Years ago we ran a course on ISO9000 quality management. In fact you can see how many of those quality principles are embedded in security management today.
We opened the course by quoting from Philip Crosby’s book “Quality is Free”. “‘Quality is Free’,” we said, “well, that’s a lie.” And it got a big laugh.
OK, Quality isn’t free but it is a really good investment.
And like quality, SeMS is a great investment, even closer to being free than quality.
The physical and financial investment is tiny and there is often almost instant payback. One of our clients spotted a vulnerability in the security patrols from the very first prototype SeMS report. It had never been noticed before because their normal security reports did not pick up patterns and trends.
The hardest part of the SeMS does require effort from managers: leading the cultural evolution. This is a slow burn which may take a while to show dividends, and will in some ways be never-ending, but it is genuinely free, because that leadership is the manager’s day job. SeMS is just giving it direction, purpose and consistency.
SeMS defrosts the security windscreen
On a frosty morning you see so many cars being driven with just a tiny porthole of ice cleared from the windscreen. It’s obvious that’s not a safe way to drive, with such a limited view and no peripheral vision of traffic emerging from the sides.
When security performance is limited to ensuring compliance with existing regulations, operators are looking through a porthole; they don’t have any peripheral vision of emerging threats.
The SeMS wipes all the ice off the windscreen to give a clear view of known threats.
But that’s not all, not even the best bit. SeMS adds a better view of potential threats. It’s as if the driver has access to the analysis of past road traffic to show black spots, busy times and satnav guidance.
This comprehensive assurance of security is for the board and security manager alike, not simply spot-check compliance.
And, by the way, the industry has a vested interest in early adoption, as a big critical mass will have an influence on regulators as they start to design regulations to make SeMS mandatory.
But that’s not all
SeMS does a lot of good things for an organisation which add up to a continuous assurance of security. You can only address issues you can see, and a real SeMS shows the organisation a full picture of the security situation, enabling it to manage risks and performance with confidence.
How? It does this in several tangible ways, real benefits that business decision makers can understand.
The most obvious perhaps is improved compliance. Compliance remains as important as ever, and SeMS doesn’t change this, but it does improve how organisations achieve and assure their compliance standards. The SeMS ensures that risks are being managed and performance measured. It can even measure how well risks are being managed. Organisations see deviations and can fix them in good time. There are no surprises, and no preparation is needed for the inspector’s visit.
That also means that security itself is improved: the increased certainty about security performance, and a much fuller picture of risks, not just snapshots, results in improved security for organisations.
And there’s more: as custodians on behalf of the shareholders, the directors have a duty of care for the security of staff, customers, the public and the business itself. The SeMS equips directors to fulfil that duty: it safeguards the organisation from security-related business risks, and protects people from harm.
Now, you’ll have heard the phrase “abundance of caution”. What that usually means is, “We don’t really understand our risks or know how secure we are”. This ‘just in case’ attitude is not only wasteful, but can introduce new safety and security risks. With greater assurance and more confidence in the organisation’s security measures, it becomes possible to target resources better at where they are most needed and eliminate ‘just in case’ activities. This means lower costs without a reduction in the level of security; in other words, increased productivity. Organisations with a real SeMS find that their productivity improves, resulting in direct financial benefit. Minimising unplanned work to deal with incidents and avoiding remediation re-work clearly reduces an organisation’s costs.
Cost reduction is one aspect of productivity. The other side of it is a positive contribution to revenue. SeMS does that too, because a better understanding of the risks helps organisations make better decisions on future plans. That new airline route might look too risky, but with proper assessment and mitigation, SeMS might mean the route can be introduced, bringing in profit that would otherwise have been lost.
And last but not least, SeMS nurtures a positive culture. We hear that word bandied about a lot but what it really means is “the way we do things round here”. Doing things the right way – the best way – is achieved by leading and motivating people to do a job they believe is valuable, by training and equipping them to do a good job, and by generating a collective sense of responsibility for security.
The SeMS framework highlights the importance of this positive security culture and every component, every chapter of the framework, helps to nudge the security culture forward. Eliminating ‘abundance of caution’ is one practical example of how this works. People know when a task they are expected to do is pointless, so when management acknowledge it and eliminate that task, the workforce feels they have been heard, and it nudges the culture forward.
In these virus-challenged times “Stay Safe” has a clear and sincere meaning. That’s important of course, but we at 3DAssurance also urge you to Stay Safe with security managed by a SeMS that does the very best it can to keep you safe. Perhaps the time has come for your organisation to add a SeMS to its New Year resolutions.
Andy Blackwell, Director, 3DAssurance.
Andy is widely acknowledged as a SeMS and aviation security expert. As Head of Security at Virgin Atlantic, he was the first to implement the SeMS Framework. Now a leading SeMS exponent, Andy has authored numerous articles on SeMS and security, and speaks regularly at international security events.
John Wood, Director, 3DAssurance.
John was responsible at the UK CAA for developing the SeMS framework, working with and guiding many industry stakeholders. Experienced in design and implementation of effective strategic change in public and private sectors, John has been a lead designer of numerous governance, risk and compliance systems.
SeMS+ is a framework to manage security corporately, to bring an organisation’s security management into the core of the business as a strategic capability, supporting the business’s sales, marketing, operations and resilience goals. It is based on proven, simple concepts and methods that ensure the best possible response to risks, incidents and crises, minimising the chaos, damage and harm that might otherwise be caused.