Mike Sopp considers whether organisational security is becoming a mainstream health and safety function.
In February 2020, the UK Government announced plans to introduce a law which will require owners and operators of public spaces and venues to put in place measures to keep the public safe from a terrorist attack (see Duty to protect public spaces from terrorism).
Commenting on the forthcoming consultation, Security Minister James Brokenshire stated that “our first priority is keeping the public safe and preventing more families from suffering the heartbreak of losing a loved one”.
With current UK Government security guidance already linking a failure to plan for terrorist incidents and other security matters to potential health and safety legislative non-compliance (discussed below), the question arises as to whether organisational security is becoming a mainstream health and safety function.
Duty to protect
As part of its manifesto, the UK Government committed itself to improve the safety and security of public venues. In spring 2020, consultation will be undertaken on a new law that would “require venue operators to consider the risk of a terrorist attack and take proportionate and reasonable measures to prepare for and protect the public from such an attack”.
This would effectively put into a legislative framework the good practice guidance that already exists.
For example, the Centre for the Protection of National Infrastructure guidance document, Protecting Against Terrorism, already offers security advice and good practice for any organisation looking to protect against the risk of a terrorist act or to limit the damage such an incident could cause.
In a more concise form, the National Counter Terrorism Security Office offers planning guidance for those involved in managing crowded places.
Of interest, both of these documents make reference to health and safety legislation. The former document states that “health and safety at work regulations place a legal responsibility on the owner or occupier of premises to have a ‘duty of care’ for staff and visitors. In the event of an incident, any subsequent inquiry or court proceeding will look for evidence that the relevant legislation was followed.”
Similarly, the latter document states that “there is the potential of criminal prosecution and penalties under health and safety legislation for companies and individuals, particularly when statutory duties have not been met”.
Recently, this concept has been broadened in guidance on security matters for schools issued by the Department for Education. It states that health and safety law “requires employers to take a common sense and proportionate approach to identify, assess and keep under review health and safety related risks and take steps to reduce or eliminate those risks. This includes security risks where there is a threat of attack on staff and students from within or outside the school or college”.
In certain areas, security measures are seen as potential risk control options. For example, when managing the potential for violence and aggression towards employees, Health and Safety Executive best practice guidance recommends the use of physical security measures (see our recent feature, Violence in public areas).
The health and safety practitioner will be the “custodian” of health and safety legislation for the organisation, ensuring that it is doing all that is reasonably practicable to meet its legal obligations.
Security and safety risk interconnectivity
Clearly, there is synergy between health and safety legislation and security. But to determine whether organisational security is becoming a mainstream health and safety function, we need to define what is meant by security.
British Standard 16000:2015 Security Management. Strategic and Operational Guidelines defines security as the “condition of being protected against damage, harm or loss, achieved through the management of adverse consequences associated with natural events and the intentional and/or unwanted actions of others”.
This is clearly a very wide definition and will include not only harm to those who are owed a duty of care but harm/loss to assets and information as well.
Security therefore constitutes a variety of elements that will inevitably require specialisms and skills in various areas. For example, cyber and/or information threats will be managed by IT specialists, while physical asset protection may come under the responsibility of a facilities management service.
Health and safety practitioners may be more familiar and involved with aspects that could result in physical harm to those who are owed a duty of care. Most typically, as has been identified, this will be from threats such as violence and aggression or terrorism, and practitioners may be familiar with working with colleagues in these areas, recognising that a failure in security measures could result in harm coming to individuals.
However, the health and safety aspects of the other security areas cannot be ignored. Increasingly, there is an interconnectivity of risks, which means that the materialisation of a risk in one area could give rise to risk in other areas. For example, a cyberattack on Industrial Automation and Control Systems (IACS) could result in physical harm.
From the above, it can be concluded that health and safety is a requirement in various security-related disciplines in a modern work environment — but this does not necessarily mean that security is becoming a health and safety function or that the practitioner has to be an expert in security functions.
The key challenge for organisations is to determine how best the related disciplines can work effectively to meet the legislative requirements and organisational needs.
BS 16000 states that “increasingly, good practice in security management acknowledges the need for close alignment between related security disciplines and, indeed, with other disciplines that rely upon, or are relied upon by, security”.
To achieve close alignment the organisation must consider the following questions.
Who will be responsible for undertaking the necessary operational functions (eg security risk assessment, completion of response planning)?
How will the disciplines be managed to ensure alignment in respect of management elements?
How will the organisation take a strategic view to ensure all risk disciplines are aligned?
It may be the case that in some enterprises the person and/or section responsible for health and safety will also have specialist functions such as quality and environmental management within their remit. It is not inconceivable that security functions may be included in a combined function.
In particular, this may be the case where the health and safety function is an “enabling” one, where its purpose is to set the agenda and framework that enables others to manage risks effectively while co-ordinating and monitoring progress.
Recent years have seen notable professional bodies and insurers recognising the need for a more holistic and integrated approach to managing risks so as to improve organisational resilience.
This is recognised in BS 65000:2014 Guidance on Organisational Resilience, which states that, to ensure organisational resilience, “the organisation should integrate the risk management activities and operational disciplines”.
Similarly, the now withdrawn BS 18004:2008 Guide to Achieving Effective Occupational Health and Safety Performance, stated that “the absence of such an approach can lead to an OH&S management system not being fully embedded in the organisation’s operations”.
With an integrated system, an organisation becomes a unified whole, with each function aligned behind a single goal, improving the performance of the entire organisation.
Instead of a “silo” approach, there is a co-ordinated system that provides a clear, holistic picture of all aspects of the organisation, how they affect each other, and their associated risks. This is certainly a useful approach to ensuring organisational security and health and safety functions work in tandem.
Current best practice guidance, and potentially new legislation, recognise the link between security requirements and possible failures in meeting health and safety legislative requirements.
With risk interconnectivity it is certainly the case that a materialisation of a primary security risk may also result in a health and safety risk.
There is clearly a need for all risk disciplines within an organisation to work collaboratively to achieve the strategic objectives.
This does not necessarily mean that one individual is responsible for operational application, rather that specialists should work together.
However, as an enabling function, one person or department could be responsible for aligning disciplines through integrated management systems and organisational resilience approaches.
It is recognised in British Standards and other best practice guidance that integration can have benefits and ensure alignment.
BS 65000:2014 Guidance on Organisational Resilience, BSI.
BS 16000:2015 Security Management. Strategic and Operational Guidelines, BSI.
Crowded Places Guidance (2017), National Counter Terrorism Security Office.
Protecting Against Terrorism (3rd edition), Centre for the Protection of National Infrastructure.