Universities are a hub for growth and development, often leading the way in social, science and technological transformations alike. Growing alongside these advancements, are the external risks that threaten not only the safety of the institution’s research and data, but also the safety of those who call the campus home.
That is why forward-thinking universities today are reassessing how they manage risk and compliance to protect their data, assets, and most importantly, people. Most are finding that an integrated security system is the answer.
Understanding best practice risk management
Universities are like mini-cities, and they face a number of unique risks. Top of the list is the physical safety of people and property, protection of personal information and intellectual property, compliance with a wide range of standards and regulations, securing funding from a variety of income streams, and the strategic, political and reputational risks that can be harder to quantify.
In other words, it is a lot.
Best practice risk management models typically include a few common steps:
1. Identify risks.
2. Analyse or understand the risk.
3. Evaluate or rank the risk.
4. Treat the risk.
5. Monitor, track, and review risks over time.
Invariably, this process results in a comprehensive risk management strategy that includes a risk register, policies, and other treatment methods intended to mitigate threats, including a review cycle, intended to ensure the strategy remains relevant and effective.
At worst, these strategies become a tick-box exercise that is approved and then shelved. The risk register gathers virtual dust until it is looked at when the review cycle rolls around again.
At best, the risk management strategy is clearly linked to ensuring the achievement of well-defined business objectives. The organisation understands its appetite for risk, and risks that might hinder the achievement of business goals are managed appropriately by mitigation measures that are seamlessly embedded in everyday business practices. Organisations have assurance they will achieve their business objectives, and that their risk mitigation measures have the agility to evolve in an ever-changing threat landscape.
That all paints a pretty picture and it is a desirable goal for universities, or any business for that matter. Education institutions in Africa know this already, and many are well down the track of developing mature risk management processes.
The challenges lie in translating a comprehensive risk management plan into action and embedding risk mitigation measures into everyday practice across your campuses.
The role of integrated security
Security is often misunderstood as just being about keeping people in or out, but in reality, it can play a central role in risk management. Security hardware, software, policies, and day-to-day management all directly protect against many physical risks. That protection also indirectly mitigates the less tangible impacts of political, reputational and financial risk.
Many layers of security feed into risk management: access control, perimeter security, site maps, alarms, and compliance modules are some of the biggest moving parts. When managed by powerful software, the ability to integrate multiple systems allows for robust policy execution that protects data, assets, and people.
Integration between security, human resources, and other platforms encourages better data management practices and creates many possibilities – including the often-missed ‘positive risk’ opportunity – such as:
• Providing an open, yet secure, environment with guarded facility access and comprehensive visitor management.
• Implementing, enforcing, and reporting on policies and processes at every point.
• Automating access decisions by using your system to check people are fit for entry based on induction status, qualifications, competencies, and compliance rules.
• Monitoring and managing time on campus, residential dormitories, and restricted areas like research labs for all students, staff, visitors and contractors.
• Improving emergency management processes and response times with rapid evacuation and lockdown capabilities, including broadcast notifications based on real-time cardholder location data.
• Optimising facility and resource use by using one central system for cardholder and resource management.
Despite this wide range of controls and protections, sophisticated security systems are not a silver bullet. It is better to think of them as an essential piece of the risk puzzle or ecosystem.
Integrated security solutions come into their own once you are clear on the risks that need to be minimised, supporting you to engineer those risks out of existence. The right security system will help you enforce business policy, systemise it, and protect it from human error.
Historically, there has often been a trade-off between security and convenience, with highly secure sites being annoying to get around or unfriendly to visitors. With modern security systems, that is no longer the case. Using one card or a mobile app for everything from building access to printing supports a frictionless experience for students and staff, while simultaneously helping you manage risks and compliance as a normal part of everyday business practice.
Risk mitigation through integrated security
Risks to your university can be mitigated through integrations between security, human resources, and other platforms. With the right security system, you can enforce university policies and remove human error from the process.
Why does all this matter so much? Maybe you already have policies in place to mitigate everything on your risk register. That is enough, is it not? Unfortunately, not.
Administrative controls are worth nothing if you do not know, without a doubt, whether everyone is complying with them, every single day. Integrated security systems ensure compliance by alerting you to a policy breach and by giving you options for how to respond.
