An Integrated Approach to Managing Security Operations

Ikram Sehgal, Chairman, Pathfinder Group, Karachi, Pakistan

Brigadier General Muhammad Musaddiq Abbasi, Chief Operations Officer,Research and Collection Services (Pvt.) Ltd [RCS], Islamabad, Pakistan

Jerry W. Torres, President & CEO, Torres Advanced Enterprise Solutions, LLC, Falls Church, VA

ASIS International 62nd Annual Seminar & Exhibits, Orlando, Florida, USA Tuesday, September 13, 2016, 11:00 am – 12 Noon

SMS and Torres Security Services in Pakistan

• Security & Management Services (SMS) –Pathfinder Group Pakistan has had the contract to protect the American embassy and consulates throughout Pakistan for 28 years.

• Joint venture with Torres AES in Pakistan for 5 years.

• SMS also provides protection for the UN mission and other international and national clients.

• Therefore, SMS and Torres are implementing the ISO18788 standard and ANSI/ASIS/PSC.1 standard for security operations, now a requirement for contracting.

2

Electronic Security

Recruitment & Training

Facility Management

Background Screening

IT Solutions

UAVs for

Surveillance and

Mapping

Centralized

Ops & Cmd

Centres

Quality

Control &

Assurance

Sabre &

Hunter Teams

Nerve

Centre

• Procurement Dept.

• Supply Chain Dept.

• Internal Financial Audit

• Finance Division

• HR Dept.

• Management Committees

• Operational Committees

• Town Hall Meetings

Admin Support

Integration System

Integrated

Security

Operations

SMS

Response

Force

SOMS

Org

3

Cash Transit

Services

Business Improvement and Professionalism

• SMS’s and Torres’s decision to implement the ISO18788 standard and ANSI/ASIS/PSC.1 standards was not simply to achieve certification for contracting. The real driver was:• A differentiator - exceeding the internationally recognized benchmark for

conducting security operations with respect for human rights.

• Demonstrate our commitment to human rights in addition to membership in the International Code of Conduct Association (ICoCA).

• Use a business and risk management tool to identify opportunities for improvement in the provision of our services and the management of our businesses.

• Bottom line – a better run business is a more profitable business.

4

Getting Started – Expandable Pilot Project Approach

• Do not eat the entire elephant in one bite – use a pilot project approach.

5

Getting Started – Expandable Pilot Project Approach

• Do not eat the entire elephant in one bite – use a pilot project approach.

6

Getting Started – Expandable Pilot Project Approach

• Do not eat the entire elephant in one bite – use a pilot project approach.

7

Why an Integrated Approach Using ASIS Standards?

• The value of implementing a standard is improved businessperformance, certification is the gravy.

• Pursuing simultaneous certification to ISO18788 and ANSI/ASIS/PSC.1 standards for managing security operations and ISO9001 for quality management.

• Best kept secrets about the ASIS PSC series of standards:• ISO18788 and ANSI/ASIS/PSC.1 are not “security operations” standards – they are the first

comprehensive enterprise risk management standards• ISO18788 and ANSI/ASIS/PSC.1 cover all the requirements of the newly released

ISO9001:2015 Quality Management System Standard• The ANSI/ASIS/PSC.3 maturity model standard gives a benchmarking approach for developing

an implementation plan• All human rights obligations contained in the ICoC, Montreux Document and UN Guiding

Principles are covered by the ISO18788 and ANSI/ASIS/PSC.1

• The ANSI/ASIS/PSC.1 is written in a much more user-friendly fashion and easier to use for implementation.

8

An Integrated Approach Using the ASIS Family of Standards

• The ASIS family of management standards gives a comprehensive tool for building a better business – seamlessly plugging into the ISO18788 and ANSI/ASIS/PSC.1 standards.• The ANSI/ASIS/RIMS.RA.1 risk assessment standard gives a comprehensive

approach to assessing strategic, tactical and operational risk including human rights risks and supply chain risk

• The ANSI/ASIS.SPC.2 auditing standard give a detailed approach to developing an internal auditing capacity to identify opportunities for improvement

• The ANSI/ASIS.SCRM.1 supply chain standard gives guidance in assessing and minimizing supply chain risk

• Used together, all the pieces of the puzzle come into place.

9

What We Learned – Cultural Shift

• Do not focus on certification – focus on business improvement and changing the culture of the organization.

• Cultural change is not driven by external consultants but driven by management commitment and dedication to meeting objectives.

• Cultural change is an top down – bottom up approach:• Create a “family attitude” in the organization so everyone feels part of the family.• Everyone who is a risk maker and a risk taker is a risk manager.• Empower people to contribute – openness has it’s benefits, your employees are the best early

warning system for potential problems.• Proactive risk management helps prevent potential undesirable events while identifying possible

opportunities for improvement.• Reaping the benefits of implementation comes from everyone in the organization understanding

the benefits of their contribution.

