Risk assessment or product placement?

Residential Estate Security Handbook 2019 Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)

You get various types of risk assessments, each driven by certain needs from the assessor or the user. The most common one is provided by the company providing a security service to you. Unfortunately, some of these are merely a best guess in terms of what your budget can handle and what the salesperson has to sell rather than what would be the best option for your estate.

Hi-Tech Security Solutions asked a couple of experts in risk assessments for residential estates to delve a little deeper into the concept of a risk assessment to provide estate managers and security managers with some insights into what a ‘real’ risk assessment includes. We approached Brian Sharkey from SMC (Security Management Consultants) and Andre Mundell, an independent security risk assessor from Alwinco.

Brian Sharkey
Brian Sharkey

When looking at the options for risk assessments for estates, Mundell says, “Yes, there are various types of risk assessments, and while the ‘free assessment’ is certainly the most appealing one, when it comes to security, it’s definitely not the best option. A free assessment is merely guesswork and often based on what the salesperson sells or what the installer prefers to install. It is hardly ever based on the risks on and around the property, which is ultimately the reason for crime in the first place.”

Andre Mundell
Andre Mundell

So what is a ‘real’ risk assessment?

Sharkey explains that a risk assessment should be a critical examination of the client’s security system, including manpower, equipment, physical aspects and technology. “The outcome of the assessment should be an honest and impartial overview of the client’s security status, the identification of any risks posed and the systems and technology in place, as well as an honest and impartial overview of the service being delivered.

“The outcome of the assessment should also offer a short, medium and long term plan in addressing any shortcomings or issues identified. These recommendations and plans may include some simple procedural changes, while others may require financial budget planning for the client’s future needs.”

Mundell expands on this, noting that a risk assessment is an in-depth investigation into the current status of your security. “This means that an assessor spends a vast amount of time on your property to identify any physical risks on the property that contributes to the opportunity for crime.

“A risk assessment further entails establishing the intangible elements such as patterns, habits, routines and the like that can create the opportunity for a crime. This type of assessment needs to be conducted prior to the purchasing or installation of any security hardware or software, as it is the link between spending money wisely or throwing it down the drain.”

Mundell compares purchasing before an assessment to going to a pharmacy when sick to receive whatever random medication the pharmacist decides to give you to treat the symptoms. Chances are that you will eventually have to visit the doctor because the medicine you received from the pharmacist just treated the symptoms and not the root cause.

“However, if you visit the doctor first, he will be able to do a thorough examination and will thereafter tell you what your illness is and will give you a prescription that will target the root cause of the illness. A security risk assessment is much the same.

“Going to a salesperson first is the same as going to a pharmacist. It might treat the symptoms in the interim, but you will eventually have to call upon an expert for assistance when the initial ‘cosmetic remedy’ fails.”

And while a risk assessment may cost more, Mundell believes it is worth it. “People wrongly assume that security equipment is what makes the security system successful. I beg to differ. Even the most state-of-the-art secured facilities have been breached. Does that mean that the criminals are too good? Absolutely not. It only means that the security is not managed and maintained.

“Therefore, getting the security hardware from the salesperson does not mean that the security risk is being stopped. And that is where the problem lies. Security hardware that does not eliminate the security risk is like putting make-up on. It might change the appearance, but it certainly does not change the personality.”

It’s about opportunity

Mundell is direct when he says “The lack of safety if security fails is the sole reason for the blood trail in South Africa. Where do you go if your security fails? Do you have a plan in place? Part of a security risk assessment is to establish if the security is managed and balanced to ensure a successful security system.”

He also states that the Risk Matrix often used in security risk assessments “is better off in the trash”. This is, according to Mundell, because risk cannot be measured in terms of ‘probability’ or ‘likelihood’. “A risk is an opportunity and the opportunity makes the thief. Many men and women have committed crimes purely because the opportunity was there.”

An independent assessor?

When considering a security solution, it is often more convenient and cheaper to make use of an assessment from your installer or service provider. As noted above, this can be a challenge as one doesn’t know if the assessor will provide a proper assessment or will devise a solution to suit his/her company’s products or services. On the other hand, many rely on ethical processes from their service providers and trust they would provide a proper assessment, especially since any problems would reflect negatively on said service provider.

