In previous blogs (Intelligence at the Heart of Security Risk Management and Merging Physical and Cyber Security), I championed the idea of physical and cybersecurity teams merging to form a unified defence against increasingly merging physical/digital threats and risks. Before COVID, there was an indication that this was the direction of travel for some companies. However, there is growing evidence that the impact of COVID staff reductions is leading hotel companies to merge their security and safety capabilities. Such a merger might seem straightforward on paper, but the reality is likely to be more of a challenge if security and safety are to continue to meet guest, stakeholder, reputational and regulatory demands.
Especially if security and safety programs are to withstand post-incident scrutiny and meet company duty of care responsibility.
Confusion sometimes surrounds the differentiation between safety and security. This is not helped in some areas of the world because they have the same definition in some languages. Any confusion is understandable because security and safety aims are largely the same: preventing harm to people, assets and reputation. The difference lies in the source and methods that lead to potential harm. In consideration of merging safety and security, let us review the differences between the two disciplines.
The Origin of Harm
Security ‘harm’ is derived from human malintent. The potential for security ‘harm’ is highly dynamic and only bounded by the extent of human imagination and ingenuity. Security ‘harms’ are generated by those with intent and capability to harm, including serious & organised crime, petty criminals, dishonest staff, terrorists, cybercriminals, fraudsters, activists and hostile governments.
Security threats and risks can be highly unpredictable, and their management depends largely on active, protective intelligence to enable anticipation and proactive countermeasures to deter, detect, delay, respond and mitigate threats and risks.
In comparison, Safety ‘harms’ largely emanate from static hazards and/or human omissions linked to safety issues including fire, food, leisure, illness, infestation and working practices; for example, the water in a swimming pool does not have the intention or capability to leap out of the pool and drown somebody sunbathing poolside, neither does it have the intention or motivation to drown a swimmer. Hazards can evolve but usually at a much slower and predictable rate as operational activities and equipment evolve. Safety is no less a challenge than security, but safety and security specialists can often have a different mindset and methodologies. A security specialist will have the capability to deal with a terrorist attack but would be found wanting in a food poisoning investigation and vice versa; this is not insurmountable but needs to be considered. Additionally, whilst the merged team may be able to manage routine operational safety and security, but will it have the capability to deal with extraordinary events requiring such as natural catastrophes or highly unstable geopolitical situations?
Both safety and security are critical to hotel operations and both require high levels of expertise, each across a broad range of subjects. Individuals with high levels of expertise across both are rare because of the span of the disciplines, their complexity and the standard expected. Of course, one solution is to drop standards and the challenge of ‘double hatting’ is lessened but this might not be a responsible way to run safety and security, bearing in mind that people’s wellbeing and, indeed, lives are at stake. The other solutions might involve ‘up gunning’ those who remain in the team, by formally training safety managers in security and security managers in safety, but this can be costly and time-consuming. Alternatively, hotel security consultants might be employed to provide operational security threat and risk management support and a security ‘fire service’ to plug capability and capacity gaps, especially if the team is weighted towards safety, which many appear to be.
Merging Begins With Review
Merging of safety and security goes well beyond making widespread redundancies, changing job descriptions and renaming teams. It is vital that the whole security and safety governance, management, planning, organisation, training, communication and way of working are reviewed and remodelled to ensure that it continues to meet wider business objectives. This type of review can be a challenge if senior management does not have the requisite understanding of safety and security disciplines to enable objective and effective findings.
I suppose the nub of the problem for senior managers is ‘how to do more with less?’, ‘how to maintain standards?’ and ‘will the resulting merged program stand up to external legal and moral scrutiny?’ It will come as little surprise that I believe that part of the solution is intelligence: internal risk management intelligence not protective intelligence. Security and Safety program managers need far better insight into what is going on at hotels and in their operation; they need a detailed understanding of security and safety risk management performance and to identify systemic issues that need addressing. With such insight, limited resources can be focussed where they are needed, in the right amount and at the right time. Without this, denuded teams are likely to become overwhelmed or standards will unintentionally drop. Internal Intelligence platforms need to be integrated, proactive and assessable, giving a coherent picture across the operation at all levels.
Another critical element of ‘doing more with less’ is stiffening accountability, ensuring that operational leaders take on more responsibility for safety and security in their operations. This cannot be done with a stroke of a pen. Operational leaders and their operational chain of command need to be trained to give them the capability to fulfil their responsibilities and likewise their performance needs to be measured and linked to compensation.
Let’s take this opportunity to think differently and take security and safety to a new more effective place.
Questions for Consideration:
- Will your reduction in safety and security resources be defendable to external scrutiny?
- Do you have a coherent and transparent plan and process in place to manage security and safety merging?
- Do you have an effective internal risk management intelligence platform to provide the insights required to deliver more with less?
If you face any of the challenges mentioned in this blog and would like assistance, Northpoint International would be happy to discuss and lend support.