What has been the true impact of the SIA, the Private Security Industry Act 2001, the Approved Contractor Scheme and regulation in general for the growing security company? Richard Childs offers some views from the front line at C UK Security Services.

With the arrival of a new chairman at the Security Industry Authority (SIA) and a new chief executive at some point in the spring, the time appears to be ripe for some constructive debate concerning regulation, recognition of the lessons that should have been learned and an understanding of the changes that need to be made. Hopefully, what follows will help energise that essential debate.

There will be many practitioners with different priorities and experiences to my own. That has to be a good thing, I would suggest. The key is to kick-start the debate. If the industry misses this golden chance to help set the new regime’s agenda then a real opportunity will have been lost.

The fact that we need a debate should not be taken as a criticism of the departing chief executive. Indeed, real credit and many thanks are due to John Saunders for introducing any regulation at all. The challenges he faced and subsequently overcame are not to be underestimated. The idea is really that the debate should build on the past to make the future better.

While regulation and licensing have been both a difficult and expensive process for smaller security contractors, one such – namely C UK Security Services – is upbeat about its outcome.

However, while the intent behind the legislation espoused in the Private Security Industry Act 2001 is sound, what has left most to be desired, it seems, is the way in which the Regulator has conducted some of its business.

Although it really had no choice but to do so, C UK Security Services actively welcomed and supported the SIA’s goal of raising standards among security providers, a goal that was long overdue. Although the Regulator changed the licensing standards it required during implementation (which was somewhat unhelpful), was slow at decision-making and harboured a degree of bureaucracy that was both excessive and challenging, the regulation procedures lent a focus to the business that had been missing.

Engaging with the SIA

While C UK Security Services was already changing so that it could constantly improve on the quality of service it provided, the length of time needed to make the necessary changes was condensed by the arrival of legislation. This was clearly a positive. What the company did feel, however, was that it did not have a voice or a way of engaging properly with the Regulator about the processes involved as they came on stream. While the British Security Industry Association (BSIA) has always had the ear of the SIA and, thus, was able to exert some influence over what happened, those companies outside of BSIA membership were virtually ignored.

That is not intended as a criticism of the BSIA or its leadership, which did all one would expect in representing its members. What it is, however, is a criticism of the fact that the Regulator did not fully appreciate the truism that the industry is a complex grouping of separate entities. Not all of the industry’s relevant interests are represented by the BSIA. Even if they are not members of the BSIA, smaller entities still harbour an absolute right to be listened to.

In fact, the wider industry has really had no mechanism in place to engage with the SIA following the unilateral disbandment of the Stakeholder Advisory Body in the middle of 2004. Since then, the Regulator has engaged with only those in (and, for that matter, outside) the industry it has chosen. This group hardly represents the whole security industry community (in particular those smaller security companies who operate on an independent basis).

The very companies, in truth, who would find regulation the greatest challenge and who need to be considered at all times.

It is to be hoped that one of the first things Baroness Ruth Henig does as chairman of the Regulator is to establish a really effective Stakeholder Advisory Body (or at least a version of it), while at the same time ensuring every credible company and legitimate interest group – whatever their size or point of view – is listened to and their opinions noted. Membership of any single trade body must not be seen as the defining reason as to whether or not you are granted an audience by the SIA.

The underlying principles

The basic principles underpinning regulation – including the requirement for effective background and criminal record checks and the enhanced training of security officers – cannot be faulted. Whether, in practice, the checks and training are audited as well as they should be to ensure that everyone is working to the same goals and standards is a little less clear.

For example, C UK Security Services has found that some of the training that staff joining the company are supposed to have received (and seek to evidence) is so poor (or actually non-compliant with the approved standards, for example due to being given the answers to all questions posed) that, as a matter of company policy, C UK Security Services retrains and re-tests any members of staff about whom it is unsure. Thereafter, a consistently high quality of service is delivered.

While the explanation may be the high demand for qualified staff, this does not say much for the auditing of training providers by the SIA. The end result of all this? An unfair distortion in the marketplace. The SIA really does have a vital role to play in making sure that its standards are enforced and that the corrupt are weeded out of the industry.

