Richard Flint, Technical and Commercial Lead – Physical Security at BRE discusses risk assessment in design processes.
During a recent conversation with a well-respected security consultant, I was asked for my opinion on: “Why do many commissioning security design services typically omit security threat and risk assessment from the scope? Is this still a lack of education, or a sign security design is becoming commoditised?”
My initial response, as someone who does not deliver security design work but provides assurance services to those that do, was: “What? Really? Why?”. I started to recognise projects I’d come across where that was almost certainly the case and to unravel the possible reasons why.
Questions which need to be answered
Having conducted security product performance evaluations for almost 25 years, I have supported consultants and architects on many projects, including several iconic projects around the globe. Thinking back, it was easy to identify the projects where threat and risk had been considered ahead of performance standards and classifications being specified, let alone specific products being selected.
This was because when discussing an end user’s requirements with those consultants and architects, it was clear some thought had gone into ensuring the solutions we are being asked to benchmark the performance of had been selected because of their potential suitability to mitigate the risks identified. On the other hand, we shudder when approached by those who are simply asking for the highest rating possible because they perceive it to be suitable regardless – even if unachievable or unaffordable.
In other cases, we see the apparent arbitrary specification of standards that are not suited to the environment or assets being protected – for example, the specification of PAS24 or EN1627 RC1 to RC3 levels, irrespective of whether there is a threat that intruders would not be dissuaded from using entry techniques likely to generate a sustained level of noise, for example, during a marauding terrorist attack.
These are sadly situations I have witnessed playing out around the globe. Even more concerning though is that all too often that work was being delivered by multinational engineering practices. Why? Perhaps it was because these practices employed teams with backgrounds primarily in alarm and CCTV installation, structural engineering or blast engineering, but who had limited or no experience in manual forced entry protection or risk and threat assessment.
I am therefore not sure whether the approach suggested in the opening question – one which starts with the products rather than the risks – is the result of poor education, naivety, budget constraints, laziness, fear or simply as put to me, commoditisation. I’ve heard a lot about ‘cut and paste culture’ within some security design practices – to the extent that the design outputs sometimes refer to a different project or building.
Are such practices caused by the lack of knowledge and experience held by those delivering such work, or is it a symptom of funding, resources and the speed at which the world around us wants us to deliver results? It is certainly the case that you cannot benchmark the suitability of a design if you do not know what that design sets out to achieve – in this case, what security risks is it intended to mitigate? Omitting the threat and risk assessment therefore leaves projects wide open to abuse from a delivery perspective and susceptible to ‘value engineering’ because no one really knows what the design needs to deliver.
A risk-based approach
One thing is for sure, in the case of security, idleness of thought and understanding can somewhat be fostered by the publication of tick-box style standards and guides. Though some literature may suggest what measures are required to protect facilities, while this guidance has a very valuable role in assisting those otherwise ill-informed in security matters, there can sometimes be a danger that those who should know better rely on such guidance even when it is not best suited to a particular situation.
National and international standards, such as BS8220 (UK) and EN14383 (Europe), also have a major influence. Each describes what they claim is best practice in relation to the deployment of protective security measures within homes, places of work and even petrol stations (TR14383-5-2010). As a specific international example, while HCIS (High Commission for Industrial Security in Saudi Arabia) regulations recognise four levels of protection, the requirements contained within them are highly prescriptive and are often not based on performance criteria, choosing instead to define measures ‘by design’. Why is one common design of turnstile defined for all levels, while different levels of performance are expected of fences?
All of these factors can influence those who commission security design to take a more general approach to security, rather than an approach founded on a thorough threat and risk assessment which takes into account the specifics of the facility to be designed and how it is to be used. Ultimately, this drives commoditisation.
I have certainly witnessed the same issue in respect to the design of security products. For many years at the start of my career, many specifiers, insurers and certainly manufacturers simply wanted us to provide design-based standards. For example, UL291 defined the performance of ATM safes ‘by design’. Thankfully, performance based standards such as LPS1175 have become far more widely recognised and adopted over recent years. While such standards may not instruct a manufacturer how to design a product that affords the required performance, they define how to measure that product’s capacity to deliver levels of protection suiting various defined levels of threat.
Security design at the built asset and masterplan levels must take a similar approach. I just hope it does not take 25 years to get there. To help the sector move in the right direction, BRE not only publishes performance-based product standards such as LPS1175, but it has also developed SABRE (Security Assurance by BRE).
SABRE champions the adoption of a design framework. It rewards a strategic approach to facility security and places great importance upon the risk assessment process, as it is this process which acts as the foundation for the project team to develop the most appropriate, proportionate and robust design specifications.
SABRE is supported by independent assessment and offers third party assurance, to those that want it, that an appropriate process has been followed. In doing so, SABRE provides a mechanism by which those who are proficient in security design can demonstrate the value they offer and the efficacy of the designs they deliver.
While SABRE will not help those who do not have the knowledge to deliver tailored security solutions, it provides an alternative pathway to delivering security of buildings and other built assets. As with its sister standard, BREEAM, SABRE recognises and rewards the use of better security design practices and supports the delivery of better security outcomes in the built environment.
To find out more information, visit: https://www.bregroup.com/
This article was originally published in the February edition of Security Journal UK. To read your FREE digital edition, click here.