“With respect to both the clients and installers, it is always better to get an independent assessment,” states Sharkey. “Some installers may over spec or under spec certain equipment or systems; some may simply offer what they know is available rather than what could be offered as an alternative option. The use of an independent assessment company ensures that the technology or systems proposed are fit for purpose.

“Clients are focused on their particular area of expertise, so does it not make sense to go with an independent expert? Not only to source the solution, but importantly, to ensure that as and when installed, it is compliant and effective.”

Putting it in terms we can all understand, Mundell says: “To get a security risk assessment done by the same company you retain is like asking your mom if you are fat. She will not tell you the truth because she doesn’t want to hurt your feelings. And, while a little white lie about your weight might not have severe repercussions, not knowing the truth about your security certainly has severe and sometimes deadly repercussions.”

Mundell is adamant that a security company cannot perform an impartial security risk assessment, “as their assessment is weighted towards the promotion and sale of their own products and services, as well as the management of their current and/or future contract, in the protection of themselves and their own risk exposure.”

He continues that an independent party assesses the property ‘blind’, which means that he or she does not have a predetermined product in mind while conducting the assessment. The only objective an independent assessor has is to accurately identify the risks and only thereafter conduct research to find the applicable and risk-specific solution.

“Remember, the independent assessor will not be familiar with the property and the buildings or people. In contrast, the retainer company is already familiar with the area, property, buildings and people, which makes it all the easier to miss something. How many times have you driven home and when you think about it, you cannot remember anything you saw next to the road, let alone if you stopped at a red robot? Or how many times do you walk through the kitchen before you notice that something changed? It’s called habit and when you get used to something, you tend to miss the small things.”

In addition to this, he adds that if the assessment is conducted by someone who is part of the group or entity, they tend to be easily influenced. If the management team remarks or discusses in a meeting that the security budget is tight, the internal assessor will do the assessment with ‘budget’ glasses on. He might omit a risk purely because it might not fit into the budget.

Mundell notes that in-house security cannot do a security risk assessment as they often find it difficult to assess their own management and processes. An independent assessor is not intimidated or influenced. A risk is a risk and whether the assessed entity can afford to remedy the risk immediately is not part of the equation when risks are identified, and solutions are recommended.

In addition, he says “a risk manager cannot conduct a security risk assessment. They can only manage the risks that have already been identified. There is a vast difference between risk management and a security risk assessment.

“I have seen where qualified risk managers were unable to accurately conduct a security risk assessment, leaving multiple risks unidentified and thus still providing the opportunity for crime. Many of them have never even witnessed a real crime scene or been involved in any form of operational security deployment or security management.”

Part of their job

Some may feel that the assessment should be part of the installer’s job as the company is being paid in any case, and paying more for a different, independent risk assessment is yet another drag on the budget. In response to this, Sharkey notes that quality control can be an issue, and in some instances, the installers’ interests are looked after rather than the clients.

“An independent consultant should be knowledgeable enough to safeguard the client’s needs in ensuring the systems, product or solution is fully compliant and effective,” Sharkey adds. “Importantly, the independent assessor who has only the client’s best interests at heart should only approve payment by the client once he/she is satisfied and has signed-off the job.”

In the current economic times, Mundell says this can be a valid argument, however, it is important to keep in mind that every baker you find will always tell you that their cakes are the best. Is this necessarily the truth?

“The same principle applies to security risk assessments conducted by someone who sells and installs products. If you go to Toyota to purchase a 4X4, do you honestly think they will refer you to Ford even if a Ford would better match your requirements?”

An independent security risk assessor’s job is to assess a property for risks. The assessor then needs to confer with his team of experts to find the most suitable solutions, states Mundell. “A risk is not going to change to suit the solution; the solution needs to suit the risk.

“If you eliminate the risk, you eliminate the opportunity for crime. Isn’t that what we all want at the end of the day? An independent assessor does not benefit from recommending a specific product or installer. The recommendation is done based on the identified risks.”