Take for example a university medical research laboratory working on a cutting-edge treatment for breast cancer. It is critical to ensure only qualified people enter the lab, that a senior team member is there first, that there are no more than four people in the room at a time, that they don’t exceed daily or monthly exposure times, and that everything is locked and alarmed when the last person leaves.
With a fully configured system in place, the following scenario could play out: A post-graduate researcher arrives early and uses the mobile app on their phone to try to unlock the door. The app checks in with the central management system to review the researcher’s induction status, and whether relevant training and safety procedure requirements have been met. The answer is yes, but it also notes that a research team leader (or designated ‘first person’) needs to have entered the room first.
The researcher receives a message asking them to wait, and the door remains locked. When the team leader arrives, they enter the room, which automatically turns on lights and air conditioning.
Later in the day, the team is hard at work. An assistant lecturer decides to pop in and see how things are going. When they badge their card at the door, the system recognises the room is at maximum occupancy and notifies them of this. They decide to go in anyway, triggering an automated notification to the lab manager who can decide what to do next.
Now, it is getting dark and just a few of the team are left. They want to finish up before heading home, although they have exceeded the six-hour maximum daily exposure time for this room. The system detects that they have not exited the room and sends an automated notification to the security room operator, who might then call the laboratory manager to check what is going on. They might decide it is okay because the team is very nearly done (acceptable risk).
Alternatively, they might know this is a serious situation (unacceptable risk) and personally ask everyone to leave, generates an alarm or escalate it to a security guard. Once everyone has gone for the day, the lights and air conditioning will turn off automatically and the lab manager (or any person with the correct privileges) can use their phone to double-check the room is secure and alarmed, from the comfort of their living room. That is peace of mind.
Afterwards, the lab manager can generate reports detailing who was in the room, entrance and exit times, exposure times, alerts or alarms received, actions taken, and when the room was locked and alarmed. The various compliance committees within the university can easily undertake further reviews of room activity at any time for assurance purposes.
Risks beyond the laboratory
The policy breaches in situations like the above example are high stake situations. Intellectual property theft, accidental release or exposure to dangerous or genetic material, or breach of research integrity can result in damage to the university’s reputation, lost research funding, or a potentially catastrophic biosecurity outbreak that could impact public health or an entire industry. It is worth taking seriously.
Laboratories are not the only high-risk locations on campus. With a wealth of innovation, traffic, and collaboration at the heart of operations, universities are vulnerable to an assortment of unique risk factors.
For example, universities balance heritage with growth, requiring a security solution that protects buildings constructed across different eras to the same contemporary standards. Those buildings welcome thousands of students, faculty, staff, and visitors each year, each with different physical and digital needs, not to mention vulnerabilities. Universities in the Ring of Fire are at risk of earthquakes and tsunamis, those in major cities face the threat of terrorism, and universities everywhere are susceptible to fires, theft, pandemics, and various forms of violence.
Universities are also home to unique resources that carry equally distinctive risks. Take, for instance, the University of Exeter, which is home to an engineering workshop housing state-of-the-art machinery for participation in Formula Student, enabling students to design and build racecars for competition. For all the benefits the machinery carry, they also pose health and safety threats to those without proper training. An integrated security system keeps both students and equipment safe from improper use.
Unexpected benefits of an integrated security system
Beyond all-encompassing protections for people, data, and property, integrated security systems help universities achieve green initiatives, reduce overheads, and enhance the overall student experience.
Lights and air conditioning turn on and off automatically based on room occupancy to reduce both energy usage and utility costs. Mobile solutions enable security guards to monitor and control access to spaces remotely, on the move, and in the moment. Digital booking systems keep track of room and resource usage. By providing a visible security presence on campus, students feel safer in their home away from home.
Managing risk and compliance is not only easier with an integrated system but contributes to the holistic health of the university as well, ensuring long-term protection for the community.
How well does your campus understand risk?
As a first step in improving risk management and compliance, ask if your policies are enforced, and what happens if they are breached.
With an understanding of what is involved in best practice risk management, and the many layers of security that feed into it, it becomes clear that it is easier to mitigate risk with an integrated security approach.
|+27 11 971 4200
|+27 11 974 2853
|More information and articles about Gallagher
© Technews Publishing (Pty) Ltd. | All Rights Reserved.