The Private Security Industry Vs Client – Systemic Failures in the Acceptance of Risk.

The Private Security Industry Vs Client – Systemic Failures in the Acceptance of Risk.

A ‘Systemic Failure’ is defined as:

A failure that happens in a deterministic (non-random) predictable fashion from a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.

 

The commercial delivery of ‘security services’ per se, throughout the world, are just that, commercial. The influence of market forces, profit margins and general business sense can rightly be viewed as detriment to the focus of any security requirement; the ‘interference’ of bias motive on the side of the supplier and the cost concern of the consumer on the other. As within the realms of the budget of a large blue-chip and the CSO wishing to increase the level of security provision, both often work in conflict and remains a hard sell.

Failure is the lack of success in doing or achieving something that is preventable, innovative or intelligent and/ or unavoidable/complexity-related. Where an incident occurs  whilst in the presence of security services provision, it is usually related with the latter where in the wash up, all that is recommended are additional security resources for future provision based on that historical event and that the event itself is often excused due to 'act of God' or 'no crystal ball' methodology'. Rarely will any prior incident advisory or guidance provision concerning systems/ equipment, manpower and/ or procedure be dissected and if it were, never to the extent where oversight policy or budget are introduced for serious consideration purposes.

The security advisor, whether for a large organisation, a government department or for a UHNW as a Close Protection Team Leader often experience a difficult sell. He is entrusted with the provision of advice and guidance to accurately reflect the mitigation, control and at times, the acceptance of risk. However, where many people have held that post will agree when assessing risk, there are intrinsic aspects to the compilation of such assessment where potential incidence cannot be ruled out, the results of which could be serious and life-threatening and recommendations are made to cater for such possible eventualities as a means to ensure a comprehensive approach but to also, layman's terms, simply cover the back of the author.

Threat and risk assessments, (TRAs), identifies those threats present and makes recommendations where to avoid, reduce and ‘accept’ risk, as well as how to diminish the impact of threatening events. In an existing security operation, the TRA further assesses and identifies security measures that are inappropriate or non-existent. Recommendations are then made to add or modify where applicable but also to determine the implementation priorities. As in close protection, it is impossible to determine the correct type and amount of protection unless the type and amount of threat has been established. Once the potential for harm has been evaluated, a determination must be made as to what resources and actions are necessary to control those risks. Where possible, the avoidance of risk is preferred. The purpose of a threat and risk assessment therefore is to determine what threats exist, what risks to those threats exist and to separate serious from non-serious. In this manner we can develop plans that will avoid some of the risks, and we can determine how much of our resources to deploy against the threats that cannot be eliminated. We do not over-react or under-react. Over-reaction and under-reaction are almost invariably the result of knee-jerk responses. They come from a lack of planning, a failure to anticipate and prepare for an event. The inability to predict the future contributes to risk. However, even though the threat and the risk of exposure to that threat are assessed, potential remains for incidents to arise, not due to the lack of forethought in planning or an incorrect assessment of the threats and risks exposed but because the probability remains, no matter how slight or diminutive. In these instances, and in most cases, operational procedures are, (should be), drawn up, procedures that involve a selection of actions that are decided upon with consideration to influencing factors at the time. These events are often described as Crises or Emergencies. All persons/ companies/ agencies or governments involved in these emergency responses are instructed or informed of the course and method of action which they should take and which they (should) subsequently train until the best possible state of preparedness is achieved. ‘Emergency’ has been defined as ‘a sudden unforeseen crisis (usually involving danger) that requires immediate action - an emergency is a situation that poses an immediate threat to human life or serious damage to property’. It has also been defined, as ‘a sudden, unforeseen happening that requires action to correct or to protect lives and/or property’. As one can clearly see, both definitions define an emergency as an unforeseen event; however, as far as the context of many security operations are concerned, specifically Close Protection, I would argue the contrary in most cases. The term unforeseen is not the correct description in this instance. Unforeseen is unanticipated, unexpected and unpredicted.