When it comes to paying for an independent assessment, you are paying for expert advice on your security. Ultimately, you are paying for the foundation of your security, a foundation that is strong and reliable and that can be built upon far into the future.”

So what goes into an assessment?

It’s all well to talk about independent or other assessments, but for the estate manager or security manager, what should they expect from a risk assessment? Is it a list of risks and vulnerabilities, a set of products they should install, advice on which company to retain to do the installation and guarding? Does the assessor walk around and decide where there are potential vulnerabilities, or is there a broader process for estate security?

Walking around and identifying vulnerabilities is part of the process, but it goes much deeper than that, notes Mundell. A security risk assessment starts in the neighbourhood as this is where outer crime comes from and disappears into. Furthermore, the property line, from both the inside and outside, is thoroughly assessed at different times of the day and night as opportunities vary at different times.

“Each and every part of the entire security aspect is taken into account: access control, gates, building doors and windows, access protocols, management of security, communication, reporting line, security knowledge and awareness, the general attitude towards security, security meetings with the neighbourhood, security meetings with the security staff, employees, residents and the like, control of security, monitoring, habits, guarding, security company standard operating procedures, PSIRA registration, and so much more is looked at in detail and included in the assessment,” explains Mundell.

“It is also the understanding of how the entire estate functions as a whole when it comes to security. Security risk assessments do not have a fixed or direct set of rules. In assessments, like any investigation, you follow the information as it unfolds. The process requires one to adjust and adapt to the information. A well-structured security risk assessment focuses on the opportunity of risks identified, not from the point of view of the estate manager/members or security companies, but from the viewpoint of the opportunities presented to the criminal element.”

“In conducting a detailed assessment for a residential property or estate, we tend to look at the broader picture first, in that we look at crime trends in the area of our client’s location, followed by a critical examination of the infrastructure and systems currently on site,” agrees Sharkey.

“Usually we start with the perimeter defences first (determining its effectiveness), not only in terms of a physical deterrent value, but also in its ability to act as an early warning to a possible intrusion. Technology is playing an increased role here.”

He continues that this is followed by looking at the estate’s access controls. “There are numerous categories of entrants to an estate all requiring different procedures in terms of how they are handled, and technology combined with a security manpower interface is essential to ensure the well-being of residents and owners.”

In addition, he adds that the quality of the service being provided by the estate’s service providers is another area examined in detail, including ensuring that the company carries out the agreed policies and procedures in an effective manner. “We look at the quality of personnel being supplied, the standard of equipment being supplied as well as costs being incurred. It is important for the client to be assured that they are getting what they are paying for.”

Sharkey adds: “While estates are similar in concept, each and every one has different needs and requirements. Developing and understanding these individual needs is critical in delivering a good security assessment.”

Playing the budget game

It can come as no surprise that, having gone through the process of a complete risk assessment, an estate may find (and probably will find) it is unable to implement all the security measures suggested. In a case like this, the client may want to break down the assessment into more manageable chunks that can be implemented in phases. The question the estate needs to consider is what changes or addendums the assessment suggests should be prioritised.

This is far from an uncommon issue according to Sharkey. The estate may not

have expected the number and cost of the changes suggested, and may have to dig into savings or initiate special levies to pay for

the upgrade – definitely not a popular option.

“In cases like this, prioritising the various components of an upgrade is the key in ensuring safety and security,” he continues. “There are, of course, other options available such as a full maintenance lease which offers a quick solution as not only is the equipment installed, but also fully maintained over the rental period. This can apply to perimeter fencing, access control and CCTV equipment and so on.”

He adds that an SMC security assessment will always include a short-, medium- and long-term plan to allow the client to think of the current requirements and the bigger picture. “This plan may contain simple procedural changes, but will most certainly allow the client to plan financially for upgrades required in the future.”

Mundell agrees that the changes can be implemented in phases, but notes the priorities can only be established once the assessment has been finalised as no two properties have the exact same risks. “While we will always remain of the opinion that all risks are equally important and require urgent attention and that no risk is acceptable, we are able to prioritise the risks once the assessment is finalised and presented to the client. Additionally, not every security suggestion will cost the estate money.”

