Steps to Implement the Private Security Company Quality and Risk Management Standard

Recently ANSI published a new management system standard formally titled Management System for Quality of Private Security Company Operations – Requirements with Guidance (PSC.1).  This standard has also been the basis for developing an International Standard, ISO 18788 Management system for private security operations – Requirements with guidance, to be published later in 2015.  Many companies ask, "What do I need to do to implement the standard?"  The very first question to answer is whether your company/organization wants to comply with the standard or conform to the standard.  Compliance versus conformity: what does that mean?  If an organization elects not to get certified, it has decided to comply with a standard and in many instances may self-declare its compliance.  Should an organization decide to get certified by an accredited third party, it will participate in a conformity assessment to a standard.

Another question frequently asked about becoming PSC.1 or ISO 18788 certified is: How does my company get certified?  The question that should be asked before that is: Should my company get certified?  There are reasons to get certified (from supply chain requirements to competition) and even some reasons not to (for example, your organization may not have a driving need to get certified; and the most frequently cited reason, though not necessarily a correct one, is that it's too expensive).

In general, the question to ask the organization is why do all the work and not get your certificate?  The remainder of this article is a series of ten steps for an organization to take to get certified.  Only two of the steps can be eliminated if an organization has decided to comply with a standard.

Steps to Implement either PSC.1 or ISO 18788

1. Pick a standard – There are currently two options: ISO 18788 (not yet published) and ANSI/ASIS PSC.1:2012.  As previously stated, ISO 18788 builds on the PSC.1 standard.

How does an organization go about picking a standard? Can an organization pick and choose between the various standards? These are frequently asked questions. First, some clarification.  You may certify to multiple standards, but you cannot take pieces from each standard to get a certification.  The certification is per standard.  It is important to note that if you get certified to PSC.1, you will probably be grandfathered into ISO 18788 through the requirements of an upgrade audit.

In some instances, due to the very different requirements of a business, multiple certificates may work best.  If the organization chooses multiple certificates, it must undergo a separate certification audit for each identified certificate.  One example may be that the corporate functions obtain one certificate, while each diverse geographic area is covered under a different certification.

2. Set a scope – Once an organization has picked a standard, the next most important thing for the organization to accomplish is to set a scope for its system. This is typically a formal scope statement that becomes part of the Private Security Company Management System Policy.  This scope statement may be defined with various boundaries, including geographic, business line, and business function.

When defining the scope, senior management must agree to it and it needs to make sense for the organization.  In some organizations the scope has been defined geographically; in others it includes the entire organization.  Limiting the scope can allow for a proof-of-concept approach to ease the roll-out of the management system.  Management systems have very specific requirements, and for an organization new to implementing an ISO-type management system, these requirements may be a little difficult to understand and implement company-wide.

A frequent complaint I hear as a consultant is, “Of course we have a management system in place, we made XXX dollars last year.”  I commend these organizations; unfortunately for many of those organizations they don’t necessarily have an ISO type “management system” in place.

An ISO management system works on the premise of Plan-Do-Check-Act with a continual improvement cycle driven by management accountability.

Also key to implementing either PSC.1 or ISO 18788 are human rights.  In fact, human rights are mentioned 133 times in the PSC.1 standard.  Keep in mind that to successfully implement this type of system, a human rights risk assessment and demonstrated training must be developed and rolled out.

3. Perform a self- or pre-assessment – This type of review is specifically against the standard that the organization has adopted. A self-assessment may be performed either by the organization or by a competent consultant.  A pre-assessment is a term used specifically by a registrar (also known as a certification body) and is performed prior to a registration conformance assessment.  In both cases, gaps to the standard are identified.  In the case of a self-assessment, remediation plan suggestions may also be included.

4. Close the gaps – There may be some gaps identified as an output of the gap assessment. These gaps can be sorted into two types: management system gaps, and security operations and human rights discipline gaps.

  1. Management System Gaps – These are gaps that are standard to any management system. A management system follows not only the Plan-Do-Check-Act lifecycle, but also has a number of common elements.  Management commitment, resources and training, management review, internal audit, and continual improvement are present in all management systems.  Setting a scope and, in most cases, measurable objectives are also requirements.
  2. Security and Human Rights Discipline Gaps – These are the types of gaps that management would be most familiar with. They would include gaps to a Security and Human Rights Risk Assessment, internal and external communication processes, outsourced vendor management, prevention and management of undesirable or disruptive events, and operational controls.

The standard you select will dictate the requirements of your management system via what are termed 'shall' statements.  As in most management systems, if the statement includes the word 'shall', then a policy, procedure, or process needs to be implemented to support that requirement.

5. Select a registrar – This is the first area where compliance and conformity to a standard diverge. If you are looking for compliance, you don't need to select a registrar.  If you want to be certified as being in conformity, you will need to select a registrar.  Due diligence is required.  As of the publication date of this article, two registrars had been designated as PSC.1 accredited registrars.  Both of the registrars are accredited under the United Kingdom Accreditation Service (UKAS) and they can be found here.  When selecting a registrar, ask for the resume of the auditor you will be dealing with.  It is not the sales person but the auditor who will be communicating with you over a three-year period.  If your organization has other management system certifications, like ISO 9001 or ISO 14000, contact the management representative in your organization for those standards and ask them for assistance.

6. Provide training – Competence of personnel within the management system is required by most of the standards, including not just competence with the functions of the organization, but also with the standard you selected. For these particular standards, human rights training is also a must.  An awareness training class should be considered for all members directly supporting the private security management system and for key interested parties.

7. Operate your system – Conformity to a standard is much more than creating documentation. Both of the standards require operating the system, or a 'do' phase.  This is the process where evidence is collected over a period of time.  This evidence shows an auditor that you are in fact operating within your management system.  It includes such things as management review minutes, internal audit reports, proof of updates to security and human rights risk assessments, training, and communication and preventative management of undesirable events.

8. Conduct an internal audit – An internal audit is part of every management system standard. An internal audit should be conducted annually.  It is a little different from typical internal audits, which are mainly based on financial, operational, and/or system internal controls.  This internal audit is against the standard.  Issues or gaps that are noted during an internal audit are typically considered non-conformities and are brought forward as part of the management review process and the continual improvement process.

If you are seeking certification, you will need an internal audit conducted prior to your Stage 1 and your Stage 2 registration audit.

9. Certification path – This is the second area that is not required if the organization is seeking compliance to a standard. However, if you are seeking certification or conformity to a Private Security Company standard, this is your path to certification.

  1. Stage 1 – a documentation review. This is a review by your registrar auditor to determine that you have all the required documents in place and that the elements of the standard are present in these documents.
  2. Stage 2 – an effectiveness review. This is a conformity assessment against the operation of your organization's management system.  In order to be successful with this review, you will need to show evidence that you are operating according to the processes developed for step seven above.  Upon successful completion of this review, you will be recommended for certification.
  3. Certification – Typically 4 to 8 weeks after successful completion of your Stage 2 audit, you will receive a certificate. This certificate will include the agreed-to scope statement as you defined it in step two above.

10. Improve your system – Just as your current security and human rights processes are not stagnant, your management system will also not be stagnant. Throughout your certification period you will be identifying areas for improvement, upgrading your system, and conducting internal audits and management reviews.  Continual improvement is really what a great management system is about.

Your certification is good for three years, and during this time your registration auditor will visit you no less than annually and will review certain elements of your system against the standard.  Keep in mind that if your certification covers many geographic locations, the audits will be conducted in those locations.  At the end of the three years, you undergo a re-certification audit and the three-year cycle continues.

Whether you decide to follow the eight steps to compliance or the ten steps to conformity, your adherence to a standard will add maturity to your organization's program.

Radian Compliance, LLC (www.radiancompliance.com) provides Governance, Risk and Compliance services with offices in Chicago, IL and Washington, DC.  We guide our clients to the best processes and solutions enabling them to make sound operational, security, and human rights decisions to meet and exceed the requirements of management system based standards.  Radian Compliance works in an advisory role to ensure the organization has the education and tools to continue managing its compliance requirements beyond our engagements.

Lisa DuBrock, CPA, CBCP, MBCI (ldubrock@radiancompliance.com) is a Managing Partner for Radian Compliance, LLC, where she specializes in implementing Private Security Company Management System standards as well as Information Security standards for her clients.  She is a commission member of ASIS International's Standards and Guidelines Commission and a member of the ISO 18788 US-TAG.  Lisa is a university lecturer and international speaker on the benefits of implementing standards.  She welcomes and will respond to any specific questions you may have on the standards discussed in this article.