter degree courses. The majority of the courses on offer to the Armed Services can be completed remotely. Indeed, many of this year’s graduates have qualified while in full-time jobs, in some cases on active service overseas.
“40% of £103 billion loss to fraud at FTSE firms can be stopped” states PKF Littlejohn
Research results published by counter fraud specialists indicate that UK businesses typically lose around 5.6% of their total expenditures to fraud. The £103 billion figure is equivalent to 75% of those companies’ total profits, reports Brian Sims
PKF Littlejohn partnered with the Centre for Counter Fraud Studies at the University of Portsmouth to produce the new report entitled ‘Countering Fraud for Competitive Advantage’*, the findings of which are based on a detailed analysis of 1,709 FTSE companies with a turnover of £1.84 trillion. The study focuses on the cost of fraud episodes to Britain’s FTSE-listed companies for 2013-2014 (the latest year for which data is available), and warns that only 1/30th of fraud is detected. Typically, it’s the attention-grabbing episodes not typical of most frauds**. The report examines total fraud (not just detected fraud) which, despite those headline-grabbing cases, is typically systematic, low value and high volume in nature.
Headline findings of the study

For Britain’s companies researched, the report reveals the following headline findings:
*With total annual revenues of £1.84 trillion and pre-tax profits of £137.03 billion, these companies lost £103.23 billion to fraud in 2013-2014 alone (the equivalent of 75% of their total profits, in fact)
*Reducing fraud by 40% (as has been achieved elsewhere) would effectively increase the pre-tax profitability of these businesses by £35 billion (ie over 22%)
*Losses from fraud have increased by nearly 18% over the three years since 2010-2011, and by 29% since the onset of the recession in 2008-2009
A summary of 85 of the FTSE 100-listed companies for which data was available for 2013-2014 shows that those businesses which were profitable had:
*Total annual revenues of £1.24 trillion (with pre-tax profits of £126.82 billion)
*Fraud losses totalling £67.75 billion (equivalent to 54% of the total pre-tax profits of these companies)

In addition, a summary of 182 of the FTSE 250-listed companies for which data was available for 2013-2014 shows that those which were profitable exhibited:
*Total annual revenues of £223.05 billion (with pre-tax profits of £20.68 billion)
*Fraud losses of £12.2 billion (equivalent to 59% of the total pre-tax profits of these companies)

Jim Gee, co-author of the report and head of the Forensic and Counter Fraud Services Division at chartered accountant and counter fraud specialist PKF Littlejohn, explained to Risk UK: “It’s recognised that the total cost of fraud can be accurately measured and, because of this, it may now be managed and minimised like any other cost.”

Gee continued: “Most fraud is high volume and low value in nature. On that basis, it’s difficult to detect and also expensive to investigate. Companies which have successfully reduced the cost of fraud have focused on pre-empting it. They’ve cultivated stronger anti-fraud cultures and more effective deterrence, in turn preventing fraud by designing weaknesses out of both processes and systems. Our report shows that a real competitive advantage can be gained from taking such an approach.”

Emboldening that theme, Gee stated: “This is important because fraud has increased in recent times. There are many factors contributing to that upsurge, including the impact of the recession on incomes and heightened opportunities through the cyber world. Other factors are also important, such as reduced adherence to collective moral and ethical norms and the increasing pace of business life being unmatched by related developments around controls.”

Gee concluded: “What’s notable is that we tend not to find big differences between companies in different countries. Instead, we find big differences between companies that accept fraud is happening and take this seriously and those who don’t, regardless of their country of operation.”

Professor Mark Button (director of the Centre for Counter Fraud Studies at the University of Portsmouth) outlined: “Fraud represents a significant hidden cost for many organisations and, if average levels are experienced, this report shows the significant increase in profits from which companies could benefit if they were to invest in appropriate measures designed to reduce it.”

*Copies of ‘Countering Fraud for Competitive Advantage’ are available at: www.pkflittlejohn.com/counteringfraudforcompetitiveadvantage2015.php

**How is ‘undetected fraud’ measured if it isn’t identified? Research by Jim Gee’s team over the years has looked at the costs of numerous items of business expenditure, comparing what businesses should and actually did pay. This allows an accurate estimate of increased costs caused by fraud
Enhanced due diligence required

In parallel, BDO UK’s 2015 interim FraudTrack report states that the total value of reported fraud in the UK during the first half of the year was a staggering £798 million. That figure represents a near £80 million rise on the amount noted for the same period last year. The FraudTrack document is based on all reported fraud cases worth over £50,000 between 1 December 2014 and 31 May this year.

BDO has revealed that the average cost per fraud was £3.27 million, representing a 79% increase on the same period 12 months ago (when the corresponding figure stood at £1.82 million). It’s abundantly clear, then, that fraud remains big business, with many companies and individuals seemingly still not doing enough to protect themselves from members of the criminal fraternity.

Nearly a third (32%, in fact) of the fraud cases reported were committed by employees, costing UK organisations more than £46 million. Running across all sectors from real estate to education and manufacturing, the most common types of fraud include the straight diversion of cash into bank accounts, changing supplier details to those of friends or family members’ bank details and direct payments to self/other bank accounts via either cheques or online payment systems.

Commenting on the report’s findings, Kaley Crossthwaite – partner and head of fraud at BDO – explained: “Our analysis shows a resurgence in reported fraud cases, indicating that people are still not being vigilant enough and need to step back and think about how either they personally or their business is susceptible to fraud.”

Crossthwaite went on to state: “When it comes to fraud committed by employees, experience tells us that the culture existing within a company can have a significant effect on whether fraud is detected, and also in terms of the length of time it takes to detect that fraud. In some cases, this period may be as long as seven years. Detection can often take longer where there’s more than one employee engaging in fraudulent activities at the same time and when they’re all using the ‘light touch’ culture of the host business to conceal their illegal activities.”

According to Crossthwaite, preventing the occurrence of fraud can be as simple a task as putting effective training regimes in place and regularly checking fraud controls. “The tone must be set at the top of the business,” suggested Crossthwaite, “and filter down into the organisation, in turn creating a culture of healthy scepticism.”

Concentrating on the number of cases reported, BDO reports that employee fraud was followed by investment fraud (23%) such as Ponzi schemes and boiler room scams, third party fraud (including that committed by suppliers and customers) at 20% and non-corporate fraud (16%). Third party fraud (£309 million) and money laundering (£290 million) were the largest reported areas of fraud by value.
Kaley Crossthwaite: Partner and Head of Fraud at BDO UK
Third party fraud in the spotlight

When it comes to third party fraud, the majority of cases involve phishing and changing supplier details. However, there are worrying new trends emerging and organisations need to be on the look-out for them. These include the creation of false employees and contractors and generating artificial inflation around costs.

“Given all of this,” outlined Crossthwaite, “it’s clear that businesses need to be far more thorough in the due diligence procedures carried out, not only on sale and purchase transactions but also in relation to their existing and new suppliers, customers and new recruits in-house.”

Levels of fraud differ across specific sectors, with the BDO research revealing that the public sector is falling prey to fraud most often. One-in-five (20%) cases of reported fraudulent activity occurred within public administration, accumulating a total value above £257 million. Fraud in the financial services sector was also relatively high with around one-in-seven (16%) cases being committed here, duly equating to a value of £210 million.
Professor Mark Button: Director of the Centre for Counter Fraud Studies at the University of Portsmouth
News Special: BCI World Conference 2015
Rising to the Resilience Challenge B
CI World is the largest business continuityfocused conference and exhibition in the UK and, indeed, one of the biggest on a global scale. This year, the event – which runs across Tuesday 10 and Wednesday 11 November at the Hilton London Metropole Hotel on Edgware Road – features a packed conference programme, an exhibition hall promoting the latest business continuity-centric products and services, a themed Gala Dinner and the BCI Global Awards Ceremony* designed to showcase the best in the industry. The varied conference programme – themed in 2015 under the banner: ‘How to Rise to the Resilience Challenge’ – includes much thought leadership discussion, themed debates, detail on new research, practical demonstrations and Case Studies centred on the real-world application of continuity activities**. The programme is suitable for all levels of practitioners from a wide range of sectors. In years gone by, this event has been attended by heads of emergency management, business continuity managers, company directors, senior executives, business continuity and risk consultants, operational specialists and risk managers representing – but not exclusive to – the oil and gas, Government, financial, manufacturing, retail, IT, utilities, transport and telecommunications sectors. Those with responsibility for business continuity, risk management, emergency management, crisis or incident management, disaster recovery, security, information security, Health and Safety, change management, procurement, facilities or environmental management will find much of interest. Attendees will be able to share good practice in business continuity and resilience with experts and improve both their knowledge and understanding such that they might enhance professional development. Practitioners can place themselves at the heart of global thought leadership, gain practical insights and then apply them to their organisation. 
They can benefit from excellent networking opportunities and view, compare and experience first-hand the very latest business continuity-related products, solutions and services from around the globe.
Keynote Speakers in 2015 There are five Keynote Speakers this year. Baroness Eliza Manningham-Buller led Britain’s Security Service (MI5) from 2002-2007. In this
The Business Continuity Institute’s annual BCI World Conference and Exhibition 2015 takes place at the Hilton London Metropole Hotel in November. Risk UK is an Official Media Partner for the event, previewed here by Brian Sims
presentation, the Baroness will draw on her experiences in the most demanding of working environments and stress the need for leaders in any walk of life to engage in frank dialogue while inviting constructive criticism. The Baroness is joined at BCI World 2015 by fellow Keynote Speakers Dr Melanie Irons (a specialist on the pros and cons of social media), Professor Dr Ulrich Winkler (consultant to Fortune 500 companies and a leader in the Higher Education world), Johannes Muellenberg AFBCI, director of global business continuity management at SAP SE in Germany, and – last but not least – renowned motivational speaker Steve Cunningham.
The Conference Programme The morning of Day One at conference features a Workshop on supply chain resilience (facilitated by David Windows MBCI) with input from Ray Hardy (programme director for business continuity at BT) and Duncan Ford MBCI, a partner at law firm Corpress LLP. There’s also a Panel Session centred on information security and business continuity management. Speaking here will be Niklas Henningsson (senior advisor on business continuity at PostNord) and David Hutcheson MBCI, managing director at Glenn Abbot. From 2.00 pm-3.30 pm, there’ll be a session about cyber resilience and how business continuity strategies are embracing technological change. The lead presenter is Steve Woolley MBCI, senior risk manager at Microsoft and a resilience specialist. Day Two on Wednesday 11 November sees Bill Chrichton FBCI facilitate a morning session in which Dr Rob McFarlane (assistant director for the Civil Contingencies Secretariat at the UK Home Office) reviews the last twelve months for BS 65000, the British Standards Institution’s guideline document aimed at realising Best Practice in organisational resilience. There’s also a consideration of ‘the human side of resilience’. Between 1.30 pm and 3.00 pm, Ian Clark FBCI presides over a talk from Sumit Dhar FBCI, the global head and practice lead for business continuity and risk management consulting at HP.
*The Gala Dinner and BCI Global Awards Ceremony takes place at the Hilton London Metropole Hotel on Tuesday 10 November
**The online Booking Form for BCI World 2015 is available at: http://www.eventsregistrationonline.com/bci/event1446/reg.asp
Working Together: Risk Management and Value Engineering
Steve Martin examines the similarities between risk management and value engineering, and assesses how the two disciplines might work together in the real world with a view to enhancing security regimes for today’s organisations
Upon an initial glance, risk management and value engineering may seem like two disciplines so different that they must surely contradict each other, not least because one may increase costs in the interests of efficiency while the other could seek to decrease them. As a result, it’s fair to suggest that these disciplines cannot co-exist in helping a business to function more effectively. Actually, that’s not the case. If correctly applied, both risk management and value engineering can help a business to run more efficiently and, if brought to bear on the commissioning of security technology, may help ensure the host concern selects the appropriate solutions for meeting its defined needs. How so, then? Well, that depends on how value engineering is actually applied in the real world. If applied in its purest form, it will complement the discipline of risk management and help end users make informed choices when it comes to the selection of specific security systems. However, the problem starts when the discipline of value engineering is either diluted or warped by a desire to cut costs. In its purest form, value engineering is employed to solve problems and identify and eliminate unwanted costs while always maintaining function and quality. The major issue when it comes to construction and construction projects, though, is that it’s more commonly used to cut costs. This is symptomatic of the construction market, where margins are low, tenders competitive and projects veer towards running over budget (not to mention close to the delivery timescales). This is at odds with the true idea of value engineering which places an equal emphasis on function and cost. The crucial question it asks is whether the most cost-effective solution will deliver the project’s objectives.
While cutting back on initial costs may deliver savings, when it comes to security such an approach will often have longer term consequences for the business, its bottom line and, in some cases, its reputation in the wider world.
Steve Martin: Head of the Fire and Security Association
Greater risk for end users
If this approach were applied in its purest form to commissioning security technology, it would duly result in a more expensive system being replaced with one that delivers identical levels of functionality. That said, if cost rather than value was the deciding factor, the underpinning software within this technology that facilitates expansion, updates and firewalls may be less intelligent over time. That results in a greater risk for the end user of the software becoming obsolete more quickly, an increased risk of false alarms, inoperability with other components of the building management system and parallel ‘soak in’ problems which increase labour costs. There will also be longer term costs for the end user. As a result, the key question to ask in this scenario becomes: “What will it cost us if the security system doesn’t deliver?” rather than: “How much will it cost us now?”
What are the security goals?
Given that better quality security systems are usually more expensive, the key driver in deciding which system to install usually depends on the client’s goals and desires for their building’s security. Typically, these will vary depending on the building and its users. For instance, hospitals may require little in the way of intruder alarms and preventative security devices, but may need to invest money in CCTV and access systems for their entire estate – and not just the buildings – as well as more high-end alarm and monitoring systems to protect those secure or otherwise sensitive areas where patient records are kept. Similarly, the sensitivity of medical data may require high-performing cyber security support to protect it from hackers, particularly so as hospitals move closer towards a less paper-based way of keeping records. In contrast, while a bank may have similar cyber security needs to a hospital, it might also require top-of-the-range monitoring, intruder alarm and hold-up systems due to the large amount of cash kept on the premises and the number of people using it on a daily basis. What’s clear from these two examples is that value engineering must remain true to its original purposes and not be used as a means of cutting costs. The repercussions of cutting costs on security systems in the two instances outlined above are serious. Imagine the damage done to a bank or hospital's reputation
if its data files were hacked, or if acts of fraud were committed and there was no way of identifying the perpetrators. How does this fit with the principles of risk management, though? It can be argued that risk management could be used to ensure that value engineering is employed in its purest form, not as a means of cost-cutting. For instance, the idea that everyone is part of the delivery team and that recruiting specialists help where necessary would allow for security professionals to be brought in at the design stage of a new facility or when it’s time to examine the redevelopment of an existing one. This would ensure that the decision-makers could make an informed choice on their security systems having consulted with the experts and understood that the functionality of a system may be compromised if it’s replaced by a cheaper model – resulting in a greater security risk for the business.
Value is subjective
One key issue is that defining value in terms of security technology is very subjective and pretty much depends on the building’s function, but this is where risk management can help reach a decision that’s best for the business. The notion that security is part of every technology decision and should not be seen as ‘an expensive add-on’ is entirely in tune with value engineering’s idea that every pound spent should deliver the greatest return. In the event of a security threat, this informed approach to risk management would enable the decisions made to stand up to scrutiny if the systems were able to repel that danger. Equally true is that the decision to go with a cheaper system could be learned from and resolved quickly as there would be a record of the decision made and the rationale behind it.
Element within the supply chain
One problem with the construction project process is the fact that specialist contractors – in this case security installers – are very often not in direct contact with the client, but rather part of a supply chain. As a result, when value engineering is carried out the focus is more often than not on cost reduction. Just as importantly, the perceived value of the systems is evaluated by the main contractor and client – or, in some cases, the designer – with little regard for the impact this will have on functionality. This may result in lower costs, but it may well not provide value for money in the long term if the cheaper system doesn’t deliver the kind of solution ultimately demanded by the host business.
The solution is to bring specialist contractors into the project team earlier and allow them to work directly with the client during the fledgling stages of the project. This means that the contractor who will ultimately be installing, commissioning and maintaining the system can provide its insight and expertise around what system best suits the client’s business needs. For their part, the end user customer can then make an informed choice about what security systems they want in their building. The approach outlined would mean the risks to a business have been mitigated due to advice having been offered by specialists and duly taken on board by the client, and that system functionalities have been the priority as opposed to the overall cost. In a sense, this highlights how the disciplines of risk management and value engineering can work together for the overall benefit of the building’s operation and its end users. Sadly, it’s a lesson many of today’s businesses end up learning the hard way.
Public Sector Contracts: An Evaluation of Scale and Resources
For some time now, the way in which central Government contracts are allocated, awarded and serviced has represented a cause of deep concern within the security sector. Peter Webster explains why the Conservative Government’s latest move designed to appoint more small-to-medium sized enterprises (SMEs) for carrying out public sector contracts is well intentioned, but in some ways potentially ill-thought out
The situation surrounding central Government contracts can be summed up quite simply. Small contracts go to smaller organisations, while major contracts usually end up in the hands of one single sector behemoth. Without wishing to go over old ground, the one thing that should have been learned from several well-publicised major contract failures of the recent past was that putting all of your eggs in one basket is foolhardy and may risk a disaster scenario. It’s a lesson that appeared to have been heeded when Matthew Hancock, minister for the UK Cabinet Office, recently announced an ambitious new target to have more SMEs working on central Government contracts. The headline is that £1 in every £3 of central Government spend will reside with smaller businesses by 2020. However, scratching the surface of this announcement means that, when it comes to larger ‘super’ contracts, very little will change. Let’s take a look at the figures. In 2013-2014, central Government spent £11.4 billion with SMEs. That statistic is equivalent to 26% of central Government spend. By 2020, the Government wants to increase this to a third. That would mean an extra £3 billion per annum – in 2013-2014 terms – being channelled towards SMEs either directly or through the supply chain. At the time of the announcement, Matthew Hancock stated: “This is such an amazing opportunity for the country’s diverse and innovative small businesses. I urge them to ‘get stuck in’. From computers to uniforms, there are so many opportunities for small businesses to work with us. I want to see more of them providing value for money for the taxpayer and benefiting from our spending.” It sounds like a step in the right direction and was given support by, among others, the Federation of Small Businesses. Earlier this year, the Government made another announcement in which it committed to requiring the entire public sector supply chain to be paid within 30 days and abolished pre-qualification questionnaires for low value public sector contracts.
What’s the problem?
So what’s the problem? The simple answer is that what constitutes an SME in one industry doesn’t necessarily translate to another. The Government defines a company as an SME if it meets two out of three criteria: it must post a turnover of less than £25 million, employ fewer than 250 staff and/or have gross assets of less than £12.5 million. This means that 99.9% of the UK’s 4.5 million businesses are SMEs and, with an estimated turnover of £1,500 billion, they’re directly responsible for over 14 million private sector jobs while accounting for almost half of the net growth in employment. Data from the Office of National Statistics’ Annual Business Survey shows that, on average, SMEs create around £33 of gross value added to the UK economy for every £100 of turnover while large companies generate something in the region of £26. For certain business sectors such as IT, for example, this definition makes perfect sense. However, in light of the Government’s proposed action, within the security sector we find a significant number of businesses with well over 250 employees. That being so, for many organisations in our world – not to mention other sectors that are similarly labour intensive – this announcement could make an already bad situation far worse.
In reality, a security company with less than 250 employees is likely to have a maximum turnover of around £6 million. Therefore, it would be unlikely to support a professional infrastructure for, say, compliance or HR. These are abilities a company will need in order to meet the rigors of public sector contracts. Essentially, what this latest development means is that security companies employing 250 members of staff or less are unlikely to benefit from a bigger slice of the pie due to their lack of professional specialist resources. At the other end of the scale, the sector’s biggest players will continue to gain the larger contracts due to their supposed ability to fulfil the large numbers required for certain activities. By definition, companies in the middle with between 2,000-3,000 employees and the specialist resources available will miss out on both ends of the spectrum.
Flawed logic in view
Successive Governments have maintained a policy of issuing contracts so big in scope and scale that only a small number of huge service providers can possibly consider taking them on. To put this into perspective, and to highlight the scale of the problem, Government spending on contracts with G4S reached £394 million in 2012. The reason behind this flawed logic is that the more that’s done, the cheaper it becomes to do it. While this is fine for, say, manufacturing, the same principles cannot be applied to the service sector as it may lead to corners being cut in areas such as management and back office support. Inviting a greater number of companies that are bigger than SMEs – but not in the same league as, for example, G4S and Serco – to handle these larger contracts would increase attention to detail, transparency, competitiveness and innovation. Just as importantly, being able to benchmark across a whole range of suppliers would keep prices in check. This is in stark contrast to the status quo, which offers no impetus to innovate and simply engenders a culture of complacency. There’s also the problem of our credibility as an industry. Following a number of high profile failures by major support solutions companies, we’re now unfairly perceived by some as being unable to deliver the service quality required. However, a significant contributor to these problems has been the size of the contracts let by the public sector in the first place. The Government is well aware of this issue. Late last year, Parliament’s Public Accounts Committee said that it was too reliant on a small number of private sector contractors to
provide a swathe of public services. At the time, Margaret Hodge – chairman of the Public Accounts Committee – stated: “Government must guard against quasi-monopoly suppliers becoming too important to fail. It must also encourage competition through, for example, splitting up contracts to encourage SMEs to bid for work. Competition for Government business should bring with it a constant pressure to innovate and improve. For competition to be meaningful, there must be very real consequences for those contractors who fail to deliver and the realistic prospect that other companies can step in.”
Ignoring the logistical truth
Although this sentiment is entirely appropriate, it singularly fails to recognise the logistical issues that must be addressed when awarding security contracts. It would be expensive and wholly impractical to invite numerous companies with less than 250 personnel to tender for contracts where 3,000 trained and Security Industry Authority-licensed security officers are required. On the other hand, it would make perfect sense to invite applications from three organisations that could provide 1,000 trained and fully-licensed officers. This is exactly the type of situation the latest Government initiative fails to recognise, and it’s one that could lead to problems in the future. These ‘bigger than SME’-sized companies combine the ability to carry out large-scale assignments with the kind of attention to detail that smaller organisations often display. It renders them able to hit a ‘sweet spot’ by offering the size to handle demanding contracts while still being flexible and responsive. It also means that companies working together can drive up standards, deliver on their promises and reduce the potential for problems. Although probably arrived at through accident rather than by design, the glaring omission in this initiative to have companies of all sizes working on Government contracts represents a missed opportunity for a significant proportion of the organisations resident within our business sector. Until such time that a more inclusive and wide-ranging procurement policy is put in place, it could well mean that history repeats itself. Perhaps now is the time for us to redefine what constitutes an SME in the security world.
Peter Webster: Chief Executive of Corps Security
*The author of Risk UK’s regular column Security’s VERTEX Voice is Peter Webster, CEO of Corps Security. This is the space where Peter examines current and often key-critical issues directly affecting the security industry. The thoughts and opinions expressed here are intended to generate debate among practitioners within the professional security and risk management sectors. Whether you agree or disagree with the views outlined, or would like to make comment, do let us know (e-mail: pwebster@corpssecurity.co.uk or brian.sims@risk-uk.com)
BSIA Briefing
Data and Information Security: The Healthy Approach to Risk
With data protection fines issued to public sector bodies by the Information Commissioner’s Office now approaching the £5 million mark, healthcare professionals are under particular pressure to ensure that data security is top of the agenda. Adam Chandler explores ways in which secure data destruction can assist today’s practising risk managers
Late last year, the Information Commissioner’s Office (ICO) reported that it was nearing the £5 million milestone in terms of civil monetary penalties issued to public sector bodies, claiming that for each fine issued “a tale of negative headlines and undermined public confidence” was sure to follow [1]. This is particularly true for any organisation that harbours sensitive and/or personal information, although perhaps of all the public sector bodies it’s the healthcare sector that holds the most sensitive and personal information of all – details of our health records and medical histories. To reflect the important role played by the healthcare sector in keeping our data safe, a change in the law during the first part of 2015 made it possible for the ICO to subject public healthcare organisations to compulsory audit. Previously, this was an ICO power that only extended to central Government departments. Speaking at the time, Information Commissioner Christopher Graham explained: “The National Health Service (NHS) holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This new power allowing us to force our way into the poorest performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step forward for patients.” [2]
Exposing healthcare’s vulnerability
With ICO fines issued to NHS organisations reaching £1.3 million by the beginning of 2015, research conducted by the British Security Industry Association (BSIA) reinforced the need for the law change. In a survey of healthcare professionals, the BSIA identified a number of issues and trends associated with the secure destruction of information, whether held on paper or data processing-related media such as hard drives or disks. Interestingly, 27% of those completing the survey were aware of a significant data loss incident in their organisation, with two thirds of these respondents claiming that the breach was caused by the incorrect disposal of data. As stated by the Information Commissioner, the healthcare sector is among the worst offenders for poor data security. Recent figures issued by the ICO reveal that the number of data breaches rose by 16% in one year, from 1,559 in the 12 months to April 2014 to 1,814 in the following 12 months. The healthcare sector – including both public and privately-run organisations – is revealed as one of the biggest culprits for poor data security. In the first three months of this year alone, it was behind 184 of the 459 breaches reported to the ICO [3]. This trend continued despite a warning issued by the ICO in December last year, when data breaches in Britain’s healthcare sector were reported to have doubled since 2013 [4]. How, then, might healthcare organisations protect themselves against the future risk of data breaches and subsequent ICO fines? The secure disposal of sensitive data is clearly one area in which decisive action can result in an immediate improvement when it comes to security. By appointing a professional and accredited information destruction supplier, healthcare organisations can afford themselves an additional layer of protection against the risk of a breach, while at the same time providing added peace of mind for both themselves and their patients.
A confusing landscape
Despite the urgent need for the healthcare sector to improve its data security, guidance on the subject has been frustratingly confusing and contradictory, with references to top-level Government security classifications often leading to public sector organisations ‘overspecifying’ in the data destruction procurement process, resulting in a more costly service that provides levels of security too far over and above what they actually require. In August 2013, the Centre for the Protection of National Infrastructure (CPNI) published a new standard intended to be applied to sensitive items assigned a protective marking of ‘Secret’ and ‘Top Secret’ (as defined by the UK Cabinet Office). Meanwhile, in April 2014, the Cabinet Office published new Government security classifications, in turn leading to a reclassification of existing marking levels across the public sector – a relatively simple task for those operating at the very highest and lowest classifications but more difficult for those residing somewhere in-between.
Adam Chandler: Chairman of the British Security Industry Association’s Information Destruction Section
References
[1] ‘NHS Trust visits show positive results’, Information Commissioner’s Office (1 October 2014), https://iconewsblog.wordpress.com/2014/10/01/nhs-trust-visits-show-positive-results/ (Accessed 14.9.2015)
[2] ‘ICO given new powers to audit NHS’, Information Commissioner’s Office (2 February 2015), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/02/ico-given-new-powers-to-audit-nhs/ (Accessed 14.9.2015)
[3] ‘Healthcare helps data breaches soar 16%’, Contractor UK (18 August 2015), http://www.contractoruk.com/news/0012184healthcare_helps_data_breaches_soar_16_cent.html
[4] ‘ICO warns of surge in UK healthcare data breaches’, IT Pro (5 December 2014), http://www.itpro.co.uk/data-protection/23669/ico-warns-of-surge-in-uk-healthcare-data-breaches
New BSIA guidance document
With these changes causing confusion for many public sector organisations, the BSIA’s Information Destruction Section published a new guidance document back in June. The publication aims to enable such organisations to clearly determine the classification of data and then adequately specify the correct levels of secure data destruction required. Entitled ‘Information Destruction in the Public Sector’, the guide fully explains the various classifications of sensitive data and the type of data destruction solution deemed suitable for each. According to the guide, the majority (95%, in fact) of information that’s created or processed by the public sector – including medical records and x-rays – falls within the ‘Official’ category, whereby data isn’t subject to a heightened threat profile but could result in damaging consequences if lost, stolen or published. As stipulated within the Data Protection Act, every data controller employing the services of an information destruction company is required to choose a supplier which provides sufficient guarantees of security measures, including destruction being carried out under contract and evidenced in writing. Where ‘Official’ data is concerned, data owners are responsible for identifying any sensitive information and for putting in place appropriate business procedures to ensure that
it’s securely handled, in turn reflecting the potential impact from compromise or loss. Using the services of a professional data destruction company can help data owners fulfil their legal obligations, but what should healthcare organisations look for when it comes to selecting a potential supplier? According to the BSIA’s guidelines, those working with data classified as ‘Official’ should refer to the European Code of Practice for the Secure Destruction of Confidential Material – otherwise known as BS EN 15713:2009 – to help establish their baseline and fundamental set of security controls.
Regulating information destruction
BS EN 15713:2009 is used to regulate the information destruction industry and duly recognised as the primary standard that information destruction providers should meet. Setting the benchmark for European providers, BS EN 15713:2009 is an ideal benchmark for public sector organisations in the UK to set as part of their tender process as most UK providers are aligned behind a maximum shred size of 16 mm. This is deemed appropriate for commercial confidential shredding, including documents that adhere to the aforementioned ‘Official’ classification. By ensuring that potential information destruction suppliers comply with BS EN 15713:2009, healthcare institutions can gain added peace of mind that their suppliers meet a range of additional security requirements. For example, that their premises will be secured by a combination of intruder alarms and CCTV, that members of staff have all been fully vetted and background checked and that the necessary processes are in place to ensure confidential waste is secure from collection through to its point of eventual destruction.
Guarantee of full compliance
With a range of suppliers operating in the information destruction sector – and a number of considerations to make regarding data security – choosing the right supplier is often a challenge for healthcare organisations. As such, the BSIA’s website is an ideal place to start. All BSIA Information Destruction Section companies offer the quality guarantee of compliance with both the Data Protection Act and BS EN 15713, while the website provides impartial advice on what risk managers should be looking for from a potential supplier.
*The BSIA’s guide ‘Information Destruction in the Public Sector’ can be downloaded from the following link: http://bit.ly/1UPvxDL
Resilience: The Keystone Quality
Most of us concur in the belief that resilience is a great quality for any organisation to harbour, but how much understanding is there around what that term means in the real world? What must a given business and its senior management team do to make sure resilience is part of the collective fabric? David Rubens lists the answers for security and risk management professionals
Resilience is a word that has become fundamental to many aspects of our society outside of traditional security and risk management. Transport systems need to be resilient, as do supply chains. Whole national economies have to be resilient, as does technology or the Barclays Premier League team that finds itself on a losing streak and in danger of relegation to the less cash-rich Sky Bet Football League Championship. Everyone, it seems, agrees on resilience being a quality that’s really good to have, but there seems to be little understanding of what that actually means and even less comprehension of what a business and its management team needs in order to ensure they possess it. As is the case with much terminology cropping up inside ‘Buzz Phrases of the Day’, many of the individuals using said words and phrases would have difficulty in explaining them, although they know what they think they mean when they use them. In its simplest terms, the word ‘resilience’ is used to denote the quality of being able to adapt to changes in the surrounding environment and duly maintain operational functionality in sub-prime conditions. It also includes the ability to recover and subsequently return to a normal operating position without permanent harm. Put simply, a rubber ball is classed as resilient whereas a china plate is not. To use a phrase made famous by Iain Dowie, ex-manager of Crystal Palace FC and a former striker at West Ham United, resilience is the quality of ‘bouncebackability’.
From a risk management perspective, resilience is perhaps the all-embracing quality that you would like to see in your organisation. It means that your business is able to adapt and respond, continue to operate, deal with problems effectively and, at the end of the day, exit the storm and find safe waters on the other side of a crisis. If the one quality that Napoleon wanted in his generals was that they should be lucky, then the one quality we should absolutely look for in today’s organisations is that they should be resilient.
Business Resilience: Robustness, Resourcefulness, Redundancy, Rapidity

Four corners of resilience
There have been many books and articles written on the qualities associated with resilience, but the qualities widely used when describing how an organisation can become resilient usually refer to those listed by the Resilience Multidisciplinary Centre for Earthquake Engineering Research (MCEER). They are: Robustness, Resourcefulness, Redundancy and Rapidity.

Robustness describes the general toughness of an organisation, its preparedness to take a bit of pain, the way in which it understands that things will not always be smooth or easy and its acceptance that the ability to roll with the punches is all part of building its success. There are many great footballers and rugby players considered to be at the top of the tree in terms of skill, but their managers might be concerned that they’re not ‘robust’ enough. They’re prone to injury, and small injuries tend to disrupt their availability. Other players with less skill would be considered much more robust: able to play week in, week out with all of the minor aches and pains that are part and parcel of a professional sportsman’s life.

Resourcefulness describes the quality of being able to find solutions, work things out and make things happen. Resourcefulness is a quality that needs to be embedded at every level of an operation, from the C-Suite to the front line operator. Anyone who has been involved in security operations – and notably those moving towards emergency response – knows resourcefulness is something that’s absolutely critical to operating in the fast-moving, high pressure environment associated with any sort of crisis. However good your planning and preparation may have been, once the situation takes on a life of its own, it’s the ability of everyone involved to find innovative solutions to immediate problems that will decide the success of the response operations or otherwise, whether it’s the tactical commander, logistics manager, communications engineer, lighting technician or the person responsible for ensuring that food and drink is readily available for those in immediate need.

Redundancy is the quality that allows the organisation to continue functioning despite the failure of any particular part of the operation. Redundancy (or spare capacity) is one of the crucial aspects of organisational management ensuring critical failure points have multiple alternative delivery pathways that will allow operational status and service delivery to be maintained. It’s a surprising aspect of many emergency plans that they’re actually full of ‘single path critical failure points’. This means that, if one aspect of the operation fails, then the operation itself becomes non-viable.

Rapidity is the ability of the organisation to adapt to changing circumstances in a speedy manner, developing innovative solutions and integrating them within the wider operating framework so as to minimise any potential disruption. It’s always amazing to see how organisations considered world class in their core areas of operation have a genuine lack of understanding as to how crisis events escalate, and the demands that this will make on them. The ability to acknowledge problems as early as possible in their development cycle – and then to develop solutions that can be delivered swiftly in order to minimise disruption and harm – is crucial when it comes to ‘remaining ahead of the curve’ in crisis management rather than responding once events have moved on and playing ‘catch up’ is the order of the day.
Development of Community Capital
A further quality associated with successful response is Community Capital. This encompasses all aspects of interaction between the various people involved in a response and presumes that, if they’ve already met each other, recognise each other as dedicated and capable professionals and have a good working relationship, then the likelihood is that they’ll manage the response together better than if they’ve either never met each other before or come to the situation with an active distrust of one another.

Community Capital can be developed in many ways, for instance through shared training programmes, cultural events, charity activities or something as basic as a shared dining room. As always, it’s something that can be enhanced through active management policies based on a clear understanding of the value that shared experience brings.

A good Case Study of a successful emergency management operation that undoubtedly benefited from a strong Community Capital was the Fort Worth tornado that struck Texas fifteen years ago. Although not a spectacular event in its own right, the tornado caused significant damage in the area, but the fact that the directors of the various response agencies knew each other through local clubs – and had a good social relationship – pretty much underpinned everything else that happened. Located in a relatively small town, the different agencies worked together on a regular basis and they both liked and respected each other. As one individual commented at the time: “It was so nice to pick up the phone and say ‘I need 500 mats’ with the reply being ‘When and where do you want them?’”

The truth about resilience is that it’s a reflection of what an organisation is rather than of what it does. Also, resilience cannot be added on as an afterthought, or left to one particular department to be responsible for its development and ongoing management. However good your crisis and risk management plans may be, it’s their overriding ability to survive in the challenging and unstable environment intrinsic to any crisis event that will serve as their true test of value.
David Rubens MSc CSyP FSyI: Risk Management Consultant and Main Board Director of The Security Institute
Business Continuity Planning and Testing Procedures
‘Always Switched On, Always Ready’

One of the most fundamental issues for businesses in the digital age is the ability to maintain operations and keep customers satisfied. Put simply, today’s companies can no longer afford any ‘downtime’. That being so, Mike Osborne reviews the key contents of a successful business continuity plan and why such policies must be regularly tested

Mike Osborne: Head of Business Continuity at Phoenix (Part of The Daisy Group)

While there’s nothing new in this observation, the period of acceptable ‘downtime’ for a business is certainly changing. A decade ago, taking 24 hours to recover from an incident would have been acceptable. Now, even just a few hours of downtime can be hugely damaging. If not damaging financially, reputations can be won or lost via social media commentary and coverage in those few short hours. In fact, Forrester Research recently found that the typical business interruption can cost an organisation more than £1 million.

Today’s commercial environment – wherein lies a heady combination of high expectations, instant protest and intense competition – means that modern businesses need effective business continuity plans in place that cater for more than disaster. Rather, those plans have to be designed to ensure that companies are ‘always on’ and able to demonstrably recover from an unforeseen business disruption both quickly and effectively.

Important to the business
Traditionally, business continuity means having a plan that maintains business functions or facilitates getting them back up-and-running as quickly as possible in the event of major disruption which may result from a wide range of events, among them fires, floods, pandemics or malicious cyber attacks.

While preparing for disaster to strike, the business continuity planning process also accumulates a huge amount of insight into what makes a business function. What’s actually important? How people, processes and technology interact and where the interdependencies exist are absolutely key. While the end result is a business continuity plan that provides the step-by-step procedure an organisation should follow in the face of disaster, the information gathered during its creation is invaluable when it comes to highlighting potential weaknesses and building the resiliency required.

Also, by identifying critical functions, a business can work out how best to achieve day-to-day operational efficiencies without damaging the end product or service. The business continuity process suddenly helps drive organisational strategy and customer service levels. It’s no longer just an insurance.

The first step in making sure that you have a winning business continuity plan is ensuring that you have one! There are many surveys that still highlight the lack of awareness and preparedness here. The best place to start is with the basics, by assessing business processes, determining which areas are vulnerable and the potential impact/losses if certain processes go ‘down’. Creating a list of those areas of the business that are ‘must have’ and should be recovered as a matter of urgency is a great starting point in building a business continuity plan.

It’s important to identify the people, staff, customers and suppliers that you will need to contact during any incident. Simple lists with contact details, stored in a location that can be quickly accessed and not impacted by the incident can serve as a quick win. Good, early communication might buy companies valuable customer understanding and recovery time.

From an IT perspective, the common flaw is assuming that everything’s needed. This approach takes time and can be expensive. Instead, identify the applications which are not business-critical and can remain offline for hours – or even days – with minimal business impact. Being able to differentiate between these applications can save your company time and money if a disaster should strike.

Ensure that you’re able to automate as many aspects of a business continuity plan as possible. Simply relying on staff to implement recovery processes following business interruption could lead to delays if those responsible for certain operations are also affected by the disaster causing the outage.

With this in mind, businesses could consider the role of a ‘full-service’ business continuity provider who can help with physical disaster recovery, IT services, telephony and network services restoration. This approach is becoming more common as companies of all sizes consider business continuity as a managed service or working with the support of a specialist provider harbouring proven experience of building plans that work. Such experience makes it much easier and quicker to craft and then maintain plans for your specific business’ needs by avoiding the experience gap that can sometimes hamper in-house approaches. In each case, you still own the risk appetite and make the decisions as they arise, but the business continuity process itself is run by experts and delivered to a fixed cost and service levels.
Test and stress your plan
There’s only one thing worse than not having a plan and that’s thinking you have a plan and finding out that it really doesn’t work. Fewer than 40% of companies with a business continuity plan in place test it regularly. Failure to test a business continuity plan can create false hope and expectations of what’s achievable.

While the creation of the plan is clearly important in establishing knowledge of the organisation and how to build resilience, it’s vital to ensure those plans actually work. You have to rigorously test a plan to ensure that it’s complete and can fulfil its intended purpose in the timeframe expected. Every rehearsal brings with it areas for improvement. A good number of tests fail and companies find they cannot recover in the time expected.

Forward-thinking organisations will test their business continuity plan several times each year. A few common business continuity tests include table-top exercises, situational walkthroughs and disaster simulations. Test teams are best composed of a dedicated recovery co-ordinator with responsibility for company-wide business continuity as well as members from each business unit. The key here is to have senior management sponsorship and company-wide awareness (if not participation).
The more ‘business continuity-savvy’ companies undertake a full rehearsal during which they completely recover the necessary infrastructure, applications and communications into a back-up facility. They relocate critical staff to a recovery site and actually fulfil live operations during the rehearsal. This not only proves the plan itself works, but will also familiarise members of staff with the recovery environment.
Review, update and improve
Considering the amount of effort that goes into creating and testing a business continuity plan it’s vital that, once the job is complete, the plan isn’t allowed to sit gathering dust while other business tasks take over. Plans quickly become irrelevant if they’re not treated as ‘live’.

One key aspect to take into account for the testing of a business continuity plan is the number of business processes and IT changes that have occurred since the last round of testing. A common experience for many is that the sheer volume of modern system and customer data required for recovery grows so quickly that last year’s acceptable recovery timings could become this year’s failed test.

It’s important to look into the role that mobility and remote working can play as an aspect of your business continuity plan. Allowing employees access to business data securely on smart devices and from home computers by way of the cloud could be an efficient way of keeping the company going. The cloud can be used for backing-up data as well as allowing for much faster recovery, with critical systems being restored rapidly without the need to locate and ship tape-based backups. Cloud technology also makes it much easier to test your back-up plan. You may also use the cloud to ensure that your members of staff have ready access to the latest business continuity plan stored on their mobile devices and can be easily reached via an integrated emergency contact system.

The introduction of such technological enhancements has been key to the progression from ‘recovery to resilience’ that the business continuity profession has embarked upon. The industry as a whole is working to encapsulate this journey in a way that will allow companies to understand how to build resiliency and, ultimately, demonstrate to stakeholders that they are indeed resilient. The British Standard BS 65000 Guidance for Organisational Resilience is a precursor to ISO 22316 due in 2016. This should create the benchmark for the ‘always available business with an always ready plan’.
Improving The Governance View

Corporate governance is now the very highest priority for all organisations. Responsibility for it begins – and ends – at the very top. Alister Esam outlines why and how technology is essential in helping senior executives meet their governance requirements in today’s fast-moving business environment

When media mogul Rupert Murdoch argued at the height of the News International ’phone hacking allegations that he couldn’t be expected to know what all 53,000 of his employees were up to, senior executives from the wider business community may have empathised with his predicament. Taken at face value, such an assertion would appear to be a reasonable defence, but as global scrutiny of corporate behaviours intensifies following a stream of high-profile incidents, it’s fair to suggest that Board-level ignorance is no longer an acceptable excuse. Likewise, apportioning blame to those on the front line is unlikely to succeed though it doesn’t stop some from trying.

The sands have shifted. When crisis strikes, the buck stops with the Board. The highest price of all is the long-term damage to corporate reputation and profitability. The reality of the situation is far from being all doom and gloom, though. With the right culture and good technology in place, the risk of exposure can be significantly reduced.
Top-down accountability
Corporate governance is now the highest priority for all organisations. Responsibility for it begins – and ends – at the very top. This is typified by the outcomes of some of the most recent examples of corporate wrongdoing.

When the £250 million ‘black hole’ in Tesco’s accounts was exposed last September following an overestimation on expected half-year profits – wiping £2 billion from the company’s share price in the process – it was senior executives (among them the chairman Sir Richard Broadbent, who resigned the following month) who had to face the music.

More recently, when the FBI indicted senior FIFA officials on allegations of corruption, the global media spotlight fell on Sepp Blatter, the organisation’s eighth president who has been in office since 1998. Blatter continues to voice his innocence in the face of the Swiss Attorney General opening an investigation on “suspicion of criminal mismanagement”, but the FIFA brand is now in tatters and, for many, the rebuilding process can only begin with the appointment of a new executive.

From Barings to Barclays, BP to Bear Stearns and Toshiba to Toyota, the history of alleged corporate misconduct is long and wide-ranging. Despite modern scrutiny, tomorrow will almost certainly bring new offenders. Instead of burying their heads in the sand and pretending that their organisations are immune to scandal, Boards now know they’re not only accountable for the effective running of their businesses, but they’re also ultimately culpable when things go wrong.

Boards of Directors need greater visibility of what’s happening at every level across their organisations and a robust means of holding senior executives to account. As such, the development of a strong corporate governance infrastructure is now business-critical. Corporations are working hard to define the mechanisms, processes and relations by which they are controlled and directed. Moreover, they’re establishing transparent frameworks that distribute the appropriate rights and responsibilities to all stakeholders across their enterprise, and embedding rules and procedures to ensure governance is rigidly enforced and enacted.
Best Practice in corporate governance requires the development of a clear constitution for an organisation’s ethics, the alignment of business objectives, strategic management, structures and reporting systems. This mandate must cascade down throughout the entire company.
Long-distance view required
The problem of instilling better corporate governance isn’t solved by regulation alone.
Corporate Governance: Best Practice Techniques
Although the introduction of new industry guidelines is often a natural response to a systemic failure, effective governance is a cultural challenge that’s specific to every individual organisation. To mitigate risk, Boards need to instil a culture of transparency across their businesses. Crucially, however, that transparency must be extended to the Board’s own activities, meetings and actions. The King Report on Corporate Governance recommends that companies’ governance mandates should be developed and monitored by key directors, but in large multinationals how do those key directors – such as the owner or the chairman – know what’s going on at the top level in subsidiary companies? Senior Board executives naturally delegate responsibilities to other sub-Boards, but need to have proper oversight to know that all of their companies are being properly run. How do they know that their sub-Boards are having meetings and that the processes for them are appropriately enforced? How can they ensure that the audit trail of those meetings is accurate, that decisions were based on having access to the right information and that all known precedents were considered?
A transparent solution
The answer is good technology – a prerequisite of Best Practice corporate governance. Usable technology can help ensure that all Boards have efficient and effective access to the right information and make that information searchable and available at every stage of the meeting cycle.

Historically, senior Board members have excluded themselves from the technology revolution and, instead, built superlative administration operations in a brave bid to manage meetings and the information flow that was necessarily generated. However, as Board management accountability has increasingly fallen under the gaze of the public microscope, many senior executives have recognised the valuable role that technology can play in empowering Boards with vital intelligence. As a direct result, many are now using that technology as an important corporate governance tool to provide an holistic oversight of operations and hold sub-Boards and Management Committees to account.

Organisations are increasingly moving their Board meeting papers online, giving Board members and leadership teams easy, yet secure access to key business information ahead of gatherings. This approach, which has
also driven significant productivity and efficiency gains, is reinforcing companies’ corporate governance infrastructures and providing senior executives with secure and reliable visibility of Board activity. Centrally-managed digital meeting papers can assist in ensuring proactive attendees are better prepared for Board discussions and help maintain consistent enterprise-wide communications. What’s more, in an era where companies need to be agile and responsive, online tools help them to cope with the dynamic flow of information in an evolving business environment. Likewise, technology can play a major role in assuring strong governance flows throughout an organisational structure. The right technology can provide a comprehensive audit trail of activity, effortlessly capturing the information needed to make certain businesses are being managed and run effectively.
Improvements on visibility
For senior executives determined to mitigate risk and preserve their corporate reputation, the importance of improving their organisational visibility is indisputable. The key question is: ‘Does your current approach give you sufficient oversight to know your companies are being managed optimally?’ In the modern climate, it really must.

It’s a complex challenge, but getting the basics right is imperative. Do you have an effective means of receiving accurate and reliable Board, sub-Board and Management Committee meeting papers? Do you have a single view of these papers to support your meetings or a confusing array of multiple drafts? Is critical information freely available and presented in a way that enables you to operate efficiently? Does your current approach allow for online decision-making and shared annotations that can save time and money? Can you collaborate effectively with senior colleagues pre-meeting – and, importantly, monitor their performance beyond it?

Technology can help with all of these challenges. The best tools will be simple, intuitive and easy to use and, despite the common perception that implementation is time-consuming, the smartest solutions can be ready-to-use in just a few clicks.
Alister Esam: Managing Director of BoardPacks
Access Control: ‘The Key Issue’

The challenges involved with securing multi-sites, where access is required by a variety of authorised personnel, have perhaps never been greater than they are today. Nick Dooley discusses some of the key security issues that large and multisite businesses face and offers salient advice on both reliable and robust access control regimes

Today’s businesses need their property, assets, staff, service providers and customers to operate in a safe and secure environment, backed up by a robust and traceable access control solution. The next generation of security devices must necessarily reach ever-higher standards of system intelligence and flexibility while also delivering value for money. The priority is ensuring the safety of people and the security of goods while at the same time providing maximum productivity. Monitoring and controlling restricted access facilities are also paramount, with data capture and analysis providing vital information in the event of a security breach.

Multi-sites, such as water treatment facilities, electricity operations and telecommunications points, are at risk of a number of threats including terrorism, vandalism and theft. That being so, they require greater surveillance and a higher level of security. The rising number of subcontractors operating in these sectors only increases the risk, making monitoring and controlling access points more prevalent than ever in order to guarantee the quality of the services provided.

The key challenge that affects security in such industry sectors is that sites are often isolated and located a considerable distance from one another. Another main issue is guaranteeing access to authorised users at all approved times. An authorised individual who’s unable to gain access at the right time can adversely affect the operation of any infrastructure. Guaranteeing the sustainability of the locks themselves – which, over time, can become damaged due to exposure to adverse weather conditions – is also of considerable importance.

Restrictive infrastructures
One of the main problems with traditional electronic access control solutions is the need to deploy a cable network to transport the energy and necessary Internet Protocol (IP). This type of infrastructure is restrictive and expensive to maintain. Today, two major solutions without cable coexist: the lock-centric solution (focused on the lock and with intelligence and energy concentrated in the cylinder/lock/door) and the key-centric solution (with intelligence and energy communicated to the cylinder/lock/door through microprocessors inside the key).

Key-centric solutions are ideal for larger sites and those with remote locations. Unlike the lock-centric system, the cylinders don’t require maintenance. It’s not necessary to visit sites to either update information on doors or perform battery changes as these will be implemented on the key. It always remains easily accessible.

Reliability is vital to any access control solution. The system must be able to provide the correct access rights, at the right times and to the right people in order to ensure the continued operation of the business. The most reliable and robust access control solutions are centred on the advanced system intelligence within the key, incorporating the power source, access control and tracking in one smart electronic device. Without a mechanical profile, each smart key possesses a unique serial number that cannot be duplicated but can be reprogrammed, enabling it to open one or all access points.

Reliable in terms of enabling access, power-free electronic cylinders and padlocks can also deter burglars as they cannot be picked. With admission rights provided by the key and data recorded internally, electronic locks afford much increased security compared to any other access solution. In the event of loss or theft, they may be quickly disabled.
Access Control and Security for Multiple Sites

What about flexibility?
Large businesses and companies with multiple sites often have hundreds of employees, as well as subcontractors and visitors walking through the doors every day, and in some cases 24 hours a day, seven days per week. For some of them, it’s therefore essential that access authorisations can be edited, updated and tracked at any time and from any location.

Increasing intelligence in mobile devices means that access control solutions can now tap into new technologies to facilitate the data transmission. In addition to fixed terminals, a computer connected to the Internet or a mobile phone, access authorisation and audit trails can now be carried out directly from a Wi-Fi key. With a rapid incline in technological advancements, the flexibility of the digital key device will offer the most innovative solution today and into the future.

It’s also important to note that every business is different. As such, the solution that each business requires will be different, too. Therefore, the most effective access control system will be tailored in collaboration between the supplier and customer with a view to ensuring optimum security.

With high volumes of people entering and exiting different areas of a business, it’s vital to be able to trace who has been where, when and for how long. Advanced software suites can provide access to all operations performed by users, including a complete audit trail. This information is often employed by business owners or managers for audits, improvements or compliance.

When initiating a new access control system, it’s important that the supplier and customer work together to understand who can enter a secure area, where in the building each individual is allowed access, when an individual can enter a secure area and how an individual will gain access to a secure zone. This information can be crucial in the event of a security breach, enabling investigators to pinpoint who was the last known key holder in the building and what their movements were while on the premises.
Cost-effective solutions
All businesses will have some form of security solution in place, so the question for owners or managers is not whether to secure their business, but rather the most appropriate and cost-effective way in which they can do so.

The flexibility of digital access control systems means that they can adapt to each requirement from a simple ‘plug-and-play’-style approach to complete integration within existing systems. In any case, a simple and user-friendly application suite will provide comprehensive access management. Via secured application access, the software can enable definition and management of user profiles: multi-level, multi-geographical and multi-functional.

While every business wants the tools to secure its people, assets and data, they also require a robust and reliable support system and advice from experts behind the security solution. This is fundamental in ensuring the highest level of access control and business continuity at all times.

It’s a mistake to consider security and access control as a mere cost centre. Among all categories of today’s security systems, access control is the one that represents the most profound impact on operations. The most important decision for any business is to choose the right solution that can be adapted to suit its individual requirements.

With this in mind, a careful distinction should be recognised between an online access control solution and a battery and cable-free access regime. Both have similar functionalities but the implementation cost of the cable-free solution is far lower as it requires considerably less infrastructure and maintenance.

An intelligent co-ordination between access policy and the management of operational tasks will immediately result in increased business efficiency. This rise is visible and measurable from the very system implementation by dint of reduced response times in remote interventions. In the same way, implementation of an access control solution will provide complete traceability of workflows, enabling security and risk managers to evaluate, refine and optimise certain internal processes.

Nick Dooley: Managing Director of LOCKEN UK
Theatre of Operations: Risk Management in the Healthcare Sector
NAHS Conference: ‘Safeguarding Patients and Staff’
Security in Open Environments: Taking Care of Compliance
Healthy ID: Access Control Solutions Examined
Caught on Camera: CCTV and IP Video Surveillance
Healthcare Security Solutions: NAHS Annual Conference 2015
‘Safeguarding Patients and Staff’

The National Association for Healthcare Security’s Annual Conference runs at Stamford Bridge, the home of current Barclays Premier League champions Chelsea FC, on Thursday 12 November. Risk UK is an Official Media Partner for this year’s Mitie-sponsored event, previewed here by Brian Sims

The 2015 National Association for Healthcare Security (NAHS) Conference aims to bring together like-minded delegates from this sector and address some of the key challenges they’re now facing on a daily basis. The conference – which this year runs under the banner: ‘Safeguarding Patients and Staff’ and is once again organised by Ascent Events – will enable delegates to network with colleagues from right across the country. The contents will be of particular interest to healthcare security managers, mental health and dementia leads and all those interested in methods for dealing with challenging behaviour.

Following on from a Welcoming Address by NAHS chairman Simon Whitehorn, confirmed speakers include Colin Holland (public sector security specialist at MITIE Total Security Management) who’ll be leading on the subject of ‘The Total Security Management Approach’ within the healthcare environment. Also, Chris Jones and Oliver Lacey from Fibre Technologies will review the future of biometric security solutions for healthcare projects before Lynne Owen CBE QPM, the chief constable of Surrey Police, examines the police service’s support to the NHS in austere times. In addition, there’ll be a presentation from CEM Systems’ specialist Graham Easthope. Easthope is scheduled to examine the protection of premises, staff and patients by dint of advanced, future-proof access control and security management solutions.

After luncheon and an opportunity to visit exhibitors at the event – including ASIS International, Corps Security, Cortech Developments and The Security Institute – conference delegates can then listen to presentations on combating violence within the NHS, the mechanics of restraint (this session being presented by Dr John Parkes from Coventry University), interoperability (seen as the key to increased workplace safety, security and building efficiencies) and methods for preventing data breaches.

The 2015 Annual Conference commences with registration from 9.30 am. Luncheon is included for all delegates, with the day’s proceedings scheduled to conclude at 5.30 pm following a speech from NAHS president Peter Finch CSyP and a drinks reception.

Training and information exchange

The NAHS was formed in 1994 as a non-profit making professional organisation in the UK. The NAHS works to continually improve security in healthcare facilities through training and the exchange of information and experiences. A key aim is to promote co-operation and development among NAHS members and provide them with current information through the organisation’s website, conferences, meetings and events designed to meet the challenges and complexities of protecting modern medical facilities.

Healthcare security is one of the most complex of security functions. On that basis, the NAHS aims to support and enable healthcare provision through the delivery of professional security. Ultimately, it’s about enhancing the healthcare environment. As a stakeholder in healthcare security, the NAHS supports NHS Protect as it develops the strategic direction and development of NHS-focused healthcare security. This is reflected in NAHS membership of NHS Protect Working Groups as a key stakeholder. The NAHS operates in a single national network headed by the Association’s chairman and supported by a Board of Directors who form the NAHS’ Executive Committee.
*For further information and to book your place, visit: http://www.nahs.org.uk/index.php/nahsconferences/2015-conference

**Those organisations who wish to sponsor the NAHS Annual Conference should contact Guy Whiffen at Ascent Events on (telephone) 01892 530027. Alternatively, send an e-mail to: guywhiffen@ascentevents.co.uk
Healthcare Security Solutions: Compliance and Accessibility
Security in Open Environments
As Philip Verner rightly states, open environments like hospitals require an extremely high level of protection to safeguard not only property but also patients, staff and high security areas such as pharmacies and maternity wards
Philip Verner: Regional Sales Director (EMEA) at CEM Systems (Part of Tyco Security Products)
Access control and security management systems can provide sophisticated and reliable security and, in some cases, enhance operations while also affording cost savings in the short and longer terms. When looking at a new access control and security management system or an update to an existing regime, there are many requirements that need to be considered to ensure the safety of patients and staff while also improving operational efficiencies.

Given the number of different staff groups within a healthcare environment, ranging from hospital cleaners to surgeons, a major security challenge is controlling, maintaining and assigning access levels with the ability to link card holders to certain access groups such as Day Surgery, A&E and Intensive Care, etc. Doing so ensures that each individual cardholder has the appropriate level of access to required areas and cannot enter unauthorised zones.

For highly restricted areas, additional levels of security may be achieved by adding biometric verification to card readers with integrated fingerprint scanners or image on swipe functionality to card readers with LCD displays at guarded checkpoints. With image on swipe, a cardholder’s image can be displayed and act as a simple biometric check enabling security personnel to verify the individual’s identity. Staff ID badges can also be used by security personnel to visually verify if a card holder is in a restricted area by having staff photographs on the badges.

As is the case in many sectors, healthcare security professionals must consider cost and accessibility when deploying a security systems network. IP-based technology is now widespread, and particularly so in new builds with Ethernet infrastructures. This opens up the possibility of using Power over Ethernet (PoE) technology which can bring significant cost savings to a new build project. PoE technology allows card readers, terminals and additional door furniture to be powered via a single Cat 5e/6 cable at the door. This can significantly reduce the cost and complexity of deploying a security system where an existing network infrastructure may already be in place.

Central Command and Control interfaces mean that hospital security personnel can quickly assess and deal with any alarms all from one central system. At a physical peripheral level, the access control system may also control such elements as car park barriers and car park access.
Issues around compliance

Compliance in the areas of Health and Safety, food hygiene and security, etc can also be addressed by access control and security management systems with a Checklist Mode on a card reader/terminal boasting an LCD display. Configurable sequences of images and questions may be displayed. These images and questions can be adapted for hospitals, duly displaying such messages as: ‘Have you washed your hands?’ and ‘Are you wearing appropriate clothing?’ The user must answer ‘Yes’ to all questions before the door will open.

The healthcare sector is now starting to use security management systems like other IT systems within facilities, ensuring that these solutions provide maximum return on investment: reducing resources, improving operations and enhancing business efficiency. Security management systems can be used to turn specific equipment on and off when a card is swiped, saving on energy costs and increasing efficiencies in ways that may not have traditionally been viewed as being within the remit of such systems.

Deploying access control hardware that offers more functionality and features at the door is another way of improving business operations and improving efficiencies. In addition to being a card reader and controller in one, with PIN functionality for an additional layer of security, specific systems also have a fully-integrated intercom, enabling cost savings by removing the requirement for a separate intercom unit at the door.
Healthcare Security Solutions: Surveillance Systems
Surveillance and ‘The Human Element’

Healthcare sector facilities are often environments where large numbers of people are either visiting or leaving, while the premises themselves can have any number of spaces requiring different surveillance needs. Daren Lang searches for network-based video solutions

Daren Lang: Business Development Manager (Northern Europe) at Axis Communications

The healthcare sector’s essential focus is on humans. The needs of patients, their relatives and the hospital staff come first – and rightly so. When it comes to the patients, they should feel safe in what is an already vulnerable situation for them. That feeling of safety embodies the basic need to be secured from the surrounding world as well as the need to be safe when their health and well-being rest in the hands of doctors and nursing staff. For their part, the relatives need to be certain of patients’ well-being and safety, knowing that they will receive the best care available. For the staff, the main objective is to be able to manage their work in an efficient and qualitative manner both in terms of treatment and nursing as well as the overall service.

Synonymous with healthcare facilities is the overriding imperative for first class surveillance when it comes to monitoring and controlling people movements on the premises. A hospital contains advanced technical equipment as well as theft-attracting medication. This poses a challenge to the surveillance systems both in terms of patient and staff safety and the safeguarding of assets.

With a modern network video surveillance system, it’s easy to encompass crime prevention as well as take the right actions on an incident and identify suspicious activities or individuals. Such systems work simultaneously throughout the premises, connecting different areas and enabling control of people movements which may be monitored both centrally and remotely. Network video surveillance systems make it possible to monitor post-operative patients on a central basis, in turn reducing manpower needs and shortening response times. The system rationalises the use of resources, improves daily logistics, enhances patient security and reduces waiting time.

Considering camera design

It’s particularly important to consider which camera design to use. In patient rooms, for instance, a discreet camera model is preferable. In the same way, the cameras installed throughout the facility can be positioned in such a fashion that their presence is not so readily apparent, reducing the feeling of patients being monitored but yet visible enough to deter criminal activity by ‘outsiders’.

An upgrade of an existing surveillance system comes with a number of benefits, but it must be recognised at all times these are projects requiring detailed attention such that budget constraints are considered while the end user’s needs are matched (or indeed exceeded where and when possible). A network video surveillance system is both scalable and future proof. Correspondingly, the new IP-based systems can be connected to existing analogue surveillance set-ups thanks to video encoders which can cut costs. Built on open standards rather than proprietary systems, network-based video surveillance systems easily integrate with other solutions such as access control, intrusion and fire detection and building control regimes, etc.

It’s somewhat difficult to give a general recommendation in terms of specific products that ought to be installed in a healthcare facility. It really all depends on the particular needs of each facility and its end users.

Future trends in the vertical

As the world’s population continues to grow and hospitals find it increasingly difficult to provide rooms for all of their patients, this will eventually realise the need for a new market. It will likely become more commonplace for the elderly and sick people to stay at home and receive treatment and support from the comfort of their own environment. The use of network video surveillance plays an important role within the home care sector, making it possible for hospital staff to monitor patients remotely and take appropriate action where necessary. The use of network video surveillance cameras is seen as a flexible option for hospital deployments, and there’s no doubt that they do provide a picture of what the future holds.
Healthcare Security Solutions: Access Control
Healthy ID in Focus

Charles Balcomb outlines solutions specifically designed to help hospital and healthcare institution managers identify staff, patients and visitors, control access to sensitive areas and keep track of valuable assets

Today’s fully-automated systems allow hospitals and clinics to manage the issuance of ID cards. These come with software which securely stores personal data and photos and enables the operator to issue cards using a dedicated card printer/encoder. The cards are able to carry any number of ID technologies, such as magnetic stripe, barcode and smart/contactless chips. Incorporating more than one technology enables the cards to work with multiple systems such as access control, time recording, cashless vending and even loyalty/incentive systems. For their part, high-end card printers allow operators to encode the cards in-house.

Hospital RFID wristbands enable the easy reading of details without the need for moving patients. These, too, are usually provided with software to print directly or on to labels affixed to the wristbands.

For cleaners and contractors, rewritable cards offer a smart solution for significant savings in plastic card usage. These cards are made with a thermal recording material which allows them to be printed, erased and reprinted many times using a rewritable card printer. Minimal wastage and ribbon-free operation also help reduce the hospital’s environmental footprint. Pre-printing the cards with the hospital’s graphics and security backgrounds will make them harder to counterfeit.

Securing areas and equipment

For access to highly-sensitive areas, biometric systems offer a secure solution by way of fingerprint, palm, palm vein or facial recognition. Some of these systems work in conjunction with a card, whereby the data scanned by the reader is checked against the information held on that card.

Equipment may be protected through asset tagging. Hospitals play host to a wide range of assets, from high-value medical equipment through to medicines, all of which can be securely tagged and tracked using barcode and RF labels, cards and tags.

Today’s technology makes the challenge of securing hospitals readily achievable. There’s a solution for every aspect of security, and it’s particularly important for security and risk management professionals to take a global view of their own requirements.

Charles Balcomb is Managing Director of Databac Group
Healthcare Security Solutions: Lone Worker Protection
Calling for Consistency
As health workers become more mobile and provide further services out in the community, NHS Protect has completed a comprehensive survey of lone worker protection across the NHS in England. Unfortunately, there appears to be a wide variance in provision. Brian Sims reports
“We needed a comprehensive overview of the full range of lone worker protection systems and user groups out there in the National Health Service,” explained Sue Frith, managing director of NHS Protect in a recent statement. “This refreshes our understanding of the fast-changing lone worker services market and will inform important decisions in the years ahead.”

Pleasingly, Frith recounted that the level of response was excellent, particularly so in terms of feedback from acute trusts, mental health trusts and Clinical Commissioning Groups. Over 2,000 stakeholders in the NHS were contacted by the Health and Social Care Information Centre (HSCIC) while over 700 commissioned services were invited by NHS Protect to complete the survey. Data collection took place from January to April this year and the exercise was approved by the Standardisation Committee for Care Information (SCCI).

The data received was analysed for trends and several key findings noted. For example, badge holder-type lone worker devices (representing over 60% of the NHS market, in fact) remain more popular than key fob devices.

Assaults on NHS staff

Different sectors are experiencing very different levels of assaults on workers. According to this current survey, the sector with the lowest number of assaults (acute) has the highest usage of devices (at 73.83%), but many other factors may be contributing to that statistic. For its part, the ambulance sector has the lowest rate of lone worker device usage (41.67%). The mental health sector – where NHS staff suffer the highest assault rate – doesn’t have a higher rate of lone worker device usage to reflect that fact.

When it comes to their lone worker protection planning for the next two years, most NHS organisations are looking at lone worker devices (41%), training (40%), management systems (28%) and CCTV (31%). The lowest level of intention to improve lone worker protection is found among those organisations with the lowest level of current protection (29.4% for no devices versus 52.9% for some devices). On that basis, there’s a risk that the majority improve protection but a few organisations retain an insufficient level of protection without the desire to improve.

Employers identified their main barriers to improving lone worker protection in the near future as being a lack of funding (61.8%) and a scarcity of available resources (43.4%).

Sue Frith added: “These survey findings do suggest that there’s more work to be done such that the importance of lone worker protection is recognised and to ensure that a range of solutions are available. The national picture is that there are holes in the NHS safety net for lone workers. Employers across the NHS can be assured they will continue to have our full support in order to fix them.”

Specific recommendations

NHS Protect is now looking at the reasons behind differences in regional protection and aiming to highlight both Best Practice and risks by involving a number of organisations in the NHS and asking them specific questions. One of the options is to address these questions to the Lone Worker Steering Group organised by NHS Protect.

There’s also a desire to encourage organisations to understand the system they have in place and reassess it on a regular basis. NHS Protect could improve existing support and guidance and regularly review the relevant standards for providers of NHS services.

NHS Protect states that it’s key to find out why lone worker mobile phone apps are not always being used, and make organisations aware of their usefulness. NHS Protect actively engages with the Lone Worker Steering Group and suppliers to examine the effectiveness of systems and understand their scope. Investigating and targeting specific sectors to ensure that they have sufficient levels of lone worker protection is another point on the radar.
Healthcare Security Solutions: Security Management
The Complexities of Hospital Security

Multiple security systems that cannot communicate with each other waste hospital budgets and can also increase the possibility of security breaches. How, then, should hospital risk specialists approach the management of security? Tim Northwood offers some timely solutions

Tim Northwood: General Manager of Inner Range Europe

Managing security within a hospital environment is extremely difficult. In essence, hospitals need to ensure their chosen security system can deliver a safe and secure environment for patients and staff, ensure that high-value assets and secure areas are protected, allow flexible access control that can be overridden in emergency situations, provide the ability to centrally manage security across multiple sites and offer scalability for building or site expansion.

Burgeoning populations in many towns and cities across the UK have seen a great many hospitals outgrow their original buildings and facilities, leading to the construction of new blocks and sites located in different areas. This sporadic development has resulted in these hospitals having to manage and maintain a variety of access control and intruder detection systems, all working independently of each other with no central management.

With thousands of citizens visiting their local hospital on a daily basis, NHS Trusts need to ensure that they have efficient security in place to deliver a safe and secure environment. Unlike a corporate building, hospitals will have multiple entrance points, all of them requiring vigilant management. Without sufficient security such as CCTV monitoring or even panic buttons in place, staff and visitors can be left vulnerable, and particularly so during the hours of darkness.

Implementing a robust security system that can manage and control thousands of access points is critical for hospital environments. Integrating third party systems such as the aforementioned CCTV monitoring and panic buttons can allow a central security team to gain instant visibility of all access points and respond immediately to any panic alerts or reported incidents.

Protecting high-value assets

Implementing a role-based access control and intruder detection system as well as asset tagging is a simple way in which hospitals can manage the security of high-value assets and restricted areas. Asset tagging also provides an effective method for protecting such assets, notably those located on hospital wards where security needs to be that bit smarter. Sophisticated security systems have the ability to alert security teams if somebody attempts to take a tagged asset off site.

The same technology can be employed to tag babies in Maternity Units. If an incident occurred, the system would have the ability to automatically lock all exit doors to the Maternity Ward, thereby substantially reducing the possibility of any abduction incidents.

Although security is essential to a hospital environment, a system that’s too restrictive could endanger lives. In an emergency situation, staff may lose critical time if they have to request access through multiple doors. A suitable system can be set such that, in the event of a ‘Crash Alarm’ being activated, the system would intelligently unlock the correct series of doors.

Security across multiple sites

For hospitals with various sites, the cost of security can be high. If they don’t possess a central Security Operations Room from which all buildings may be monitored, hospitals will carry the expense of numerous security teams. Implementing an intelligent security system that’s able to manage multiple sites can substantially reduce the number of security personnel needed by hospitals. Furthermore, with just one Control Centre, the security team gains greater visibility of all security incidents and enjoys improved reporting functionality that can further reduce the loss and/or misuse of hospital assets.

Today’s superior systems will allow security solutions to be administered via smart phones and tablets, representing a highly desirable scenario for those hospitals with multiple sites where the security staff need to be mobile. Importantly, intelligent security systems will also allow third party integrations with other security and building management tools.
Healthcare Security Solutions: CCTV and IP Video
Caught on Camera

Theft, disputes over alleged malpractice or even the kidnapping of infants are just some of the threats posed within healthcare establishments. James Walker describes how CCTV/IP video surveillance can prevent or resolve criminality

Working from the outside in, surveillance systems are already used for perimeter protection. High-resolution surveillance cameras and multifocal sensor systems watch over every space and ensure that no unauthorised individuals enter hospital compounds. In most cases, the CCTV will be monitored by a designated gatekeeper or a member of the security team.

The openly accessible and mostly unlocked rooms in hospitals can make it an easy task for potential thieves to steal either equipment or patients’ personal belongings. Detailed images from high-quality surveillance cameras located in hallways, at emergency exits or near elevators will deter – or lead to a positive identification of – the perpetrator(s). Some systems incorporate intelligent search for motion within pictures such that the relevant image sequences may be found quickly and easily. It’s obviously key that the images recorded are accepted for evidential purposes in Courts of Law.

Too frequently, it seems, cases of new-born children being kidnapped from nurseries hit the headlines. Many hospitals will now employ designated video surveillance systems to make sure that no-one enters Maternity Wards unnoticed. Flexibility allows for the monitoring system to be connected to an access control solution such that no unauthorised individuals are permitted to gain access to the premises.

Malpractice or not?

Often, in the aftermath of failed surgeries or complicated births the question arises as to whether or not mistakes were made during procedures. Any such disputes can be resolved quickly and conclusively thanks to advanced video surveillance. Digital recording systems are frequently being used during surgeries for detailed post-op reviews at a later date.

In compliance with sanitary regulations, the recorder is not located in the operating theatre but usually in a separate room. Data protection is also guaranteed at all times. With regards to the pre-op discussion (which must take place before every surgery), the patient is made aware of the possibility to record the surgery and then decides whether or not he or she wants to make use of this facility.

James Walker is Managing Director of Dallmeier UK
Gate Safe Campaign Update: The Fifth Anniversary

Making Gates Safe

September 2015 witnessed the fifth anniversary of Gate Safe, the charity founded to address the need for a heightened awareness around the protocols required for delivering safe automated gates on site. By way of marking that five-year milestone, and following on from our March 2015 Q&A (‘Safety first’, pp31-32), Risk UK interviews Gate Safe’s founder and chairman Richard Jackson about the campaign’s plans for future development

Risk UK: What are you hoping to achieve by publicising the fifth anniversary of Gate Safe?
Richard Jackson: Since launch in September 2010, we’ve never really stopped our campaigning and, in many ways, last month was actually no different to any of the September months between then and now. However, we did recognise that September 2015 offered a valuable opportunity to reignite interest in the importance of automated gate safety and remind anyone who has responsibility for such a device to seek out the installation or maintenance services of a suitably qualified engineer. At present, industry experts estimate that over 90% of automated gate installations fail to comply with the latest legislation and could well pose a serious safety risk. On that basis, anything we can do to highlight the severity of the problem absolutely represents a worthwhile investment of our time.

Risk UK: Since the initial accidents reported back in September 2010, has interest in the campaign waned at any point?
Richard Jackson: At the outset, it’s fair to say the media spotlight was firmly on the subject of automated gate safety and Gate Safe’s campaign met with a very positive response. However, as time has gone on and other strong news stories have risen to the top of the national media’s agenda, sadly the issue of safety requirements for automated gates has fallen off the radar a little. This is despite the fact that, since those two first reported incidents, there have been five further deaths and seven ‘near miss’ accidents in the UK, not to mention 15 automated gate-related deaths overseas. These are just the cases which we have picked up on. In truth, there are likely to be countless more that have managed to avoid the media’s attention. From the independent audits that Gate Safe has undertaken, we’re fully aware that there are very few gates in the field that satisfy all the criteria necessary for delivering a totally safe installation. We know that another accident is just waiting to happen.

Risk UK: Given that scenario, what activity does Gate Safe have planned to embolden and spread the message?
Richard Jackson: We have put together a year’s worth of activity designed to highlight increased interest in the campaign. We kickstarted that programme last month by releasing a series of downloadable guides for end users in schools, architects, electricians and security system installers. Those guides provide outline instruction on the use of automated gates and the steps to be taken for a safe and legally-compliant installation. We will also be launching our Safe Gate Visualiser. This is an interactive infographic designed to help architects and specifiers identify the right form of safety for a range of automated gate applications. In terms of the media, a series of blogs were prepared for publication during September and beyond. We hope that our loyal supporters will share this content among their networks. Also, we’re working in conjunction with the Royal Society for the Prevention of Accidents on developing an educational video. We hope to be able to make an exciting announcement very soon following the launch of an online petition. Finally, it goes without saying that we’ll be heavily promoting our IOSH-accredited Gate Safe Aware training course throughout the next 12 months and more.
Richard Jackson: Founder and Chairman of Gate Safe
Risk UK: Have there been any subsequent developments in terms of the petition you organised and conveyed to 10 Downing Street in 2010?
Richard Jackson: One of the first outcomes of the initial Gate Safe Summit back in September 2010 was that petition to 10 Downing Street. In essence, we were asking for Prime Minister David Cameron’s support and guidance on the important matter of automated gate safety. Fast forward five years and we’re now requesting specific action. We believe that all new automated gates should be subject to planning permission and only installed by a suitably qualified professional. This would be a significant step towards regulating the industry and ensuring that new gates represent a safe and legally-compliant installation. In our opinion, it’s incredible that you need Building Regulations approval for cavity wall insulation, minor electrical work and replacing
a boiler, etc but not for installing major equipment such as electronically-powered security and access gates. If the correct installation guidance isn’t followed to the letter, such gates represent a significant and proven safety hazard. As stated, Gate Safe has launched an online petition to Government outlining our belief that automated gates should require planning permission. We’re hoping to gain as many signatures as possible and, ultimately, we would like to revisit Downing Street and hand deliver that petition to the Prime Minister. Any of Risk UK’s readers wishing to lend their support can sign up by visiting: https://goo.gl/9HCfVd

Risk UK: Does Gate Safe anticipate any forthcoming changes in the legal requirements for automated gates?
Richard Jackson: There are plans to review the EU Machinery Directive which applies to automated gates and, as such, we’ve already been involved in some detailed discussions with the relevant industry bodies as well as the Health and Safety Executive to canvass views on what we perceive to be critical factors that should be considered in any future amendments to the legislation. All that said, at this stage it’s too early to report on any planned changes.

Risk UK: Do you feel the Gate Safe message for 2015 differs in any way to that initially communicated back in September 2010?
Richard Jackson: Our core message remains the same. We’re still campaigning to make gates safer, and it’s very much the case that we’re continuing to encourage all those professionals involved in an automated gate installation to accept responsibility. In other words, we’re not just focusing on the installer community. It’s about messaging and informing anyone who has a professional
association with the industry. This includes architects and specifiers, gate manufacturers, gate installers, construction companies, surveyors, property management professionals, electricians and housing developers, etc. The court proceedings following the accident involving Karolina Golabek have provided Gate Safe with an even stronger ‘Call To Action’, since the case clearly reinforced the accountability of a number of ‘duty holders’ to ensure the safety of the gate. These included the architect, the main contractor, the installation business, the landlord and the maintenance company. In addition, the significant fines imposed on two companies – the company that installed the gate and the company responsible for the maintenance of that gate – for the part they played in breaching safety laws has sent out a powerful message to the industry. Those fines totalled £110,000 with an additional £80,000 levied in court costs. We’re now able to cite the moral, legal and financial implications for any business in the event that it’s held accountable for the legally proven part it has played in the delivery of an unsafe automated gate installation.

Risk UK: What’s immediately around the corner for the Gate Safe campaign?
Richard Jackson: Our ultimate goal is that we wish to see the Gate Safe campaign enjoying the same degree of widespread success that has been achieved to date by Gas Safe. We most certainly want a legal requirement put in place for automated gates which means that such security and perimeter protection solutions may only be installed by suitably qualified personnel. We would also like to see a system instigated whereby all automated gate installations require a safety certification scheme to be administered and include mandatory and regular routine maintenance checks.
Tested, Certified, Approved and Preferred. LPS 1175 SR1 to SR5 CERTIFIED
APPROVED FOR UK GOVERNMENT USE
PAS 68 CERTIFIED
Perimeter Intrusion Detection Systems
SBD POLICE PREFERRED SPECIFICATION
Innovative and proven perimeter security solutions from the experts. In the last 10 years, we have done more to respond to the changing landscape of physical perimeter security than any other company in the UK. That’s why today, we can offer the widest selection of LPS1175 and PAS68 certified, approved for UK Government Use and Secure by Design preferred fencing and gate solutions available; including unique designs combining timber with steel.
Timber and steel fencing
Vehicle and pedestrian gates
HVM
Bespoke solutions
Noise barriers
Pedestrian safety
Vehicle access and parking control
Access control
Secure storage
Find out more about how we can help secure your perimeter against a variety of threats by calling an expert on 0800 41 43 43 or visit us at jacksons-security.co.uk
Head Office: 402 Stowting Common, Ashford TN25 6BN.
www.jacksons-fencing.co.uk
ISO 27001: Managing Risk in Cyber Space

How prepared would your business be if it were forced to handle a potentially explosive data breach and the possible leaking of highly sensitive company information into the public domain? In reviewing last July’s much-publicised cyber attack on Hacking Team, Mike Gillespie assesses the fall-out from that episode and why companies should adhere to the contents of ISO 27001

Hacking Team – the Milan-based IT business that sells intrusion and surveillance capabilities to Governments, law enforcement agencies and corporations – was itself attacked in early July when the company’s Twitter account was infiltrated by an unknown individual (a character by the name of Phineas Fisher later claimed responsibility) who published an announcement of a data breach against Hacking Team’s computer systems. That initial message provided links to more than 400 Gb of data, including alleged internal e-mails and invoices. The first release of Hacking Team’s files and e-mails appeared to reveal highly sensitive information, including client base and source code details that then appeared in the public domain.

What was already a tricky situation for the company was then compounded by Hacking Team member Christian Pozzi’s rather hasty assertion that the torrent file being shared, and allegedly containing the aforementioned information, was laced with a virus and contained false information. In terms of the virus, some commentators on the matter have suggested that wasn’t the case.

Hacking Team represents an attractive target for would-be hackers, particularly so those who are ideologically driven. There have been allegations that Hacking Team may have dealt with the Lebanese Army and Sudan in addition to Bahrain and Kazakhstan. Hacking Team has always refuted such links and denied dealings with regimes and countries that do not, for instance, have Human Rights high on their agenda. There has been a long enquiry by the United Nations into Hacking Team’s alleged dealings with Sudan. This is the second known hack of this nature in recent times, with 2014 witnessing the attack on Gamma International (a subsidiary of the Gamma Group) – a business with a similar profile – and its FinFisher product.

The full content of the Hacking Team data exfiltration is not yet known, but this incident does already give rise to some burning questions. We cannot examine all of them here, but there are some that we certainly can address from a risk management perspective.

Successful attack vector

The name of the alleged hacker, Phineas Fisher, makes it sound as though he/she has used some form of phishing attack in order to penetrate Hacking Team. This is, after all, the most successful attack vector currently in use. It seems hard to believe that a security business could be ‘bested’ by a phishing email, but spear phishes can be well crafted. Once inside, it appears as though the hacker had free rein in the network and there was no protective monitoring in place to notify Hacking Team security of the exfiltration of that 415 Gb of data. As stated, the hack was announced on Twitter via Hacking Team’s own hacked Twitter account and on data dump site Pastebin, with the source code appearing on Github.

Thus far, there are three main issues and a couple of ancillary areas of concern that we’ve been able to establish. The former centre on apparently poor password hygiene, seemingly poor data segregation and the potential lack of an effective protective monitoring and/or possible Incident Response Plan. It’s also possible there’s a training issue if the quality of the phishing – if indeed it was a phish – was nothing less than flawless. Clearly, there’s a training lesson to be learned around general security awareness.

If national media coverage of this incident is accurate to date then the reputational damage for Hacking Team is – potentially, at least – immeasurable. Many of the company’s clients will now be fire-fighting the resulting fall-out.

Potentially explosive breach

How prepared is your business when it comes to handling a potentially explosive data breach and the possible leaking of highly sensitive information? There’s no suggestion here, of course, that any readers of Risk UK are involved in nefarious activities, alleged or otherwise, but there surely must be some lessons we can all learn from this incident?
The Security Institute’s View
What might businesses do to mitigate the risk that we’ve seen so comprehensively realised by this attack on Hacking Team? Let’s start by looking at the threat. We cannot build an accurate picture of the risk that anything represents if we’ve not first established it’s a threat. A comprehensive threat assessment that considers areas like activism and hacktivism as part of a range of realistic risks is essential. Many organisations could find themselves targeted in this way. For their part, tech businesses have generally come to be considered quite mature targets, tending to have more evolved and robust security postures and so representing a greater challenge for their would-be attackers. Sectors like pharma, the media and legal often find themselves targeted by politically or ideologically-charged attackers.

Knowing what to do next is the challenge because you now have to decide on the risk that each of these threats represents and build a mitigation plan. It would be of great help to have a security framework on which to hang this activity, make sure nothing is missed and ensure that it’s absolutely fit for purpose and usable. An annual threat assessment is a bare minimum requirement to identify sources and their modus operandi. Without this, future risk assessments are flawed and not fit for purpose.
ISO 27001: the key detail

ISO 27001 has been with us since the mid-1990s and has subsequently become the de facto standard for information security. Constantly reviewed and refined by a global group of security specialists, ISO 27001 looks at security holistically, covering people, places, policy, process and technology. It views security as a business issue with risk management at its heart and removes assumption from the process of addressing vulnerabilities to secure information assets. Indeed, assumption and apathy are the enemies of good quality security.

For its part, ISO 27001 includes security principles on a number of key elements. Classification of information assets by the asset owners so that more sensitive information receives a greater layer of protection as appropriate is a ‘must’. This should include network segregation and limiting access to certain areas of the network or only to those who need it.

Password quality and hygiene is a key part of ISO 27001. Ensuring users have complex, non-repeated passwords that are regularly changed is a security basic. Placing them in plain text in a .txt file is not a good way to keep them.
There are a variety of password keeper applications available if required, or a user can even encrypt the file.

The deployment of appropriate technical and procedural controls to enable the early detection of potential attack is vital. Look at protective monitoring, your incident response team and Incident Response Plan (including lockdown procedures if necessary and proportionate). Protective monitoring should cover outbound and not just inbound traffic in order to detect data exfiltration (ie the inappropriate movement of large-scale data). Also, deploy a range of anti-malware controls to detect potential malicious activity and either isolate or quarantine it. This would help mitigate the risk from phishing and ‘drive-by’ infection.

Integrate appropriate security considerations into change and configuration management processes. This will help identify any potential for security vulnerabilities to be introduced as part of a change or modification around a given system’s configuration.

Regular use of vulnerability scanning and penetration testing tools by properly qualified internal staff will enable early detection of vulnerabilities and allow them to be remediated. Perform trend analysis on VS/PT reports to identify commonly recurring issues that could be indicative of a breakdown of internal processes (ie regularly detecting unpatched systems could mean that your patch management policy and processes are flawed and need to be fixed). Speaking of patches, make certain that you have a good and timely patch management regime in place covering all systems.

Last, but by no means least, don’t forget your Business Continuity and Recovery Plan. Making sure that business can continue as usual (or as close to normal as possible) subsequent to an incident is absolutely crucial. Take account of how you’re planning to handle any reputational damage and bad PR.
As recommended within ISO 27001, having a good quality information security management system in place is not only logical from an asset protection perspective, but it also offers a business advantage for those seeking to widen commercial partnerships, gain new clients or possibly work with the Government or an element of the public sector.
Mike Gillespie MSyI: Director of The Security Institute and Founder of Advent IM
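The article's point that protective monitoring must cover outbound traffic can be made concrete. The following is an added example, not code from the article or from ISO 27001: it totals each internal host's daily bytes sent to external addresses and flags days far above that host's own baseline. The flow-record shape, address ranges, thresholds and sample data are all assumptions constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumptions for this sketch: the internal address space, thresholds and the
# (day, src, dst, bytes) flow-record shape are illustrative, not from the article.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MIN_BASELINE_DAYS = 5            # days of history needed before judging a host
MAD_MULTIPLIER = 6.0             # how far above the median counts as abnormal
FLOOR_BYTES = 1 * 1024**3        # never alert on less than 1 GiB/day


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_outbound(flows):
    """Total bytes per internal host and day, counting external destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def find_exfil_candidates(flows):
    """Flag host-days whose outbound volume far exceeds that host's own baseline."""
    alerts = []
    for host, by_day in daily_outbound(flows).items():
        baseline = []  # earlier, non-flagged daily totals for this host
        for day in sorted(by_day):
            total = by_day[day]
            if len(baseline) >= MIN_BASELINE_DAYS:
                median = statistics.median(baseline)
                mad = statistics.median(abs(v - median) for v in baseline)
                spread = max(mad, 0.05 * median)   # avoid a zero-width band
                threshold = max(median + MAD_MULTIPLIER * spread, FLOOR_BYTES)
                if total > threshold:
                    alerts.append({"host": host, "day": day, "bytes": total,
                                   "baseline_median": median})
                    continue  # keep the anomaly out of the baseline
            baseline.append(total)
    return sorted(alerts, key=lambda a: (a["day"], a["host"]))


def build_sample_flows():
    """Constructed sample data: eight days of flow summaries for two hosts."""
    MB, GB = 1024**2, 1024**3
    flows = []
    for n in range(1, 9):
        day = f"2015-07-{n:02d}"
        # Workstation: roughly 200 MB/day of ordinary web traffic.
        flows.append((day, "10.0.5.23", "198.51.100.10", (190 + 3 * n) * MB))
        # Off-site backup server: large but steady, so it is its own normal.
        flows.append((day, "10.0.9.2", "198.51.100.77", 50 * GB + n * MB))
        # Inbound download and internal copy: big, but not outbound to external.
        flows.append((day, "198.51.100.10", "10.0.5.23", 8 * GB))
        flows.append((day, "10.0.5.23", "10.0.9.2", 20 * GB))
    # Day 8: the workstation also pushes 60 GB out in three chunks.
    for _ in range(3):
        flows.append(("2015-07-08", "10.0.5.23", "203.0.113.50", 20 * GB))
    return flows


if __name__ == "__main__":
    for a in find_exfil_candidates(build_sample_flows()):
        print(f"{a['day']} {a['host']} sent {a['bytes'] / 1024**3:.1f} GiB "
              f"(baseline median {a['baseline_median'] / 1024**2:.0f} MiB)")
```

The per-host baseline is what keeps the steady 50 GB/day backup server quiet while the workstation's sudden 60 GB day is flagged; a single site-wide volume threshold would get both wrong.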
Manual Call Point Misuse? Problem Solved!
Every false alarm is costly, disruptive and detrimental to safety. It may also affect customer service, productivity or the general routine of any organisation.
Safety Technology International (Europe) Ltd For more information please contact Sales: Telephone 01527 520999 info@sti-europe.com I www.sti-europe.com
The Euro Stopper® is an effective deterrent in helping to significantly reduce false alarms, saving time and money. Quick and easy to install and protecting within minutes, when lifted, a powerful 96 dB integral alarm is activated drawing immediate attention to the area and a prankster will either run or be caught.
New safety feature! The Euro Stopper frame now ‘glows in the dark!’ Call Sales to find out about this new innovative technology
MANAGEMENT SYSTEMS
Assessed to ISO 9001 LPCB ref. no. 653
EN54-11 Cert no. 653a/01 ReSet Series 01
solutions for a safer world
CONTRACT SECURITY SERVICES LIMITED CASH & VALUABLES IN TRANSIT (CViT) SERVICE PROVIDER CASH PROCESSING & BANKING SERVICE (INCLUDING COLLECTION AND PROCESSING FROM CAR PARK MACHINES)
CASH CONSOLIDATION SERVICE SECURITY GUARDING AND MOBILE PATROL HEAD OFFICE: CHALLENGER HOUSE 125 GUNNERSBURY LANE LONDON W3 8LH T: 020 8752 0160 F: 020 8992 9536 E: info@contractsecurity.co.uk www.contractsecurity.co.uk
SALES: T: 01622 792639 F: 01622 882084 E: sales@contractsecurity.co.uk
DEPOTS: Brentford, London | Larkfield, Kent | Andover, Hampshire
In the Spotlight: ASIS International UK Chapter
ASIS/ANSI/RIMS and Risk Assessments

Security and risk specialists are tasked with making informed risk management-based decisions. With future threat scenarios often difficult to predict, though, this process can sometimes prove to be a difficult task. Thankfully, the new ASIS/ANSI/RIMS standard focuses specifically on risk assessments. Dr Allison Wylde has the overview

Developed by ASIS International in conjunction with the Risk and Insurance Management Society (RIMS)* and accredited by the American National Standards Institute (ANSI), Risk Assessment Standard RA.1-2015 [1] highlights the timeliness of ‘getting risk management right’. The document is complementary to the ISO 31000:2009 Risk Management Standard [2] and provides a generic model for conducting risk assessments (including impact assessments).

The strength of the standard is drawn from the expertise and input of more than 250 cross-disciplinary international security practitioners. On that note, Dr Marc Siegel (commissioner for the Global Standards Initiative at ASIS International) commented: “Just like an Italian recipe, the standard tells you what to think, but lets you tailor the approach to the needs of your organisation.”

The standard itself is set out in seven chapters – followed by seven appendices – comprising detailed guidance for applying risk assessments and potential treatments. The document begins by introducing the important principles involved: impartiality, independence, objectivity, trust, competence and due professional care, honest and fair representation, responsibility and authority, a fact-based approach and the need for building-in change management and continual improvement to risk assessments.

To elaborate, the section on trust, competence and due professional care focuses on ensuring that activities in risk assessments are conducted with “honesty, integrity, diligence and responsibility”. Also, RA.1-2015 states that the “assessor’s technical competence and integrity” should provide “confidence” for interested parties. In the context of this standard, competence concerns the ability to apply the “knowledge, experience and skills to achieve the intended purpose and accurate results”.

Professional care and integrity

Due professional care should be exercised when risk assessments are conducted along with integrity which “provides the foundation for professionalism and trust”. An awareness of – and compliance with – applicable legal, regulatory, safety and security requirements should be demonstrated. The standard also recognises that many organisations may have an established Code of Ethics in place that sets standards of conduct in the performance of work and that, in order to instil trust, an assessor’s ethical principles and integrity may be codified by a formal set of ethics (including the overriding need to address issues of practitioners’ “competence, independence, diligence, honesty, integrity, impartiality and confidentiality”).

The standard continues by presenting sections on managing a risk assessment programme, including the steps involved in understanding the organisation and its objectives, establishing the framework, configuring the programme itself, implementing the risk assessment programme, monitoring the same and then reviewing it with a view to making improvements. The following section sets out the processes involved in performing individual risk assessments. There’s plenty of interesting discussion around planning and then conducting the risk assessment activities followed by an overview of post-risk assessment activities. This section also includes the necessity of confirming the competence of risk assessors. The final section addresses issues surrounding competence.
Dr Allison Wylde FRGS DIC (Imperial): Member of the ASIS International Commission on Standards and Guidelines
The appendices set out the detailed risk assessment methods, starting with conducting a risk assessment, the data collection and sampling (including the types of interactions, assessment paths and sampling methods). The second appendix considers root cause analysis, focusing on techniques and the key ten steps to take. The third appendix centres on background screening and security clearances, with detail around background checks and procedures, interviews and privacy protection. The next two appendices set out the detailed contents of the risk assessment report together with issues of confidentiality and document protection. The final two appendices include examples of risk treatment procedures that enhance resilience of the organisation, such as the procedures of prevention and mitigation, response, continuity and recovery. The final appendix is all about business impact analysis. Designed as a useful resource for security and risk management practitioners, the appendices provide a wealth of detail.

Root cause analysis

Root cause analysis was developed in the safety and engineering disciplines and traditionally associated with ‘after the event’, rearwards-looking reactive assessment following a major risk event or loss. In contrast, RA.1-2015 presents a root cause analysis approach to forecasting risks by drawing from the technique’s investigative capabilities.

Following on from a significant loss as a result of a process failure resulting in damage or injury, or a planned activity that has failed to achieve its outcomes, a root cause analysis may be conducted to identify any trigger and/or failure modes. For reference, a trigger is viewed as ‘something’ that may cause ‘something unwanted’ to occur. It may come about – as an unintended consequence – due to a change management programme.

The simplest form of root cause analysis is most useful in examining basic cases of failure and undertaken through the process of ‘Five Why’s?’ (5W). The 5W approach is based on systematically asking ‘Why?’ a factor may have contributed to an event. This process continues by asking ‘Why?’ until such point that the process is exhausted and no further explanation can be identified.

More complex failure events may require a ‘Cause and Effect’-style Ishikawa approach involving the classic fishbone diagram. Here, the ‘Cause and Effect’ factors are mapped out to the multiple risk drivers that may be involved, subsequently allowing for a somewhat more detailed analysis.

RA.1-2015 illustrates the benefits of using root cause analysis techniques on a strategic basis to identify potential sources of risk. By developing a picture of potential risks, planners are able to better incorporate risk treatment activities right up front rather than as an ‘add-on’ after the fact. This ‘up front’ approach shifts the question from what caused the problem to what might cause something to fail, allowing the more important question of what will cause something to succeed to be explored in greater depth.

This type of analysis can also draw on other well-established management analysis tools like a force-field analysis – specifically designed to identify the drivers in the business environment – and influence analysis. Finally, how root cause analysis can potentially help a forecasting analysis to identify solutions following the study is then explored. To summarise, investigators are encouraged to seek answers to the identified issues and, in doing so, may identify potential unintended consequences as well as potential untapped success drivers.

Toolkit for risk managers

The inclusion of analytical tools and techniques in RA.1-2015 offers a welcome toolkit for risk and security managers. It’s also worth bearing in mind the ‘bow tie’ approach. This provides a visualisation – in the shape of a bow tie – which helps the analysis and identification of causal relationships that may exist around a particular risk or threat [3]. Taken together with ISO 31000:2009 and ISO 31010:2009 [4] on risk assessment methodologies, RA.1-2015 certainly offers a comprehensive approach to risk assessment, allowing practitioners to address their own organisational needs, practices and contexts.

*Founded in 1950 and headquartered in Manhattan, the Risk and Insurance Management Society is a professional association dedicated to advancing the practice of risk management. The organisation represents over 3,500 industrial, service, non-profit, charitable and Government entities across 60 countries worldwide and serves more than 10,000 risk management professionals based around the globe

References
[1] ASIS/ANSI/RIMS (2015), ‘Risk Assessment Management Standard’, ASIS International
[2] ISO 31000:2009 ‘Risk Management’, ISO Copyright Office
[3] Talbot J and Jakeman M (2009): ‘Security Risk Management Body of Knowledge’, Systems Engineering and Management Series, Wiley
[4] ISO 31010:2009 ‘Risk Management: Risk Assessment Techniques’, ISO Copyright Office
Integrating, monitoring and protecting
The risks faced may change but Reliance High-Tech remains one step ahead. For over forty years we have been trusted by government departments, major corporations and private customers to provide protection at the highest level.
Innovators in security technology
From physical security, emerging cyber-threats, advanced PSIM to smart monitoring services; we work hand-in-glove with customers to ensure total protection. So whatever the threat or challenge at Reliance High-Tech we have the expertise, experience and resources to deliver the best solution. Call us now to discuss your requirements in strictest confidence.
0845 121 0802 www.rht.co.uk
An Historical View: Fire Protection in Heritage Buildings

Heritage buildings offer unique challenges for the fire safety professional. They seldom possess any significant fire engineering within and are frequently used for a purpose completely different to the original intent. Set within this context, Graham Simons assesses Best Practice for fire alarm, signage and emergency lighting provision

When it comes to heritage buildings, in addition to the safety risks posed to members of staff and the visiting public, there are also concerns around the often irreplaceable nature of such structures and the artefacts within. The devastating fire at stately home Clandon Park earlier this year represents a classic case in point. This 18th Century mansion in Surrey is a Grade I-listed building dating back to the 1720s that has been managed by the National Trust since 1956 and contained historic furniture, porcelain and textiles. Last April, a fire began in the basement of the building and quickly spread to the roof. Surrey Fire and Rescue Service attended with 16 fire engines and 80 personnel. Despite their best efforts, the structure was severely damaged. The roof eventually collapsed and, in doing so, destroyed most of the interior. Only one room remained intact. Fortunately, no-one was injured during the incident.
Fire detection and alarms
Graham Simons: Technical Manager at the Fire Industry Association
Throughout the UK, fire safety law requires the provision of ‘means for detecting fire and giving warning in case of fire’. Premises must be ‘equipped with appropriate fire detectors and alarms’, but the legislation doesn’t tell us any more than that. The diligent fire risk assessor will most probably refer to BS 5839-1 and recommend a ‘category’ of system. This Code of Practice takes a broad brush approach and, as such, doesn’t give specific advice for heritage buildings. Neither the law nor the Code of Practice states how fire detection and alarm systems should be installed and remain sensitive to the historic nature of these buildings.
Clearly, we don’t want red cables or conduit visible on classic facades. That being so, wireless systems would appear to offer an obvious solution. Early criticisms citing problems with reliability and battery life don’t apply to today’s contemporary systems. However, wireless systems are not invisible. By their very nature, Call Points must be clearly visible but there’s no reason why detectors and alarm devices shouldn’t be virtually invisible. A point-type smoke detector in the middle of a ceiling would not look out of place in a modern building but would be so in a heritage building, particularly one with ornate ceilings. Some companies are able to provide elaborate customisation of detectors with patterns and colour matching so that systems will be more discreet and merge into the decor. Low profile virtual chamber smoke detectors also offer a more discreet solution.
Two other solutions spring to mind: aspirating detection and beam-type smoke detection. With an aspirating system, the detector can be remote from the protected area and connected to a sampling point by means of a small diameter pipe. The sampling point can be a small hole concealed among the ceiling decoration, while the pipe may be run in either floor or roof voids and the detector positioned where the public don’t go. A beam-type smoke detector consists of an infrared transmitter and a light sensor receiver. The sensor measures the light level from the transmitter. In some cases, they’re combined in a single unit with just a reflector on the opposite wall. These have a proven track record in big open spaces. The transmitters and receivers are quite small and can often be concealed in galleries and decorative coving.
Audible alarms – ie bells and sounders – are usually red or white but there are no rules which say they must be. Care in placing them should make them unobtrusive, if not invisible. When providing fire alarm signals it will also be necessary to consider that some members of the public may be deaf or hard of hearing. If the emergency evacuation procedure requires the use of visual alarm devices then they must be compliant with EN 54-23. However, there are alternatives to fitting these throughout the building such as providing members of the public with tactile devices to alert them of a fire. Some parts of the building, such as the toilet facilities, are probably less aesthetically sensitive but more likely venues for visitors to be left alone. Such scenarios may require a visual alarm device.
Law on emergency lighting
The law on emergency lighting is clear: ‘Emergency routes and exits requiring illumination must be provided with emergency lighting of adequate intensity’. As all escape routes require illumination, this could be very extensive. They would include corridors, stairs, immediately outside (final) exit doors and open areas where people may congregate. It’s worth bearing in mind that required emergency lighting levels have increased dramatically since the late 1990s. Regrettably, enforcers and installers were somewhat slow to realise this, which means that most emergency lighting systems in heritage buildings remain lamentably poor.
FIA Technical Briefing: Fire Safety in Heritage Buildings
For emergency lighting to be implemented sensitively and not spoil the heritage environment, it’s best for it to be integrated within the normal lighting at the design stage. If this cannot be done there are many light fittings on the market that can help such as very small luminaires with remote batteries or decorative fittings made of metal and glass. Spotlights may be used for large open spaces such as cathedrals. These can be mounted remotely from the area to be lit and, being relatively small, hidden away among the wall decoration. Such emergency lighting solutions do not make fittings invisible, but would certainly render them less obtrusive.
Signage and emergency exits
The law states: ‘Emergency routes and exits must be indicated by signs’. It’s crucial to determine where the escape routes are as not every final exit is an emergency exit. A sign should be placed at every designated final exit. Additional signs are then strategically located to lead people through the building to a place of relative safety and escape.
Design of the signage is governed by EU regulations. These require a green rectangle with white pictograms. There are two types you can use: British Standards and European Standards-approved. The former sign shows a figure running through an open door, a direction arrow highlighting the direction of travel and supplementary text stating ‘Exit’, ‘Fire exit’ or ‘Emergency exit’. Note that the text is all lower case except the first character. For their part, the EU signs show a white rectangle representing a door, a figure apparently running towards the door and an arrow pointing at the exit. Either design is acceptable but you should be consistent and only use one design throughout. Size is important, too. The bigger the viewing distance, the bigger the sign. Most suppliers can offer end users good advice on this.
You’ve likely seen what are known as ‘mandatory’ signs. These are blue circles with white symbols or text. The most common one reads: ‘Fire door keep shut’. They’re called ‘mandatory’ because they’re giving a specific instruction and not for any legal reason. Do you need them on every fire door? Broadly speaking, it’s a good idea because it provides a reminder to everyone to keep the door closed.
If a given door is aesthetically or historically very sensitive, it may be prudent not to stick a mandatory sign on it. This would be acceptable as long as you take reasonable measures to ensure the door is closed when not in use. Those measures would include staff training and the provision of written instructions.
Fire safety equipment
Fire safety equipment should be easily accessible which means that signs are very often required. Fire alarm Call Points tucked away out of sight should be linked with signs indicating exactly where they reside. Interestingly, the law states that any non-automatic firefighting equipment should be easily accessible, simple to use and indicated by signs. That implies every fire extinguisher ought to have a sign. This begs the question: ‘If you cannot see a big red extinguisher, how are you going to see the sign?’ Operators of heritage buildings are often tempted to put extinguishers out of sight. Most people see extinguishers every day in workplaces and public buildings and, for the most part, develop a blind spot to them. If you’re tempted to hide them, you must still indicate their location with signs. Suppliers often render information about an extinguisher and its uses with the equipment sign. While not mandatory, this is useful. It’s far easier to read the sign on the wall than the information on the side of an extinguisher.
So… What’s your plan for December 2015?
COUNTERING THE THREAT
THE GLOBAL EVENT FOR TRANSPORT SECURITY LEADERS Secure movement of people and goods in: ■ Aviation Security ■ Maritime Security ■ Rail Security ■ Secure Transportation ■ Major Events Transport Security ■ Border Security
REGISTER FOR YOUR
FREE TICKET TODAY
OFFICIAL SHOW PARTNER
200 EXHIBITORS | FREE CONFERENCES SECURITY INNOVATION SEMINARS | NETWORKING www.transec.com
#TRS_expo
Security Services: Best Practice Casebook
Taking Good Care of Security: Guarding Solutions for the Hospital Environment
Any hospital must protect its reputation and, most important of all, the safety of patients, visitors and staff alike. To achieve that status quo, suggests David Pike, the internal management team needs to work closely with an experienced solutions provider in realising a professional and reliable security service for all concerned
The mere mention of a hospital visit can conjure up a range of unwelcome emotions: anxiety, apprehension and even dread. Spare a thought, then, for those who work within our hospitals and the challenges they face on a daily basis. The members of staff and security teams who diligently ensure that our care is second to none and our well-being continually preserved.
Of course, security needs will vary depending on the hospital concerned and where it’s located. Put simply, the larger the hospital, the more complex the kind of situations that may be encountered. Certainly, those working within inner city hospitals and mental health facilities face the biggest challenges. Some locations harbour emergency treatment centres while others serve as specialist clinics. That being so, the security services provided must be adjusted accordingly depending on the needs of the facility.
Healthcare security officers’ roles within hospitals can involve many and varied responsibilities. These range from monitoring CCTV and managing the car parks through to assisting healthcare staff when necessary. What makes these roles so challenging is the unique environment a hospital creates. It’s the additional elements of emotion, vulnerability, abuse and, on occasion, the possibility of violent conduct being perpetrated upon them that demands extra care and attention on the part of team members.
Security officers can face numerous challenges. Whether they’re dealing with a patient under the influence of drugs or alcohol or those with mental health issues, officers need specific qualities to handle such scenarios in an efficient and effective manner. In each case, failing to make the correct decision could have disastrous – maybe even lethal – outcomes and place NHS Trusts and managers at risk of complaints and litigation.
Need for bespoke training
On a daily basis, healthcare security officers may be called to manage emotional, frightened, desperate and vulnerable people and potentially volatile situations. Consequently, they need training that affords them an understanding of why people can behave, often uncharacteristically, in unusual, disruptive and aggressive ways when they find themselves in a hospital environment. Examples would include people with dementia, learning difficulties or drug addiction problems or those affected by recent bereavement.
Security officers working in the healthcare sector should receive training in control and restraint (ideally refreshed on an annual basis rather than the three-yearly legal requirement), first responder negotiation skills (for tackling suicide attempts) and instruction in the Mental Health Act 1983 (re: dementia) and the Mental Capacity Act 2005 (again re: dementia). They should also learn about securing an open space environment, customer service skills, risk assessments, fire warden skills (to London Fire Brigade standards), awareness of the Care Quality Commission and how officers’ actions affect the Trust and, last but not least, environmental sustainability.
Security officers cannot be expected to respond in a calm and patient-centric manner without such essential knowledge and, although officers will not be able to diagnose mental health issues, it’s important that they’re able to recognise the characteristic signs of
David Pike: National Account Manager for the Healthcare and Education Sectors at Securitas
mental ill health and learning difficulties. This helps to ensure their attitude and approach is always appropriate to each patient’s needs. Officers must put the patient first, listen before acting and, when necessary, show bravery in the face of difficult or otherwise dangerous situations.
Access control provision
In addition to visible security personnel, access control systems can play a key part in protecting hospitals against crime. With expensive equipment and medicines on the premises, together with a large number of visitors accessing the site every day, hospitals can – and do – face a number of threats. A great deal of IT equipment containing sensitive patient data is usually on site, not to mention the personal possessions of staff, patients and visitors alike. That’s why hospitals can be targeted by thieves. This has resulted in a growing number of hospitals turning to access control systems for extra protection.
Strategically placed CCTV cameras mean operators can keep watch over hospital entrances, ready to intervene if the need arises. Since those operators are able to visually verify an incident, there’s no delay in sending assistance to the scene when it’s needed. Intelligent analytics can prevent trouble at any time of the day by monitoring footage in real-time and triggering human intervention based on pre-defined criteria. Not only do analytics automatically flag intrusions, but they also notice more subtle behaviour like a person or vehicle trying to sneak through a checkpoint behind authorised personnel. They can even make access control run more smoothly with licence plate recognition and automated authorisation. Thanks to the introduction of smart technology and efficient practices, remote entry/exit management can actually reduce resource demand while at the same time creating a safer environment.
In the danger zone
For our part, Securitas works with numerous NHS Trusts across the UK providing bespoke services including security guarding, mobile response, remote monitoring, key holding, access control and specialised monitoring including close personal supervision for
patients who demonstrate significant levels of violence or aggression. One such example saw our officers working at Barnsley Hospital NHS Foundation Trust being on duty 24/7 over a 12-week period to protect Trust nursing staff and other patients from a violent patient who committed physical assaults. These assaults consisted of thumping, kicking, biting and scratching whenever nursing contact was required. During the latter part of the treatment phase, the patient would regularly spit at the officers and staff and was later diagnosed with a transferable blood-borne complaint. This protective duty and the regular physical contact meant that a number of officers had to receive treatment from the Emergency Department and use special protective equipment. Back in August 2009, we were awarded the contract to provide security solutions for the Northumberland, Tyne and Wear (NTW) NHS Foundation Trust. The Trust was looking towards greater control of its security provision across the seven NTW NHS Foundation Trust hospitals through one provider. There was a keen desire to achieve greater efficiencies and replace the need for NHS night-time porters. However, the concern was that any new solutions provider would suffer from a lack of knowledge of all the sites. Finding a solution to this issue would be critical when it came to delivering a successful solution.
Thorough induction programme
The initial contract was to provide security solutions for the seven NTW NHS Foundation Trust hospitals. A thorough induction programme for all security officers ensured that the new team soon became very comfortable working within the unique environment of a mental health hospital. The team members spent time with nurses and patients and gained a greater knowledge and understanding of the needs of all parties. As the contract developed, it was key to its success that Securitas and the NTW NHS Foundation Trust worked closely together in order to adapt and innovate as the need arose. This co-operation led to us providing a host of extra services within the scope of the contract across the seven hospitals.
The core purpose of the security function on this particular assignment is to act as a visible deterrent. This is achieved through regular and focused night-time patrols. In addition to carrying out these patrols, we’ve worked with the NTW NHS Foundation Trust on providing extra duties and assistance, in turn adding further value to the contract for the client.
EARLY BIRD SAVINGS Book your delegate place by 20th September 2015 and save with the Early Bird!
The National Security & Resilience Conference, hosted by the National Security & Resilience Consortium (NS&RC), will help you identify the future threats to your organisation and help you strategise and plan for your business security and resilience. For further information, conference programme and registration details visit www.nsr-conference.co.uk
Organisational security and resilience in today’s climate of extreme threats
National Security and Resilience combines national security needs with an in-depth understanding of the design and implementation of resilience solutions. Working collaboratively and cooperatively to provide unique, world-class security and resilience solutions in the face of increasing natural and man-made risks and threats to Governments, corporate organisations, major events, transport systems and critical national infrastructure.
Opening Keynote Speakers include:
– Tony Porter, Commissioner, Surveillance Camera Commission, Home Office
– Richard Barnes, Former Statutory Deputy Mayor of London
Speakers include:
– Phil Luxford, Director Prepare Protect and CT Science, OSCT, Home Office
– Tim Cutbill, Programme Lead, London Resilience
– Commander Wayne Chance, Commander Operations, City of London Police
– Gary McManus, Project Genesius, Metropolitan Police
– Phil Sherwood, Head of Volunteer/Workforce, Olympic Games
– Senior Representative, CERT-UK
– Mike Fuller MBE, Director for Global Resilience and advisor to National Olympic Security Coordination Centre
– Chris McIntosh, CEO, ViaSat UK
– Paul Sawyer, Managing Director, XIX Group
– Tony Maher MSyI, MInstLM, Head of International Secure Minds Training Academy (ISMTA)
For full speaker details, programme and to register visit www.nsr-conference.co.uk
Preparing your organisation for what lies ahead - securing your business future Owned & Organised by:
www.nsr-conference.co.uk
Turning Cyber Security into Cyber Defence
Increasingly sophisticated targeted attacks in the virtual space combined with an ever more complex security environment mean that cyber security as a technology issue must now be supplemented by cyber defence as a risk management issue. As Dave Palmer correctly asserts, ‘immune system’-inspired cyber defence technology is now rendering this possible for today’s host organisations
Security and IT professionals absolutely recognise that the risk of data breaches – and the risk emanating from such breaches – is growing constantly. As businesses migrate more and more vital information to networks that are increasingly porous, they place themselves at risk of suffering the release of confidential data or, worse still, malicious modification of the data itself. Some of these breaches may be opportunistic, but the majority of the most serious ones are targeted attacks on specific organisations by organised criminals, ‘hacktivists’ and, in some sectors, states.
Targeted attacks have become easier to execute in the past few years due to the sharing of malware and hacking techniques on ‘The Dark Web’ to the extent that even a relatively inexperienced attacker will often have access to software tools designed by much more skilled individuals. As the cost and difficulty of carrying out a major data breach falls and more business moves online, it becomes more and more attractive for organised criminals to focus on identity theft and the hijacking of financial and user data for the purposes of fraud.
‘Hacktivism’ has exploded in popularity as an avenue of attack against organisations for a wide variety of reasons. Some hacktivists are seriously political in nature and deliberately attack organisations for clearly stated reasons – a concern for privacy or opposition to fossil fuel extraction, for instance. More disturbingly, many have views and motivations that are all but incomprehensible, making it hard to know beforehand whether any particular organisation is at risk.
Most dangerous in some industries is the fact that states are now seriously involved in the business of attacking not just other states but private organisations as well. This should be particularly worrying for those businesses with connections to national security and Critical National Infrastructure, among them engineering, energy and transportation companies, but in reality the danger is somewhat broader than this. Many cyber attacks now reach their intended targets via other organisations, such that a hostile state attacker might, for instance, attempt to breach a law firm in order to reach the detail of the energy company that legal concern represents. As the catastrophic Sony breach showed last year, no sector is entirely safe from this kind of sophisticated attack.
Balancing risk and interconnectivity
Today’s companies face a dilemma in balancing the growing risk of security breaches with the benefits of interconnectivity. Business efficiency is served by increased openness in many dimensions. For example, supply chain companies may be assisted by having access to a company’s inventory. Also, external contractors and consultants often require access to one or more aspects of a corporate network. Once a third party is given access to the network, though, security is only as good as that of the third party – something over which organisations have little control and next to no real and/or meaningful oversight.
This also increases the danger posed by ‘The Insider Threat’ which, in basic terms, remains as serious a problem as ever. Outsiders may gain legitimate insider access to large amounts of sensitive data belonging to organisations whose goals and values they do not share.
Meanwhile, Bring Your Own Device (BYOD) policies look good from a financial perspective – at least in the short term – but they can open up organisations to a huge potential attack surface. Mobile devices remain a small proportion of overall attack vectors, but with the proliferation of BYOD policies this will surely change. The full extent of the potential security risk from mobile devices is only now beginning to be fully understood with the discovery of serious vulnerabilities like Stagefright.
Ultimately, the problem is that this increasing openness is a necessary part of the efficiency
Cyber Security: Targeted Attack Defence Mechanisms
and flexibility required to be competitive in today’s business world. Reducing the risk of a data breach by locking the network down may therefore put the organisation at risk of losing market share to competing companies by dint of waning efficiencies in other dimensions.
Old method isn’t working
There’s no way of resolving this dilemma with traditional cyber security technology. The traditional approach treats security as akin to defending a castle from siege – damage is prevented by keeping attackers out. Increasingly, this approach simply doesn’t work. It’s an old adage that security personnel need to be right every time and attackers only need to be right once. That imbalance has only been amplified by the growing number of subtle and targeted attacks, not to mention the necessity for corporate networks to be increasingly permeable.
Corporate networks cannot be secured in any meaningful way. The unfortunate fact is that the only way to ensure total security for a network is to disconnect it from the Internet, or even shut it down entirely. A network belonging to any organisation with sufficient size or visibility to make it a potential target for determined attackers must be assumed to be compromised in some way unless proven otherwise.
We should not conclude that traditional cyber security is unnecessary, but we should realise that, on its own, it simply isn’t enough. Cyber security as a technical issue must be supplemented by cyber defence as a risk management issue. The cyber defence approach is based on the assumption that the ‘perimeter’ of firewalls, anti-malware software and so on is trivial to breach in any serious targeted attack. The way to approach cyber defence, then, is to attempt to balance the risk of a serious data breach against maintaining the openness, convenience and free flow of information necessary to do business both efficiently and competitively in today’s world.
The Immune System Approach
The problem with this approach in the past was that it required something that, until recently, wasn’t possible: the ability to detect attackers within one’s own network before they do real damage. This is necessary both to allow action to be taken against attacks currently in progress and provide the necessary information to assess future risk to the organisation.
New advances in mathematics and machine learning have, for the first time, allowed the implementation of this completely new way of combating targeted attacks. While a sophisticated attacker will be quite capable of breaking through the barriers in their own way, they will be unable to do real damage without – by definition – acting in a manner that’s abnormal for users on the network in question.
Like the immune system in the human body, this new class of self-learning technology is able to develop an accurate, constantly updated model of the network in its normal state – to develop a dynamic sense of ‘self’ – that allows it to detect even the most subtle of anomalies that might signify an attack. Malicious entities that break through the perimeter – ie the ‘skin’ in the immune system analogy – will nevertheless be detected and stopped before they can cause serious trouble.
Since this technology is based on machine learning, it doesn’t need to be told how any given network is supposed to be configured – it will form its own understanding as it monitors traffic. This yields otherwise inaccessible information on the real state of a large network that may help to minimise the risk from previously unknown attack surfaces in future.
The immune system approach kills two birds with one stone, making cyber defence – as opposed to cyber security – possible. On the one hand, it provides an additional, powerful line of resistance against attackers who succeed in breaching the perimeter. On the other, it affords a window into the network, allowing the gathering of rich data. That’s vital when it comes to accurate risk assessment.
Dave Palmer: Director of Technology at Darktrace
Training and Career Development
Taking Event Security to Level 2
Generating the all-new Level 2 Certificate in Event Security Operations – which has been endorsed by the Highfield Awarding Body for Compliance – necessitated the UK Crowd Management Association conducting a feasibility study and the National Occupational Standards being redefined. Mark Harding examines the latest thinking in security management for crowded spaces
For venue managers and event organisers alike, it’s safe to say that customer experience is everything. In this regard, their relentless pursuit of excellence makes it important that those providing essential services for them continually explore ways in which they can make a genuine difference. For their part, third party crowd management and event security companies have a responsibility towards the enjoyment and safety of venue and event attendees through the effective delivery of their specialist services which can help to create long-lasting memories for audiences. Memories that will make those attendees want to return for future concerts or sporting spectacles.
As an industry, we’re constantly endeavouring to raise standards by increasing the skills set and knowledge of our workforces such that we can assist those venue managers and event organisers in nurturing the best experiences for audiences in both safe and secure environments. It’s perhaps appropriate, then, that a significant step forward has been taken in what is a landmark year for two of the UK’s major entertainment arenas. Manchester Arena celebrated its 20th Anniversary in July while Newcastle’s Metro Radio Arena is all set to reach the exact same milestone very soon. Working with the teams at both of these venues, Showsec has developed a long-standing relationship with operator SMG Europe most notable for the fact that, in partnership, we’ve established a customer-focused operating blueprint which has since been rolled out to many other venues.
Licensing issues and legislation
Further progression for the industry is crucial if we’re to ensure compliance with an ever-increasing amount of licensing issues and legislation, while at the same time being mindful of commercial pressures to provide the most cost-effective solutions for our customers. Recognising the importance of – and, indeed, the necessity for – such a forward-thinking approach, the United Kingdom Crowd Management Association (UKCMA) identified that there was a growing requirement for the development of a multi-faceted qualification to serve all event stewarding. An important objective has been to redress the balance by placing as much emphasis on public safety as there is on crime reduction.
Since the National Police Chiefs’ Council – in its former guise as ACPO – gave direction to local police forces that they should start charging per hour to work on many events, there have been a good many courses for security staff to acquire qualifications such that they can assume some of the roles normally undertaken by police officers within an overall crime reduction strategy. The effectiveness of a crowd management and security operation isn’t just about crime reduction, though. It’s also about making sure members of the public are safe at all times. Indeed, there’s an argument to suggest that if your public safety focus is spot on, then it will have an impact upon the level of criminal activity at an event as well. We do, of course, have a dual responsibility, so it’s about getting that balance right. While it’s widely understood that public safety is just as important as crime reduction, there will consistently be more of a requirement for safety measures.
Mark Harding: Chairman of the United Kingdom Crowd Management Association (UKCMA) and Managing Director at Showsec
Safety of the public
With that detailed backdrop in mind, the development of the Level 2 Certificate in Event Security Operations was really about looking at the safety of the public at a wide range of
venues and events. The UKCMA wouldn’t have been able to reach a position whereby we now have this fit-for-purpose qualification without the commitment and drive of industry-wide experts, together with the wholehearted support of internal and external stakeholders. Throughout the lengthy development process, there has been a strong desire to achieve the best possible outcome in terms of the learning process for stewards, thus providing them with an entry point into the industry and, just as importantly, a foundation upon which to build. At the end of it all, we wanted to have a qualification that was pertinent to the different types of venues and events in which we deliver our product. The development process involved redefining the National Occupational Standards, the UKCMA conducting a feasibility study and then, based on the results of that study, the publication of this new Level 2 Certificate in Event Security Operations which has been endorsed by the Highfield Awarding Body for Compliance (HABC). In leading the way with the development of the qualification, the UKCMA has been supported by both HABC and the Sports Grounds Safety Authority, while individuals who deserve special mention are Martin Girvan and Ruth Oliver. There has also been active involvement from many other stakeholders, such as John Newsham of the Football Safety Officers’ Association, all of whom held a strong desire to see this addition to the qualifications available for those wishing to join our sector.
Developing new revenue streams The hugely competitive events marketplace means that venue managers and event organisers are constantly looking at ways in which they can develop new revenue streams. On that basis, it’s vital for them to have operational staff on site trained to a high level so that they can deal with all types of occasion. Clearly, the skills and knowledge which they acquire are put to a greater test when operating within the confines of smaller venues, particularly when it comes to the issues of ingress, egress and managing crowd flows. The Level 2 Certificate is primarily a knowledge-based qualification with some
elements of practical demonstration and assessment of performance in the workplace, one which covers these significant areas of public safety at events. Importantly, it also provides the foundation upon which event stewards can build a portfolio of transferrable skills such that they might contribute more towards operations. Indeed, we want this Level 2 Certificate to be the first step along a pathway of new qualifications designed to consolidate Best Practice. At Showsec, we consider ourselves to be a ‘knowledge bank’ when it comes to the development of market-leading training programmes which equip our workforce with the skills necessary for them to undertake roles to the best of their ability and give staff the opportunity to fulfil their true potential. Indeed, we’re continually expanding and modifying those training modules so that they enable members of staff to raise their standards of performance, but also meet the aspirations of our clients in seeking to deliver the very best possible customer experience. This has enabled us to work with police forces on crime reduction strategies to ensure that we achieve the required security standards in key areas such as incident response teams, enhanced searches and ejection procedures.
Cost-effective security solutions We are not like-for-like replacements for the police, and never intend to be that, but we can take on roles not considered to be core duties of policing work and, in doing so, provide our clients with more cost-effective solutions. The safety of our staff has to be an important consideration. Police officers are empowered by legislation and have sophisticated personal and operational equipment at their disposal, both in terms of front line and operational support services. This is not the case with our staff. While we may have clear operating guidelines in terms of particular sizes of venue, the crucial point here is to focus on offering a bespoke service which takes into account the individual requirements of the client, the venue itself and the type of event being run. Recent advances in technology and greater accessibility to more information mean that we’ve been able to change our strategy with regard to preventative action. Alongside improvements in ticketing procedures, we’re also able to undertake profiling of audiences which helps us with planning and deployment. It means we’re able to identify any potential criminal activity and put in place preventative measures which protect both the audience and the commercial well-being of the event.
Pro-Activ Publications is embarking on a revolutionary launch: a FORTNIGHTLY NEWSPAPER dedicated to the latest financial and business information for professionals operating in the security sector
Business News for Security Professionals
The Paper will bring subscribers (including CEOs, managing directors and finance directors within the UK’s major security businesses) all the latest company and sector financials, details of business re-brands, market research and trends and M&A activity
FOR FURTHER INFORMATION ON THE PAPER CONTACT: Brian Sims BA (Hons) Hon FSyI (Editor, The Paper and Risk UK) Telephone: 020 8295 8304 e-mail: brian.sims@risk-uk.com www.thepaper.uk.com
Risk in Action Wilson James’ BP North Sea security contract extended to deliver Emergency Response Control Room services Security solutions specialist Wilson James has been appointed by BP to deliver Emergency Response Control Room services across the organisation’s North Sea business, in turn building upon and extending the existing core security guarding and reception service provision already in place. Commenting on the contract, Keith Fleming (director for Scotland at Wilson James) told Risk UK: “The contract expansion enables Wilson James to take an integrated approach towards the provision of security and emergency response arrangements within the environs of BP’s onshore assets and associated portfolios within the North Sea zone.” Fleming went on to state: “We can use our long-standing experience and understanding of BP’s business from working with the customer across Scotland and beyond to ensure consistency and continuity, subsequently contributing to the company’s overall business resilience.” As stated, this appointment takes Wilson James into the realms of delivering Emergency Response Control Room operations and will support BP’s initial response to crisis, continuity and emergency response-related incidents. Gemma Quirke – managing director for Security Services at Wilson James – explained: “Services such as the provision of Emergency Response Control Room operatives are crucial in terms of ensuring that effective response arrangements are in place for any eventualities that may occur in today’s working environment. We’re delighted to be assisting BP in these arrangements. The contract demonstrates the service expertise we can deliver across a range of sectors.” Wilson James is a leading security, logistics and business services provider. Founded in 1991 and now employing over 2,500 members of staff, the company helps organisations meet their business objectives.
DVS and Lantec Security enhance Sand Martins Golf Club surveillance system thanks to Hikvision technology
Surveillance specialist Hikvision and systems installer Lantec Security have recently completed an upgrade project at the prestigious Sand Martins Golf Club in Surrey with assistance from Hikvision’s UK distributor DVS. The Sand Martins Golf Club is located near Wokingham and, only recently, the management team decided it was time to upgrade the club’s existing standard definition analogue surveillance system. Given that the course is spread across many acres of land, CCTV is paramount for the security and smooth running of the location. Steve Lane of Lantec Security headed up the installation project for the new surveillance system, all the while working closely with DVS. A full HD system has been designed and implemented using Hikvision’s solutions. The project consists of 16 Hikvision Full HD cameras, among them vandal-resistant IR domes, bullet cameras and even a newly-released Lightfighter model installed to watch over the club’s grounds. Hikvision’s ANPR system is employed in the car park, recording the number of every vehicle that enters the compound. The large field of view on the ANPR solution means that it can also serve as a general overview system. The installation even boasts an auto tracking dome on the 18th hole that streams live images directly into the clubhouse. “We decided to choose a Hikvision system as the user interface is ideal,” explained Steve Lane. “Using Hikvision’s products also allowed us to provide an end-to-end solution covering ANPR, internal areas and the retail space.”
Community cinema in Dulwich benefits from Fire-Cryer Voice Sounders developed by Vimpex
The former St Thomas More Community Centre in East Dulwich, London is now home to a new three-screen cinema with a café-bar and a courtyard garden. Refurbished this year, the East Dulwich Picture House and Café offers diverse programmes catering for all sections of the local community. As part of the refurbishment a new fire alarm system was installed, together with Vimpex’s EN 54-3 approved Multi-Message Fire-Cryer Plus Voice Sounders to ensure timely building evacuation in the event of a fire scenario. The fire alarm system was designed and commissioned by Southern Fire Alarms in partnership with consultant LTS International and installed by DW Electrical. A total of 35 Mini Fire-Cryer slimline base sounders have been installed under ceiling-mounted fire detectors in all parts of the building. The Mini Fire-Cryer provides both an attractive and unobtrusive solution.
2015 IRB Rugby Union World Cup represents latest leg of Zaun’s Olympic Stadium relay The IRB Rugby Union World Cup represents the latest leg of Zaun’s Olympic legacy that just keeps on running and running. The Wolverhampton-based high security fencing manufacturer has been appointed to the latest two phases of work at the Olympic Stadium in London during its temporary re-opening for Rugby Union’s most special event. Balfour Beatty was appointed to transform the former Olympic Stadium in Queen Elizabeth Olympic Park into a year-round multi-use venue that will deliver a lasting cultural, sporting and community legacy in east London. That transformation includes installing the largest roof of its kind in the world, a community track, innovative retractable seating, spectator and hospitality facilities as well as external landscaping. The initial two phases of work, which included a £150,000 contract for high security fencing to be installed by Zaun Group company Binns Fencing, finished several weeks ago when the Olympic legacy team handed over ‘The Stadium’ (as it will be known during the IRB Rugby Union World Cup) to the event organisers. The 54,000-capacity venue is hosting five matches, starting with the Pool D clash between France and Romania, New Zealand’s second Pool C match, Ireland versus Italy and a fourth pool game between South Africa and the USA. The venue also stages the third place play-off on Friday 30 October. It will then open permanently as the new home of Barclays Premier League club West Ham United and a national competition centre for UK Athletics. Zaun is supplying over 800 metres of security-rated Duo8 SR1 fencing panels at heights varying between 2.4 metres and 3.5 metres, along with 200 metres of 5 metre-high sports fencing, over 200 metres of spectator railings and 13 pedestrian and vehicle gates.
Chubb installs bespoke access control and entry phone system to safeguard London’s iconic Westminster Abbey Chubb Fire & Security has recently installed an access control and entry phone system at Westminster Abbey’s Song School, part of the iconic London church that has held numerous Royal Weddings and State Ceremonies. Indeed, Chubb’s fire and security systems have helped to ensure security throughout the location for more than 30 years. Westminster Abbey is, of course, one of the world’s greatest churches, with a history stretching back over a thousand years. The Song School, which is set in the heart of the Abbey’s precincts, exists solely to educate and care for the boys who sing as choristers in the Abbey Choir. Chubb has equipped the school with an access control and door entry system to ensure that only authorised individuals are able to enter. This is integral to the facility’s existing intruder alarm system which Chubb monitors on a 24/7 basis. Garry Evanson CSyP – head of security and emergency planning at Westminster Abbey and also chairman of The Security Institute – told Risk UK that the trust established with Chubb over three decades is essential. “Chubb’s expert knowledge and recognised customer focus are major factors in the longevity of the contract,” explained Evanson. “We have always worked with one point of contact and it is this trust, as well as the ease and speed of resolving any issues we may have, that are the very bedrock of the service.”
Amthal Fire & Security’s riding high with protection regime for Bespoke Cycling Amthal Fire & Security has geared up to meet the security challenges outlined by client Bespoke Cycling, installing its latest smart systems into three of the high-end bike specialist’s newest stores in central London. Bespoke Cycling’s outlets in Canary Wharf, Gresham Street near St Paul’s and Jermyn Street offer some of the world’s finest cycling products as well as cutting-edge 3D and 4D technology that aims to bring performance and enjoyment gains for customers. The business decided to partner with Amthal Fire & Security, who duly specified a bespoke security solution. In addition to installing the latest intruder alarms, Amthal Fire & Security also added smart CCTV and specialist EAS tagging to deter would-be thieves. Liam Lynch, operations manager at Bespoke Cycling, told Risk UK: “Amthal Fire & Security completed a full site survey at each location and then devised a schedule of works for the installation process that would operate within our very tight fit-out schedule. The end result is a seamless integration of security solutions which can be managed centrally for powerful protection.”
Technology in Focus High performance IP Mini-Domes bolster Illustra portfolio for Tyco Security Products Tyco Security Products has introduced Illustra Pro IP Mini-Dome cameras in both 3 and 5 Megapixel resolutions that deliver “exceptional video quality and performance” for end users across various lighting conditions. The 3 Megapixel Illustra Pro vandal-resistant IP Mini-Domes render real-time video images in HD. Whether in bright sunlight or near/total darkness, important details such as vehicle number plates, merchandise labels, faces and even blurred objects can clearly be seen by the end user. As part of the high performance Pro range, these dome cameras make use of “the highest performance-critical components, sensors and system platforms available” to meet the most demanding specification requirements in today’s professional-level installations. The Illustra Pro Mini-Domes offer premium performance and “category-leading Wide Dynamic Range” in the 5 Megapixel Series as well as “true Wide Dynamic Range” in the 3 Megapixel Series. www.illustracameras.com
LINKLOCK network protection from Veracity supports Video-over-IP systems for risk and security professionals
With HD IP network cameras and domes increasingly being used by host organisations to capture evidence grade images of activity at their head offices and branches, there’s the potential for would-be fraudsters to gain access to valuable and confidential information. Deployment of external IP cameras requires the provision of an external network connection to the IP camera device. Such external connections could be subject to malicious tampering such that the perpetrator might gain access to a company’s internal network. There’s now a solution available that stops dead any attempt by those with criminal intent to hack into a network via an IP network-based video surveillance system. Manufactured by UK-based Veracity and available exclusively via Samsung Techwin Europe, LINKLOCK provides a total barrier to all unauthorised network access by fully blocking connections to any cable or equipment that has been tampered with or disconnected. It works by completely disconnecting data and power from the coaxial cable link, thereby providing complete isolation of the affected link. This makes it an ideal protection measure for security-critical installations in banks, for instance, where network cabling or video surveillance equipment might be located externally in order to detect, monitor and record evidence of criminal activity such as vandalism, ATM skimming and armed robbery, as well as to remotely monitor premises outside of normal business hours. www.samsungsecurity.co.uk
G4S introduces “groundbreaking” TravelAware app to revolutionise business travel safety
Global security solutions provider G4S has launched the G4S TravelAware app, badged by the company as a “groundbreaking” security tool specifically designed to inform business travellers across the globe on risk and security-related issues. TravelAware will “revolutionise” the way in which organisations protect their employees by providing business travellers with critical and reliable, location-specific security information through a smart phone app. Managers have access to exact tracking information on all app users in real-time. Through a dedicated online portal and via the app, TravelAware enables detailed two-way communication, making sure company employees and managers are connected. www.g4s.com
Dycon Power Solutions launches innovative security power supply for use in plastic housings
Dycon Power Solutions has launched the XLo range featuring a “revolutionary” new power technology that’s designed to offer reliable, battery backed-up, switched-mode power supplies for use in today’s increasingly popular plastic housings. The XLo PSU effectively dissipates most extraneous RF signals, in turn “dramatically reducing EMC emissions” while still delivering a full 3 Amp output at greater than 85% efficiency and with battery back-up facilities. All PSUs have been thoroughly tested to EN 55022 Class B. www.dyconpower.com
Apollo develops intelligent Manual Call Point to support SOTERIA range of detectors
Following the launch of its original Manual Call Point in 2013, Apollo Fire Detectors has announced the development of a version which will support the company’s new SOTERIA range of detectors. Product manager Tom Crane told Risk UK: “The development of SOTERIA and CoreProtocol – our new generation detectors and operating protocol – gave us the opportunity to improve upon our original Manual Call Point by including some additional features which we know will be welcomed by customers.” One of the main features of the new Intelligent Manual Call Point is that it’s a universal product, not only designed to fit with SOTERIA and CoreProtocol, but also engineered to be backwards-compatible with the Discovery and XP95 digital protocols incorporated in the same unit. Crane continued: “The development of this new Intelligent Manual Call Point has enabled us to evaluate the device as a whole and listen to valuable feedback from end users. This has resulted in a number of design changes, including the front assembly now becoming a sealed unit.” www.apollo-fire.co.uk
March Networks introduces self-contained HDR surveillance camera for banking ATMs
IP video solutions developer March Networks has introduced the MegaPX ATM camera. The MegaPX is believed to be the security sector’s first self-contained, covert IP camera with High Dynamic Range (HDR) image clarity. Purpose-built for easy installation in leading ATMs, the camera captures highly-detailed video in all lighting conditions, enabling banking investigators and members of the police service to clearly identify faces and other distinguishing features. Importantly, the new models are compliant with ONVIF Profile S and can be deployed seamlessly to provide the high quality ATM video evidence many financial institutions are seeking to fill a gap in their complete banking surveillance solutions.
The MegaPX ATM camera combines HDR and “exceptional” low-light performance to capture clear video in high contrast lighting, such as the direct sunlight and near-dark conditions that ATMs can be located in at different times of the day. Available with a 2.8 mm standard lens or 3.7 mm pinhole lens, these cameras’ wide field of view records ATM users from the waist up rather than just capturing faces to provide comprehensive video evidence. To prevent the cameras from shifting, the MegaPX ATM solution offers a choice of two mounting brackets that lock firmly into place. The built-in robust locking mechanism ensures that each camera’s desired field of view is maintained at all times. www.marchnetworks.com
Fireray heater keeps optical beam smoke detectors clear of condensation
FFE’s Fireray optical beam smoke detectors provide wide area smoke detection when it’s impractical to use traditional point-type detectors. They’re ideal for large indoor spaces with high ceilings, such as warehouses, sports arenas, factories or shopping centres. There are two general types of detector: end-to-end, which use two detector heads, and reflective (which have one detector head and a reflector or prism). With the onset of autumn, lower temperatures can cause condensation to form on detector lenses and reflective prisms. That obscures the lens and prism, reducing the amount of infrared light reaching the detector. In truth, this has a similar effect to smoke and can lead to unwanted false alarms. To combat this issue, FFE has developed a new range of anti-condensation heaters for its Fireray range of optical beam smoke detectors and reflective prisms. The detector heater circulates a current of warm air over the lens, raising its ambient temperature by up to 10°C and maintaining the lens at an incrementally higher temperature than the surrounding air. This dramatically reduces the likelihood of condensation forming on the lens which, in turn, reduces the potential for false alarms. www.ffeuk.com
Appointments
Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors
Mike White and David Rubens CSyP
Mike White and David Rubens CSyP have accepted places on the Board of Directors at The Security Institute, with the organisation’s chairman Garry Evanson explaining the move as “adding strength to the existing group of individuals by bringing in two very active and engaged members who can contribute greatly to what we can achieve as a Board of Directors in implementing our plans.” Security companies for whom White has served in the past include Equinox Security Management, Grosvenor Security Services, Charter Security, Lynx Security, St James Security and Initial Security Services. White is now an independent security, risk management and training consultant, serving as director of the Hampton Security Consultancy. He recently completed his permitted term as chairman of the International Professional Security Association and is also an active member of ASIS International’s UK Chapter and the Institute of Leadership and Management. David Rubens has been involved in the UK’s security business sector since 1992. He ran his own consultancy from that year until 2013 under the names of Meido Consultants and David Rubens Associates. From December 2013 until recently, Rubens served as managing director of InfraSafe Security International, the international division of InfraSafe (a major US-based security technology company). Rubens has also been involved in the academic side of security and risk management, completing his MSc at the University of Leicester’s Scarman Centre back in 2006.
David Openshaw and Mark Langworthy
Support services provider Emprise Services plc has appointed David Openshaw as the company’s new chairman. Openshaw’s distinguished career in the facilities management sector dates back to 1975. Prior to his retirement from ISS in 2014, Openshaw held senior positions in the UK and latterly served as CEO of ISS North America. Openshaw commented: “Emprise has built a terrific new team which I’m very much looking forward to supporting as it enters the next phase of its development.” In tandem, the business has also appointed Mark Langworthy as director of its security division. Langworthy joins from MITIE Total Security Management where he served as a regional director with responsibility for London and the South East. Prior to this, Langworthy held senior positions with Initial Facilities Services, Power Distribution Security, VSG, Chubb and Lynx in addition to spending six years in the Household Cavalry. Langworthy told Risk UK: “The company delivers a first class service to an impressive client list and I’m very much looking forward to leading the division.” As a designated Security Industry Authority Approved Contractor, Emprise offers security services ranging from technical solutions through to security guarding.
Mike Kenny CSyP
With Mike Kenny having recently been admitted to the Register of Chartered Security Professionals, Linx International Group can claim to have more CSyPs within its ranks than any other organisation. Kenny, who serves as training manager for ARC Training, joins five other colleagues and training experts associated with the Linx International Group who have achieved Chartered Security Professional (CSyP) status. They include David Gill (CEO at Linx International Group) and director Angus Darroch Warren, senior consultant with the company. Admittance to the Register of Chartered Security Professionals signifies that a person has met the stringent criteria jointly developed by The Worshipful Company of Security Professionals and The Security Institute. This includes a strong understanding of general security principles and an ability to demonstrate a high level of competence in key areas such as security knowledge, practice skills, communication and leadership. “I’m proud that so many of my colleagues share my passion for helping raise standards within the security sector and that they have the experience, expertise and commitment necessary to achieve CSyP status,” explained David Gill, who heads a group encompassing Linx Consulting in addition to security management and systems training specialists ARC Training, Perpetuity Training and Tavcom.
David Wilkinson
Karen Morris-Lanz
Securitas has a new Human Resources (HR) director in place who will support the UK business in achieving its strategy for growth and commercial success. Karen Morris-Lanz joins the company from Waponi’s HR function and brings with her a wealth of HR consultancy experience across a broad range of business sectors. A Fellow of the Chartered Institute of Personnel and Development, Morris-Lanz will now be responsible for the overall HR strategy across the security business. During her time at Waponi, Morris-Lanz worked with the Department for Business, Innovation and Skills to support the set-up of the British Business Bank. Morris-Lanz has also held roles at Network Rail and with major retailers (among them Marks and Spencer and Next) and duly gained much experience across both the central and local Government sectors. In conversation with Risk UK, Morris-Lanz said of her new role at Securitas: “I’m looking forward to supporting Securitas’ global change from being a traditional security guarding company to becoming a leading international business specialising in protective services based on people, technology and knowledge. How we can combine our people skills with technology-focused solutions for customers will be the central focus of that change.”
Dr Karin von Hippel
From Tuesday 1 December 2015, the new director general of Whitehall-based defence and security Think Tank the Royal United Services Institute (RUSI) will be Dr Karin von Hippel, presently Chief of Staff to General John Allen, Special Presidential Envoy for the Global Coalition to Counter ISIL. Dr von Hippel has worked in the US State Department for nearly six years, prior to which she was at the Centre for Strategic and International Studies in Washington and also senior research fellow at King’s College, London. Additionally, Dr von Hippel has worked for both the United Nations and the European Union in Somalia and Kosovo. Dr von Hippel has advised the UN on peacekeeping, peace-building and its humanitarian system, USAID on the development potential of Somali remittances and the Organisation for Economic Cooperation and Development when it comes to the role of development co-operation in discovering the root causes of terrorism. Dr von Hippel has been a member of the World Economic Forum’s Global Agenda Council on Fragile States and harbours direct experience in over two dozen conflict zones. Her numerous and very much respected publications cover the full conflict spectrum and include Democracy by Force (Cambridge, 2000), which was shortlisted for the RUSI Westminster Medal in Military History.
David Wilkinson, director of technical services at the British Security Industry Association (BSIA), has been appointed chairman of the British Standards Institution’s (BSI) GW/1 Committee which oversees standards development for the UK’s electronic security sector. As the UK’s parent committee for all standards work conducted in the field of electronic security, GW/1 acts as the UK’s ‘gatekeeper’ representing the BSI at European and international levels. With 25 years’ experience in the electronic security sector, Wilkinson has been involved in standards development for a number of years, having been an active participant on several standards committees across Britain and Europe before stepping up to lead GW/1. For its part, GW/1 includes a number of other participating industry organisations including the National Security Inspectorate, the Security Systems and Alarms Inspection Board and the newly-formed National Police Chiefs’ Council.
Jeremy Hockham
Norbain Holdings – the security, fire and IT/IP connectivity systems distribution company – has announced the appointment of Jeremy Hockham as the business’ new managing director. Hockham joins the Berkshire-based company with broad international industry experience having served as president of Bosch Security USA, managing director at Bosch Security Systems UK and also managing director of Honeywell Security. These roles are among many other senior management positions Hockham has held in the security sector. Commenting on his new role, Hockham told Risk UK: “I was delighted to accept the opportunity to run the Holdings company at such an important phase in its development. Since its acquisition by the Newbury Group in 2012, Norbain has seen continuous investment and acquisitions. I’m really looking forward to joining the team and building on the strong platform the business has in place across the security, fire and connectivity markets.”
Best Value Security Products from Insight Security www.insight-security.com Tel: +44 (0)1273 475500 ...and lots more Computer Security
Anti-Climb Paints & Barriers
Metal Detectors (inc. Walkthru)
Security, Search & Safety Mirrors
ACCESS CONTROL
Security Screws & Padlocks, Hasps Fastenings & Security Chains
Key Safes & Key Control Products
Traffic Flow & Management
see our website
ACCESS CONTROL – BARRIERS GATES & ROAD BLOCKERS
FRONTIER PITTS Crompton House, Crompton Way, Manor Royal Industrial Estate, Crawley, West Sussex RH10 9QZ Tel: 01293 548301 Fax: 01293 560650 Email: sales@frontierpitts.com Web: www.frontierpitts.com
ACCESS CONTROL
ACT ACT – Ireland, Unit C1, South City Business Centre Tallaght, Dublin 24 Tel: +353 (0)1 4662570 ACT - United Kingdom, 2C Beehive Mill Jersey Street, Manchester M4 6JG +44 (0)161 236 3820 sales@act.eu www.act.eu
ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES
UKB INTERNATIONAL LTD ACCESS CONTROL
APT SECURITY SYSTEMS The Power House, Chantry Place, Headstone Lane, Harrow, HA3 6NY Tel: 020 8421 2411 Email: info@aptcontrols.co.uk www.aptcontrols-group.co.uk
Planet Place, Newcastle upon Tyne Tyne and Wear NE12 6RD Tel: 0845 643 2122 Email: sales@ukbinternational.com Web: www.ukbinternational.com
Barriers, Blockers, Bollards, PAS 68
ACCESS CONTROL, CCTV & INTRUSION DETECTION SPECIALISTS
SIEMENS SECURITY PRODUCTS ACCESS CONTROL
KERI SYSTEMS UK LTD Tel: + 44 (0) 1763 273 243 Fax: + 44 (0) 1763 274 106 Email: sales@kerisystems.co.uk www.kerisystems.co.uk
Suite 7, Castlegate Business Park Caldicot, South Wales NP26 5AD UK Main: +44 (0) 1291 437920 Fax: +44 (0) 1291 437943 email: securityproducts.sbt.uk@siemens.com web: www.siemens.co.uk/securityproducts
ACCESS CONTROL & DOOR HARDWARE
ALPRO ARCHITECTURAL HARDWARE
ACCESS CONTROL
COVA SECURITY GATES LTD Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68
Tel: 01293 553888 Fax: 01293 611007 Email: sales@covasecuritygates.com Web: www.covasecuritygates.com
Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks, Waterproof Keypads, Door Closers, Deadlocks plus many more T: 01202 676262 Fax: 01202 680101 E: info@alpro.co.uk Web: www.alpro.co.uk
ACCESS CONTROL – SPEED GATES, BI-FOLD GATES ACCESS CONTROL MANUFACTURER
NORTECH CONTROL SYSTEMS LTD. Nortech House, William Brown Close Llantarnam Park, Cwmbran NP44 3AB Tel: 01633 485533 Email: sales@nortechcontrol.com www.nortechcontrol.com
HTC PARKING AND SECURITY LIMITED 4th Floor, 33 Cavendish Square, London, W1G 0PW T: 0845 8622 080 M: 07969 650 394 F: 0845 8622 090 info@htcparkingandsecurity.co.uk www.htcparkingandsecurity.co.uk
ACCESS CONTROL - BARRIERS, BOLLARDS & ROADBLOCKERS
ACCESS CONTROL
HEALD LTD
INTEGRATED DESIGN LIMITED
HVM High Security Solutions "Raptor" "Viper" "Matador", Shallow & Surface Mount Solutions, Perimeter Security Solutions, Roadblockers, Automatic & Manual Bollards, Security Barriers, Traffic Flow Management, Access Control Systems
Integrated Design Limited, Feltham Point, Air Park Way, Feltham, Middlesex. TW13 7EQ Tel: +44 (0) 208 890 5550 sales@idl.co.uk www.fastlane-turnstiles.com
Tel: 01964 535858 Email: sales@heald.uk.com Web: www.heald.uk.com
ACCESS CONTROL
CCTV
SECURE ACCESS TECHNOLOGY LIMITED
G-TEC
Authorised Dealer Tel: 0845 1 300 855 Fax: 0845 1 300 866 Email: info@secure-access.co.uk Website: www.secure-access.co.uk
ACCESS CONTROL – BARRIERS, GATES, CCTV
ABSOLUTE ACCESS Aberford Road, Leeds, LS15 4EF Tel: 01132 813511 E: richard.samwell@absoluteaccess.co.uk www.absoluteaccess.co.uk Access Control, Automatic Gates, Barriers, Blockers, CCTV
BUSINESS CONTINUITY
Gtec House, 35-37 Whitton Dene Hounslow, Middlesex TW3 2JN Tel: 0208 898 9500 www.gtecsecurity.co.uk sales@gtecsecurity.co.uk
CCTV/IP SOLUTIONS
DALLMEIER UK LTD 3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH Tel: +44 (0) 117 303 9 303 Fax: +44 (0) 117 303 9 302 Email: dallmeieruk@dallmeier.com
CCTV & IP SECURITY SOLUTIONS
PANASONIC SYSTEM NETWORKS EUROPE Panasonic House, Willoughby Road Bracknell, Berkshire RG12 8FP Tel: 0844 8443888 Fax: 01344 853221 Email: system.solutions@eu.panasonic.com Web: www.panasonic.co.uk/cctv
BUSINESS CONTINUITY MANAGEMENT
CONTINUITY FORUM Creating Continuity ....... Building Resilience A not-for-profit organisation providing help and support Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845 Email: membership@continuityforum.org Web: www.continuityforum.org
COMMUNICATIONS & TRANSMISSION EQUIPMENT
KBC NETWORKS LTD. Barham Court, Teston, Maidstone, Kent ME18 5BZ www.kbcnetworks.com Phone: 01622 618787 Fax: 020 7100 8147 Email: emeasales@kbcnetworks.com
DIGITAL IP CCTV
TO ADVERTISE HERE CONTACT: Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk
SESYS LTD High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.
1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333 Email: info@sesys.co.uk www.sesys.co.uk
INFRA-RED, WHITE-LIGHT AND NETWORK CCTV LIGHTING
RAYTEC
CCTV
Unit 3 Wansbeck Business Park, Rotary Parkway, Ashington, Northumberland. NE638QW Tel: 01670 520 055 Email: sales@rayteccctv.com Web: www.rayteccctv.com
CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS
CCTV SPECIALISTS
ALTRON COMMUNICATIONS EQUIPMENT LTD
PLETTAC SECURITY LTD
Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ Tel: +44 (0) 1269 831431 Email: cctvsales@altron.co.uk Web: www.altron.co.uk
Unit 39 Sir Frank Whittle Business Centre, Great Central Way, Rugby, Warwickshire CV21 3XH Tel: 01788 567811 Fax: 01788 544 549 Email: jackie@plettac.co.uk www.plettac.co.uk
WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS, PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.
MAYFLEX Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ
Tel: 0800 881 5199 Email: securitysales@mayflex.com Web: www.mayflex.com
CCTV & IP SOLUTIONS, POS & CASH REGISTER INTERFACE, EPOS FRAUD DETECTION
THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS CONTROL AND INTRUDER DETECTION SOLUTIONS
AMERICAN VIDEO EQUIPMENT
NORBAIN SD LTD
Endeavour House, Coopers End Road, Stansted, Essex CM24 1SJ Tel : +44 (0)845 600 9323 Fax : +44 (0)845 600 9363 E-mail: avesales@ave-uk.com
CONTROL ROOM & MONITORING SERVICES
ADVANCED MONITORING SERVICES
EUROTECH MONITORING SERVICES LTD.
Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring • Vehicle Tracking • Message Handling • Help Desk Facilities • Keyholding/Alarm Response Tel: 0208 889 0475 Fax: 0208 889 6679 E-MAIL eurotech@eurotechmonitoring.net Web: www.eurotechmonitoring.net
DISTRIBUTORS
210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP Tel: 0118 912 5000 Fax: 0118 912 5001 www.norbain.com Email: info@norbain.com
EMPLOYMENT
FIRE AND SECURITY INDUSTRY RECRUITMENT
SECURITY VACANCIES www.securityvacancies.com Telephone: 01420 525260
EMPLOYEE SCREENING SERVICES
THE SECURITY WATCHDOG Cross and Pillory House, Cross and Pillory Lane, Alton, Hampshire, GU34 1HL, United Kingdom www.securitywatchdog.org.uk Telephone: 01420593830
IDENTIFICATION
sales@onlinesecurityproducts.co.uk www.onlinesecurityproducts.co.uk
ADI ARE A LEADING GLOBAL DISTRIBUTOR OF SECURITY PRODUCTS OFFERING COMPLETE SOLUTIONS FOR ANY INSTALLATION.
ADI GLOBAL DISTRIBUTION Chatsworth House, Hollins Brook Park, Roach Bank Road, Bury BL9 8RN Tel: 0161 767 2900 Fax: 0161 767 2909 Email: info@adiglobal.com
COMPLETE SOLUTIONS FOR IDENTIFICATION
DATABAC GROUP LIMITED 1 The Ashway Centre, Elm Crescent, Kingston upon Thames, Surrey KT2 6HH Tel: +44 (0)20 8546 9826 Fax:+44 (0)20 8547 1026 enquiries@databac.com
INDUSTRY ORGANISATIONS
PERIMETER PROTECTION
GPS PERIMETER SYSTEMS LTD TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY
BRITISH SECURITY INDUSTRY ASSOCIATION
14 Low Farm Place, Moulton Park Northampton, NN3 6HY UK Tel: +44(0)1604 648344 Fax: +44(0)1604 646097 E-mail: info@gpsperimeter.co.uk Web site: www.gpsperimeter.co.uk
Tel: 0845 389 3889 Email: info@bsia.co.uk Website: www.bsia.co.uk
POWER THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY
SSAIB 7-11 Earsdon Road, West Monkseaton Whitley Bay, Tyne & Wear NE25 9SX Tel: 0191 2963242 Web: www.ssaib.org
POWER SUPPLIES – DC SWITCH MODE AND AC
DYCON LTD Cwm Cynon Business Park, Mountain Ash, CF45 4ER Tel: 01443 471 060 Fax: 01443 479 374 Email: marketing@dyconsecurity.com www.dyconsecurity.com The Power to Control; the Power to Communicate
INTEGRATED SECURITY SOLUTIONS STANDBY POWER SECURITY PRODUCTS AND INTEGRATED SOLUTIONS
HONEYWELL SECURITY GROUP Honeywell Security Group provides innovative intrusion detection, video surveillance and access control products and solutions that monitor and protect millions of facilities, offices and homes worldwide. Honeywell integrates the latest in IP and digital technology with traditional analogue components enabling users to better control operational costs and maximise existing investments in security and surveillance equipment. Honeywell – your partner of choice in security. Tel: +44 (0) 844 8000 235 E-mail: securitysales@honeywell.com Web: www.honeywell.com/security/uk
UPS SYSTEMS PLC Herongate, Hungerford, Berkshire RG17 0YU Tel: 01488 680500 sales@upssystems.co.uk www.upssystems.co.uk
UPS - UNINTERRUPTIBLE POWER SUPPLIES
ADEPT POWER SOLUTIONS LTD Adept House, 65 South Way, Walworth Business Park Andover, Hants SP10 5AF Tel: 01264 351415 Fax: 01264 351217 Web: www.adeptpower.co.uk E-mail: sales@adeptpower.co.uk
INTEGRATED SECURITY SOLUTIONS
INNER RANGE EUROPE LTD Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG74GB, United Kingdom Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001 Email: ireurope@innerrange.co.uk www.innerrange.com
UPS - UNINTERRUPTIBLE POWER SUPPLIES
UNINTERRUPTIBLE POWER SUPPLIES LTD Woodgate, Bartley Wood Business Park Hook, Hampshire RG27 9XA Tel: 01256 386700 5152 e-mail: sales@upspower.co.uk www.upspower.co.uk
SECURITY PRODUCTS AND INTEGRATED SOLUTIONS
TYCO SECURITY PRODUCTS Heathrow Boulevard 3, 282 Bath Road, Sipson, West Drayton. UB7 0DQ / UK Tel: +44 (0)20 8750 5660 www.tycosecurityproducts.com
PERIMETER PROTECTION
ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS
GJD MANUFACTURING LTD Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX Tel: + 44 (0) 1706 363998 Fax: + 44 (0) 1706 363991 Email: info@gjd.co.uk www.gjd.co.uk
SECURITY
INTRUDER ALARMS – DUAL SIGNALLING
WEBWAYONE LTD CASH & VALUABLES IN TRANSIT
CONTRACT SECURITY SERVICES LTD Challenger House, 125 Gunnersbury Lane, London W3 8LH Tel: 020 8752 0160 Fax: 020 8992 9536 E: info@contractsecurity.co.uk E: sales@contractsecurity.co.uk Web: www.contractsecurity.co.uk
11 Kingfisher Court, Hambridge Road, Newbury Berkshire, RG14 5SJ Tel: 01635 231500 Email: sales@webwayone.co.uk www.webwayone.co.uk www.twitter.com/webwayoneltd www.linkedin.com/company/webwayone
LIFE SAFETY EQUIPMENT
C-TEC QUALITY SECURITY AND SUPPORT SERVICES
CONSTANT SECURITY SERVICES Cliff Street, Rotherham, South Yorkshire S64 9HU Tel: 0845 330 4400 Email: contact@constant-services.com www.constant-services.com
Challenge Way, Martland Park, Wigan WN5 OLD United Kingdom Tel: +44 (0) 1942 322744 Fax: +44 (0) 1942 829867 Website: http://www.c-tec.co.uk
PERIMETER SECURITY
TAKEX EUROPE LTD FENCING SPECIALISTS
J B CORRIE & CO LTD Frenchmans Road Petersfield, Hampshire GU32 3AP Tel: 01730 237100 Fax: 01730 264915 email: fencing@jbcorrie.co.uk
Aviary Court, Wade Road, Basingstoke Hampshire RG24 8PE Tel: +44 (0) 1256 475555 Fax: +44 (0) 1256 466268 Email: sales@takex.com Web: www.takex.com
PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB INTRUSION DETECTION AND PERIMETER PROTECTION
OPTEX (EUROPE) LTD Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311 Email: sales@optex-europe.com www.optex-europe.com
INSIGHT SECURITY Units 1 & 2 Cliffe Industrial Estate Lewes, East Sussex BN8 6JL Tel: 01273 475500 Email:info@insight-security.com www.insight-security.com
SECURITY EQUIPMENT INTRUDER AND FIRE PRODUCTS
CQR SECURITY 125 Pasture road, Moreton, Wirral UK CH46 4 TH Tel: 0151 606 1000 Fax: 0151 606 1122 Email: andyw@cqr.co.uk www.cqr.co.uk
PYRONIX LIMITED Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY. Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042 www.facebook.com/Pyronix www.linkedin.com/company/pyronix www.twitter.com/pyronix
SECURITY SYSTEMS INTRUDER ALARMS – DUAL SIGNALLING
BOSCH SECURITY SYSTEMS LTD
CSL DUALCOM LTD
PO Box 750, Uxbridge, Middlesex UB9 5ZJ Tel: 01895 878088 Fax: 01895 878089 E-mail: uk.securitysystems@bosch.com Web: www.boschsecurity.co.uk
Salamander Quay West, Park Lane Harefield , Middlesex UB9 6NZ T: +44 (0)1895 474 474 F: +44 (0)1895 474 440 www.csldual.com
INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS
RISCO GROUP Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton, Manchester, M24 2SS Tel: 0161 655 5500 Fax: 0161 655 5501 Email: sales@riscogroup.co.uk Web: www.riscogroup.com/uk
SECURITY EQUIPMENT
CASTLE Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042 www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity
www.twitter.com/castlesecurity
ONLINE SECURITY SUPERMARKET
SECURITY SYSTEMS
EBUYELECTRICAL.COM
VICON INDUSTRIES LTD.
Lincoln House, Malcolm Street Derby DE23 8LT Tel: 0871 208 1187 www.ebuyelectrical.com
Brunel Way, Fareham Hampshire, PO15 5TX United Kingdom www.vicon.com
Get it right first time • Maximise investment • Subject matter experts • Commitment to quality • Work to agreed budget and timescales • Connecting BC advice with BC technology
WORLD
Conference and Exhibition