Mundell offers a few priorities that should be addressed in the first phase (these priorities will differ from estate to estate):

1. Estate security needs to be balanced and the best place to start is with the management of the security component.

2. Management must get all the members in the estate talking the same security langue by using the assessment as a guideline.

3. Management must get all members in the estate interested in the estate’s security and keep them interested.

4. Security awareness.

5. Communication.

6. Minuted security meetings.

7. The estate needs to get involved in training.

8. Property line secured.

9. Gate security.

10. Capture all security data.

11. Audit captured data daily.

12. Ensure that the security equipment you purchase is in line with your security risk.

In conclusion

In summing up, Mundell says that one of the problems of doing risk assessments for any organisation starts with reading. He explains: The biggest security challenges the risk assessor faces daily is the fact that people don’t want to read.

“This applies to a security risk assessment proposal. If you don’t physically read the information provided in the documentation, you will not be able to understand the security concept and the reasoning behind certain applications. Another related issue is that when people only read a few words here and there, they start to form their own ideas and make their own assumptions; assumptions are where the biggest problem lies.”

That being said, the best place to start is with an independent security risk assessment. This document is the answer to all the security-related questions you might have. An independent security risk assessment will supply you with all the identified risks, risk-specific and viable solutions, and various product options to choose from. In addition to this, the independent assessor will put you in touch with all the right people to get the ball rolling once the assessment is finished.

Sharkey adds that another challenge is when assessors are tasked with submitting recommendations on installers, because “we as consultants have to procure the best possible solutions in meeting our client’s needs. In many cases we are called upon to project manage our recommendations. We prefer this option as it ensures delivery of the system based on our recommendations.

“There are of course estate’s that, once

having received all the relevant recommendations, feel they can save the expense of the project management fees charged and oversee the upgrade or installation themselves. Sometimes you can lead the horse to water, but you cannot force it to drink!”

For more information, contact:

• Alwinco, +27 62 341 3419, andre@alwinco.co.za, www.alwinco.co.za

• SMC (Security Management Consultants), +27 82 904 3336, info@smc-security.co.za, www.smc-security.co.za


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Continual electric fence monitoring
Issue 2 2021 , Perimeter Security, Alarms & Intruder Detection, Residential Estate (Industry)
In today’s security conscious world, one of the top priorities of residential estate living is ensuring that the electric fence is always operational.

Smart healthcare
Issue 2 2021 , Editor's Choice
In the past year, hospitals, elder care and other healthcare facilities have found themselves overwhelmed with new patients, COVID-19 regulations and other side effects of the pandemic. As efforts focused ...

Platform-based access management solution
Issue 2 2021, ASSA ABLOY South Africa , Editor's Choice
Available in South Africa and throughout sub-Saharan Africa, new Incedo Business connects all your security software and hardware within one platform. You can easily scale it up or down, based on your needs, to keep your people moving and your business growing.

FS Systems celebrates 50 years
Issue 2 2021 , Editor's Choice
This year, FS Systems celebrates 50 years in the fire detection and enterprise security market, successfully executing projects in over nine countries in Africa and LATAM.

Formative AI and distributed cloud among four megatrends revealed at MIPS 2021
Issue 2 2021, Milestone Systems , Editor's Choice
Almost 4000 participants representing end customers, technology partners and media from across the globe attended the first virtual MIPS conference, held over two days in March 2021.

Kiss passwords G00dby3
Issue 2 2021 , Editor's Choice
Cisco Secure has unveiled infrastructure agnostic, passwordless authentication by Duo which enables enterprise users to skip the password and securely log into cloud applications via security keys or biometrics built into modern laptops and smartphones.

200 000 daily access transactions
Issue 2 2021, Impro Technologies , Editor's Choice
The University of KwaZulu-Natal’s legacy access control system was suffering from increasingly limited support, both in terms of hardware and software, with maintenance becoming a pressing concern as it on-boards approximately 9000 new students each year across five campuses.