There is little need here to do anything other than observe that the application and processing systems adopted by the SIA were poor and that a backlog which could so easily have been predicted was poorly managed. The lack of response by the SIA to the problems it caused – because it had no way of hearing from great swathes of the industry – is something that the new regime will (hopefully) address.

I remain firmly of the view that regulation was seen by some as a very good way of reconfiguring the marketplace to the benefit of the few. Never forget that the former SIA chief executive always said there would be far fewer security companies in existence once regulation was in place. A good example of the Regulator’s unhelpful approach to smaller security companies was its refusal to consider phasing-in licensing and changing the fee structure to early applications or help the smaller companies with their cash flow.

Approved Contractor Scheme

In many ways, the requirements of the Approved Contractor Scheme (ACS) led C UK Security Services in the direction it was already heading – with the ultimate aim of building a good business based on quality. C UK Security Services already had the ISO quality standard for operational and business processes and procedures in place. Imposing the ACS added a greater focus on strategy and people processes. No bad thing.

The ACS Standard consists of 89 indicators split into nine sections. The SIA has developed an Assessment Workbook and a Workbook Guide, the latter clarifying the requirement for each indicator while also offering some tips in respect of Best Practice. This information proved to be very useful indeed, and the SIA should be commended.

To be awarded Approved Contractor Scheme status, companies have to demonstrate that they are reaching the correct level (or above) in every one of these 89 areas. Achieving over the requirement in one indicator does not offset any underachievement in another area. This was a real mountain to climb for the smaller contractor, but it must be said that the pain was worthwhile – if, of course, everybody experienced the same pain. It is perhaps in ensuring the equality of pain felt across the industry that the SIA has failed – and continues to fail – in its role of creating a level playing field for all.

Given that C UK Security Services was already ISO 9001 ‘rated’ and had achieved certification to the relevant British Standards – as well as having the required percentage levels of licensed staff – it was able to apply for ACS status via the fast track route. This was set up by the SIA to ensure a groundswell of support such that the scheme could be established on a quick basis.

The cynic in me wonders whether, because of the initial requirement for self-assessment only, some companies declared themselves to be competent a little too far ahead of their time. They felt they could resolve any problems before the full audit occurred.

While a little reluctant to admit it, C UK Security Services considered this option (given that there was a distinct attractiveness in being able to use the ACS accreditation to support tenders, etc). However, the company resisted temptation and made the difficult decision to go with the spirit of the scheme instead of the letter. The company recognised that there were a number of areas where it did not have the systems in place, but also appreciated the fact that there was no long term gain to be made from declaring itself competent until such time as these issues were addressed. C UK Security Services’ self-assessment was a true reflection of the company’s capabilities.

In order not to mislead those who buy and manage security services, maybe there is a case for the SIA to make it known which companies have self-audited (and are awaiting external inspection) and which have already been fully audited. This would then render the whole process truly transparent.

Additionally, while it is essential to maintain the quality of the ACS, a new audit every year may seem excessive. Given that there is ongoing self-assessment, maybe an external review, say, every two years would be more reasonable in the cold light of day.

The devil’s in the detail

The start of the ACS process was to go through each of the indicators and outline what the evidence of capability was and what still needed to be done before the company could claim to be at the right level. While it may seem trivial, one of the practical problems for companies applying for ACS status was obtaining the standard in a way where notes could be added and updated. It came as a PDF file, or in hard copy only. To make it useable, the data was manually transferred to an Excel spreadsheet. This was time consuming, but the guide specifically said it was copyright and could not be reproduced.

The deficiencies spotted through a full internal audit process could be split into two types: a mere lack of paperwork or a requirement to alter a procedure, or more fundamental changes demanding an about-turn in culture or managerial approach.

The initial category (‘Just do it’) was tackled first, while the other became agenda items for a series of management meetings. Actions to achieve the latter required dedicated project management – in addition, of course, to some kind of financial investment.

  • Richard Childs QPM BSc FSyI is a non-executive director of C UK Security Services
  • Richard’s article continues in this month’s Guarding Watch Section on page 53