Compliance versus Conformance in the Security Design Process Compliance is a fundamental process in any enterprise, yet all-too-often its true importance and the opportunities it offers are missed. As Darren Ward observes in detail, compliance should not simply be a case of ensuring that the ‘rules’ are followed. It must also be about establishing a culture of conformance that both recognises and shares Best Practice 44 www.risk-uk.com There’s a general misconception around what compliance really is and, often, what compliance may be used for within a given business. On many occasions, we will be privy to phrases such as: “Our intention is to ensure that we are compliant in order to drive and exceed the required standards”. To be frank, the individuals uttering such phrases are really talking about conformance. Conformance applies to strategies and plans adopted within the business in a bid for that organisation to be more productive or to improve on quality. Compliance, on the other hand, applies to laws and regulations that the organisation has no option but to follow or risk facing penalties. Laws and regulations may potentially be productive for society as a whole or a particular client, but don’t necessarily contribute towards an organisation’s end goals. There are several key benefits that a riskbased compliance framework will provide for any business. These are the avoidance of criminal charges, the building of a positive reputation, improved operations and productivity, enhanced consistency and the stimulation of staff engagement. Such a framework can also serve as a driver for change and innovation when required. Historically, there had been little or no selfregulation in the private security sector and standards varied widely. The Private Security Industry Act 2001 was passed into law to protect and reassure the public and businesses by preventing unsuitable individuals from occupying and working in positions of trust and raising standards generally within the industry. Specifically, the Private Security Industry Act 2001 established ‘rules’ and required the implementation of compliance audits to ensure private security companies complied with both the Act and its related standards. The Approved Contractor Scheme (ACS) was formulated to encourage businesses to raise their standards in nine different areas, the most significant of which is people management. As a result, individuals working within the private security industry are given assurances towards their welfare and professional development by working for an ACS-registered company. Among others, the benefits include better training, improved working hours and a more streamlined management process. While the Private Security Industry Act 2001 and the ACS have served to increase operating costs for security companies, end user customers of registered businesses are afforded a level of comfort that they’re employing a security service provider regularly audited to an agreed standard of operating capability and conformity. Increased regulation isn’t something every industry sector welcomes, but in our space it exists to improve operating standards and has most certainly been instrumental in enhancing reputations as well as creating a greater level of competence in the UK’s private security industry as a whole. Only expect what you inspect The basis of any protective security solution worth its salt revolves around four main effects: Detect, Deter, Deny, Respond. While transacting my own duties as a compliance and performance manager for our business, I always have these four words in mind. We’re looking to detect non-compliant staff as well as non-compliant working practices. We want to deter bad working practices and any ignorance of applicable regulations. There’s always a strong desire to deny penalties or fines to both our company and our clients and deny non-compliant staff access to our clients. Last, but not least, we want procedures in place to respond to a security event in tandem with competent and well-trained staff capable of providing the required level of response.
Security Services: Best Practice Casebook Non-compliance is simply not a risk you can take in the security industry and yet it does happen. If you choose not to go beyond the base level requirements of ‘the inspected’ you will only see what you ‘expect’ to see. You will not learn and develop beyond those very basic requirements necessary to ensure protective security systems remain fit for purpose. Not being compliant with screening procedures, for example, could mean a company aids the infiltration of staff who shouldn’t be deployed in the security industry. This could be anyone from a person with a criminal record to an individual with terrorist links. Take this to its conclusion and you can see why it’s so vitally important to get it right. The best compliance procedures and systems should be easy to understand and use, logical, valid and add value to the business rather than hindering its progress. A great compliance manager is someone who doesn’t view things in black and white, but will assess each situation in a measured way, using experience and knowledge of the boundaries to reach acceptable solutions for both the company’s clients and operating businesses. Implementing Best Practice Compliance frameworks often vary in design, but they all have the same purpose: to ensure that established ‘rules’ are followed in order to safeguard people and the business. Furthermore, a good compliance framework will provide a platform for engagement with staff and encouraging the right behaviours and agreeable ways of working. By developing conformance into our compliance framework, we’re able to engage and motivate staff, improve our working practices and overall performance and establish protective security systems relevant to both the defined need and assessed risk. In my role as a compliance manager, I work from a compliance framework that outlines our quality assurance process and provides the basis of what I need to examine. This process needs to remain robust in order to ensure continual improvement in what we do. Our documents and managed processes that formulate our compliance framework are designed to achieve such an outcome. Working through our quality assurance process, I’m able to more effectively review our sites’ key documents and systems and better observe operating practices. This process has several key components, beginning with how a given site is complying with the contractual agreements in place that defines what we have agreed to deliver as a service. Second, I’m able to identify and examine key documents such as security plans, procedures and those records required to meet the varied regulations and standards that govern the private security industry. At Wilson James, we maintain certification to a number of standards including ISO 9001, ISO 14001 and OHSAS 18001. Within our ISO 9001 certification are included the Codes of Practice BS 7499, BS 7858, BS 7958 and BS 7960. These relate to security guarding, the screening of security staff, CCTV management and door supervision. Finally, and importantly, we incorporate our own internal company standards that enable us to ‘deep dive’ into the protective security systems in use and determine their individual and collective effectiveness. Our quality assurance process incorporates all of these standards to ensure that the ‘rules’ and Best Practice are regularly examined. Plugging any gaps The contents of the British and ISO Standards listed above are wide-ranging. For us, rather than just being ‘compliant’ in terms of delivering a service, the whole business is examined at Board level to not only capture our compliance obligations, but also to fully understand the personal opinions of the people working for us and the quality of the varied systems in use. This ensures that any gaps are quickly identified and filled. Compliance reaches into the heart of our company finances, our attitude towards Corporate Social Responsibility, equality, diversity and inclusion and our approach to new legislation such as the Modern Slavery Act. Of great importance is the fact that our compliance framework allows us to recognise how we must continually change in order to professionalise our security service offerings and meet the challenges presented by what is a dynamic working environment. We have to address the risk profile so as to safeguard our customers’ interests. For us, the compliance framework is about far more than an audit. Rather, it provides the foundation upon which to govern the business and drive our direction to continuously improve upon what it is that we do and how we do it. The framework is a platform from which we can continually improve what we do as a business. Darren Ward: Business Performance Director at Wilson James “Compliance reaches into the heart of our company finances, our attitude towards Corporate Social Responsibility, equality, diversity and inclusion and our approach towards new legislation” 45 www.risk-uk.com