The security manager has a requirement, a duty, to prepare for eventualities that may occur in his area of responsibility, no matter how slight the possibility. He must assess the risks and outline any concerns to company managers and directors. Guidelines for immediate responses to such emergencies must be prepared and rehearsed. Within close protection, this is standard practice. Constant ‘What If’ scenarios are considered and a proactive response is initiated to counter such possibilities scrutinising every detail. A bomb threat/ suspicious package, fire and medical emergencies are all ‘standard’ events within large corporations or companies in cities, which can be anticipated and prepared for. A security and risk manager does not necessarily need to implement group decision-making during such crisis or emergency due to the fact that the situations have already been discussed and subsequent actions agreed upon to facilitate an immediate response. Of course, the security manager must inform those relevant persons after the event and only during the crisis where time permits or is necessary, or indeed, instructed in the guidelines for actions on. However, events that have occurred which have not been discussed, anticipated or planned/ prepared for that lead to a crisis or emergency, such as the involvement of blackmail in the theft of intellectual property during an important takeover bid would necessitate a course of dialogue amongst the Board of Directors/ company bosses and security managers, and due to the nature, a certain amount of time would be allowed for this to occur. We can therefore see that the major difference between such instances and ‘ordinary’ situations is the ability of the security manager to deal with the latter without the need to facilitate group discussion amongst other managers or directors. By virtue of the security managers’ responsibility, remit and capability, he can conduct effective decision-making without the need to immediately involve others. The situation does not involve threat to life or serious damage to property and therefore consequences materialising are at the minimum. However, that said, it would be highly likely in such instances, that the security manager would not only feel he had a duty of care to inform his superiors of incidents untoward but also out of common courtesy. Although he would have initiated an immediate response to such incidents, the passing of information to superiors would begin a dialogue promoting group discussion and confirmation of actions carried out and/ or further actions to be conducted. Assessment, planning, preparation and the training in immediate reaction are vitally important in any security operation. None more so than that of a Close Protection Team. For the most part, the CPT is concerned with the protection of life and well-being of the principal. Operational procedures for such events as ‘anti-ambush - reaction to attack’ are drawn up and then trained until the procedure becomes a drill. A drill whereby the reaction is instinctive, a reaction that becomes a habit that is solid and yet fluid in the foundation of having been constantly practised. Worst-case scenarios, or indeed, scenarios involving every potential eventuality are discussed and then planned and prepared for. Walking drills, vehicle immobilisation drills, vehicle anti-ambush - block front – gunmen right, block front – gunmen rear, block front – block rear – gunmen left, positioning of vehicles, deployment of assets, illegal check points, embus – debus drills, or a gun attack when your Principal is delivering a speech at the podium; the list is almost endless.

The basis of all security provision is Threat Assessment. It is of course impossible to determine the correct type and amount of protection unless each has been established, and yet time and again, we see disproportionate levels of security present in many commercial areas, with either too much or too little being common occurrences. Attempting to protect individuals at risk from everything all of the time is neither efficient nor effective, - (It is also not possible), and the people that need it, do not necessarily require the same level of protection all of the time. The development of an effective personal protection program demands that a determination be made of the level and type of threat that exists for an individual at a particular time, in a particular set of circumstances. The best is one that affords the appropriate level of protection with the minimum intrusion on the normal life-style of the person being protected. The key to establishing this level of protection is to perform a Threat Assessment. Once the potential for harm has been evaluated, a determination must be made as to what resources and actions are necessary to control those risks. Where possible, the avoidance of risk is preferred. The purpose of a threat assessment therefore is to determine what risks exist and to separate serious from non-serious. In this manner we can develop plans that will avoid some of the risks, and we can determine how much of our resources to deploy against the threats that cannot be mitigated.

‘Threats’, ‘Threat Assessment’, (TA), and ‘Threat & Risk Assessment’, (TRA), have all often remained subject matters which many claim to understand but in reality, and concerning a Close Protection environment specifically, remain confused. The term Threat & Risk Assessment is often used by many security companies within the context of Close Protection as a service they provide. Yet, many fail to understand exactly what it means and what is involved in the provision of it. They state in their glossy blurb, “Threat Assessments are tailored to an individual client’s needs”. This of course, is incorrect and couldn’t be further from the truth. Threat assessments are not ‘tailored’ but are processes for determining what threats are present, what threats are not and to determine methodologies for mitigation and reduction of them where the risk to threat is present or greatest. The TRA is pivotal to the decision-making practices in the deployment of assets in controlling risk to threats and is fundamentally integral to the initial process in the provision of protective services.