• When employees feel valued, their loyalty to the company increases and turnover decreases.• Pathfinder SMS has over 6000 guards with a turnover rate of approximately 2%

10

What We Learned – Getting Started

• Learning how to conduct an internal audit is an essential tool for getting started.

• Simultaneously learn how to interpret the clauses of the ISO18788 and ANSI/ASIS/PSC.1 standards and how to evaluate where you are at:• Serves as a training and awareness exercise• Emphasizes and demonstrates management commitment to

implementing the management system• Identifies resources and area to focus on when conducting the

implementation process• Builds internal capacity to both implement and evaluate the

progress of the implementation process

11

What We Learned – Building Capacity

• Select and train a team of people within your organization to serve as an internal auditing team.

• Pick people from different divisions within your organization so they do not have to audit their own work.

• The audit team members are a force multiplier who can spread awareness about implementation of the management system and meeting organizational objective throughout your organization.

• Provides you with a capacity to conduct second-party audits of your supply chain partners to minimize your risk.

• Creates a new marketable business service.• Ability to mentor other security companies in Pakistan to improve the

professionalism of the entire.

12

What We Learned – Human CapacityMaturity Model

• Break down the implementation of the standard into doable bits that can be built on.

• Promotes a mentality of success breeds success:• Achieving interim goals builds a sense of accomplishment and

excitement about the implementation process• Start with the low-hanging fruit that demonstrates a known problem

has been solved• Start with simpler concepts in the standard to introduce people to the

concepts of a management system• Emphasize teamwork and everyone’s input is welcome and no question

is too small or silly• People learn from simpler examples before tackling more difficult

issues

• Maximizes the use of time and resources.

13

The Risk Assessment and Management Approach

• Use ANSI/ASIS/RIMS RA.1-2015 Risk Assessment standard with the ISO31000 Risk Management standard.

Source: ISO18788http://www.acq.osd.mil/log/ps/psc.html

14

What We Learned – Context

• Pakistan is not the United States – local culture, customs, economics, social dynamics, and the political and legal environment will have profound impact on your security operations and must be understood.

• Before beginning a risk assessment, you must understand the risk environment and factors that will impact your objectives.

• Who are your stakeholders: • Stakeholders are not just your people and your clients, don’t forget the different

communities you operate in.• How will the internal and external stakeholders impact your security operations?• How will your security operations impact the internal and external stakeholders?

• YOUR REPUTATION AND BRAND IS YOUR MOST PRIZED ASSET!

15

What We Learned – Risk Appetite

• “Your” risk appetite is a myth.

• To determine a risk appetite you must consider:• Your company’s risk attitude• Your client’s risk attitude• NGO’s perceptions of risk and activism in your area of operation• Impacted communities’ perceptions of risk and activism in your area of operation

• Perceived risk can outweigh actual risk and cannot be dismissed as “they don’t understand”.

• Establish a risk committee with top management and representatives of the various functions in the organization to consider strategic, tactical, reputational and operational risk.

16

What We Learned – Human Rights

• Respecting human rights is not just the ethical thing to do – it is the business sensible thing to do.

• A human rights risk and impact analysis considers:• Respecting people and their dignity in the workplace

• Providing adequate remuneration and benefits to employees

• The perceptions of external stakeholders

• Potential impact of the company’s activities on internal and external stakeholders

• Information flow to support proactive risk management in security operations

• PROTECTS REPUTATION OF THE ORGANIZATION AND ITS CLIENTS

• Respecting human rights pays for itself and builds positive morale.

17

What We Learned – Risk Thinking

• Ongoing monitoring of risk profile with daily updates of risk profile.

• In all operational procedures:• What are the risks that need to be considered?

• Who are the internal and external stakeholders that may be impacted?

• Evaluate if the operational procedure decreases the uncertainty in achieving its objectives?

• Are their opportunities for improvements?

• Review the risks considered in the operating procedures when conducting performance evaluation.

• YOU ARE USING YOUR PROPCEDURES AS A RISK MANAGEMENT MECHANISM.

18

What We Learned – Supply Chain Risk

• The risk in your supply chain is your risk and you are responsible. • A supply chain partner can impact your reputation and that of your clients

• Incorporate analysis of continuity of operations and human rights when conducting your due diligence for selection preferred suppliers and contractors.

• Provide your suppliers and contractors with your Statement of Conformance to respect human rights and your Code of Ethics –have them agree to abide by the provisions in these documents.

• Provide your suppliers and contractors with a simple questionnaire to assess their risks for continuity of operations and human rights.

• Supplier and contractor performance review should consider if they have lived up to their commitments.

19

What We Learned – Command Structure

• A clearly defined command and communication structure is essential.

• Define where strategic, tactical and operation risk and planning decisions will be made.

• Develop mechanisms for the flow of information in both directions.

• Check and balances, including auditing of processes minimizes risk and enhances solving problems before they escalate.

20

What We Learned – ImplementationAwareness and Training

• The key to success is a well-trained workforce - in any service industry, the risk mitigation technique with the greatest return on investment is training.

• An investment in training pays back in professionalism and a positive relationship with the client.

• The guards need to understand their role in achieving the organization’s objectives:• Guards who understand their risk environment know what to look for and understand the

importance of “see something, say something”• Guards who understand you prioritize their safety will share their concerns• Guards understand that their appearance and behavior impacts the way clients and the

people they impact with perceive them• They feel valued and appreciated

• Guards know they are a desired as being recognized as having a value skill set.

21

What We Learned – ImplementationUse of Force Policy

• Having a use of force policy and procedures for the use of force prevents problems.• Minimizes accidents and violations of human rights • Provide training on Use of Force Policy articulating that use of force should be reasonably

necessary, proportional and lawful• De-escalation of the threat is the primary objective• Outline parameters for an escalation and de-escalation of force relative to changes in threat

levels• Force should be reasonable in intensity, duration and magnitude based on totality of

circumstances to counter the threat• Explain organizational procedures for control, storage and issuing of weapons, including

procedures for holding people accountable for the weapons and ammunition issued to them• Training should include classroom, mechanical, live fire and scenario based training based

on situations similar to those faced by the guards

22

What We Learned – ImplementationFacilitate Communication

• Communications are a two-way street:• Communicate to your employees the importance of the management system and

their role in it.• Lead by example – top management needs to follow its own procedures and

demonstrate commitment to the management system and employees• Recognize people who contribute to identifying and managing risk

• Establish “town hall” meetings and recognition and reward programs

• Encourage internal and external stakeholders to communicate both the good and the bad – you learn from mistakes and weaknesses

• Establish mechanisms for grievances and whistleblowers show you will address them• Make sure everyone (internal and external stakeholders) clearly understands the

security operations policy, Statement of Conformance with human rights codes, the Code of Conduct, and Code of Ethics

• Active shooter – security awareness training for clients

23

What We Learned – ImplementationImproved Business Management

• Doing the right thing pays:• Client satisfaction• Reputation enhancement• Loyal workforce• Lower turnover – lower recruitment and training costs• Business development based on reputation, no need for advertising

• Biggest benefit – improved management of our business using an enterprise risk management approach:• The ISO18788 and ANSI/ASIS/PSC.1 standards walked us through an analysis

of all aspects of our business allowing us to find enhancements in our system of management and making us a better run more efficient company

24

What We Learned – Implementationof a Management System

• Shoot for Stage TWO!• Stage One – Documentation review and definition of system of management• Stage Two – Auditing the effectiveness of the management system

• Define what your target is using the maturity model.

• A management system standard is a living, organic system of management in your organization – the human element is key!• Management commitment is essential• Start by building excitement and having everyone understand they are an integral

part• Don’t just write procedures, live them• Show people that their contribution is improving their ability to do their job and

manage the risks they touch

25

What We Learned – Building a National Capacity

• “A rising tide lifts all boats” philosophy.

• Serving as a role model to become the first company certified to the ISO18788 standard and ANSI/ASIS/PSC.1 standards in South Asia.

• Working with PSQCA, Accreditation Council of Pakistan, and Ministry of Commerce to implement ANSI/ASIS.PSC.3 maturity model standard as “recognition program” for all Pakistani security companies:• Important to set achievable goals to break inertia• Certification should not be a competitive barrier• Improvement of the industry benefits all companies• Having competitors makes you a stronger company• Improves honor and reputation of the country while enhancing capabilities in a high

risk environment

26

Resources – US Department of Defenseand ASIS International

• The Unites States Department of Defense Office of the Assistant Secretary of Defense for Logistics & Materiel Readiness provides a wealth of information for private security companies:• Free access to the relevant laws, regulations, international agreements,

contracting information, and the PSC standards.

• Visit: http://www.acq.osd.mil/log/ps/psc.html

• ASIS members can download all the ASIS standards for free at:• https://www.asisonline.org/Standards-Guidelines/Guidelines/Published/Pages/default.aspx

27

Pathfinder Group, Karachi, Pakistan: http://www.pathfinder9.com/Torres Advance Enterprise Solutions: http://www.torresco.com/

28