The compilation of a TRA is for the purposes to act as a determination of:

• The threats posed

• The risks to those threats

• Organising those risks into order of priority

• Mitigation/ control and/ or acceptance of those risks

• The vulnerability in consideration to imposed safeguards

Acceptance of Risk & Risk Management

‘Risk exists where the future is unknown’

‘Security measures must be commensurate with the threat’

Risk and the management of it remains the central factor concerning the aims of Close Protection. As defined, it is the level of exposure to threats that ultimately provides the control and the manner for mitigating risk to threats. The two statements above are commonly used in the management of risk. Although they remain correct for the most part, within a CP context they do not accurately appreciate an understanding of the concept of CP operations. Risk does exist where the future is unknown but it also exists where the future IS known. Risk exists as a constant presence as do those assessed threats. It is the level of risk that changes in accordance with the counter measures employed. The assessment of risk in the context of CP cannot accurately be determined by any mathematical equation. It provides as a guideline, a focus to concentrate efforts on those areas where risk is present or, if budgets do not allow, where risk is greatest. However, as the determination of threat and risk is not an exact science, employing safe guards that are merely ‘commensurate’ with the threat is not necessarily the advisable course of action.

Part of the role and one of the expectations of a CPTL or IBG is to act in the capacity as a consultant, an advisor – very much similar to the corporate security manager. Dynamic threat assessment and risk mitigation is a continuing process throughout the operation but if the measures implemented are unbalanced or deemed not adequate to meet the risk to threats at the start then the assigned TL/ BG must act. Commercial operations are compounded by many influencing aspects not otherwise experienced at all in those government led. To jeopardise the safety and security of both the principal and members of the CPT on operations that do not effectively mitigate threats or the risks to the threats is an action that is irresponsible, rash and risky but one that also fails in values and expectations by the principal. The actual performance criteria, knowledge and understanding recommended by the National Occupational Standards are fit for purpose, albeit illustrating a legal, ethical and moralistic standpoint for a UK environment6 . However, although it clearly shows the subject matter headings that should be taught, as with all subject matter within the SIA CP Course, it doesn’t show the actual content that should be taught; that is left to the training provider. As a result, and due to the complex nature of the subject, many training providers do not teach to a competent level it should be.

The Threat & Risk Assessment must show:

The TRA must be clear, current and correct. Above all, it must ask the question –

Why is the Principal a Target?

The TRA must identify the enemy and assess if they are:

  • Capable
  • Active in area
  • Capable of activity in area


It must study:

  • The enemy
  • The histories
  • The descriptions
  • The favoured Modus Operandi
  • The recent attacks
  • The present capabilities
  • The possible future capabilities


As a result, it should now be possible to deduce the most likely forms of attack. The TL/ IBG must:

Study the Program

Assess vulnerable locations & timings

Traffic conditions

Enemy weapons

Weakness in building

Weakness in perimeter

Vehicle security Interpretation of all available intelligence

• Vulnerable elements of operation

• Allocation of protection resources


An accurate Threat and Risk Assessment is vital. It must be updated regularly and new information must be used as soon as it becomes available. Conversely, the lack of confirmed intelligence is no excuse for the non-production of a TA.

‘Hostile operations do not stand still because the intelligence services are unable to keep pace. In absence of good information, the Security Manager/ CPTL/ IBG must use his experience, tactical awareness, knowledge of the terrorist operations and common sense to produce the ‘best guess’ he can. It is better to fail through an error of judgement than through an omission of responsibility’


Hence, in the commercial world, the level of ‘security’ is not only dictated by money and party politics but also by ethically improper profit-making strategies or uneducated thought processes by contract service providers. Contract wording to benefit the party line and profit-making strategies that subsequently restrict/ limit more accurately assessed and professional deployment. This is not amateur night and I have been hugely surprised (or not so but more disappointed) how both commercial and government interaction specifically choose to roll the dice as opposed to accurately mitigating and controlling risk whilst paying properly to do so.

"It is simply an example of systemic failure in the acceptance of risk. Dangerous for the client, dangerous for the supplier but most importantly, dangerous for those security operatives delivering that service."

Dean H.

Director of Security

5mo

A good in-depth article that re-iterates the importance and rightly places the onus on service providers and security managers to effectively understand the risks, ensure the team and its procedures are drilled and re-hearsed, based on those identified threats, within the confines and limitations of budget, client appetite and client understanding of those risks. Private sector protection is a choice, and ultimately the business or individual will decide what and in many cases how their security provision is provided, regardless of the expert advice.

Andy Taylor FRGS, MCoROM, MSyl

Close Protection | Medic | Risk Management | Security

5mo

Many won’t realise they’ve failed because they don’t know what they don’t know ..

Mick Coup

Threat Management Solutions - Consulting - Training - Operations

5mo

Nice piece Richard...most never fail...because they are never tested, nor will be...

Alex Mac

A global presence tailored to high-end personal security

5mo

As usual on the ball mate. .. this is gonna go over a few heads .... But again spot on ..

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics