
Service-level agreements are crucial in security


Nico Snyman, CEO of Crest Advisory Africa, was interviewed by Andrew Seldon of TechNews for the article below. It was first published in HighTech Security Solutions Magazine.

Service-level agreements (SLAs) are an important part of any security operation. When a company defines the SLA and key performance indicators (KPIs) its security service provider needs to follow, it becomes easier to determine if the services provided are up to standard or not. It has also become standard to include performance clauses in SLAs. This allows the customer to demand service delivery as defined in the SLA and if the performance standards are not met, to institute a mutually agreed process to mitigate the service shortcomings. This could result in the retention of a significant portion of the contract fee if the service provider does not meet all the requirements in the contract.

When it came to securing the Gautrain, SLAs and KPIs became the foundation of effective security operations and profitability. Therefore, when Nico Snyman was assigned the task of developing and securing the Gautrain, an enormous task that covered the security of people and assets over the whole operation, he was faced with not only an operational and logistical challenge, but a financial one as well.

As noted in the previous article on the Gautrain (www.securitysa.com/8221a), the team responsible for the Gautrain’s security operations were measured on two primary KPIs:

1. Ensuring passenger safety by keeping the incidents involving attacks on people at or below three per million passengers per month.

2. Ensuring incidents involving passengers’ property were at or below seven per million passengers per month.

Punctuality may not seem like an issue security needs to attend to, but the complex structure of the Gautrain project made it an important aspect of the security operations. For example, cable theft could lead to the trains running at only 30 km/h instead of 160 km/h, which would make everyone late. Similarly, vagrants on the train lines would also cause delays which would reduce the overall punctuality. So, while not strictly a security KPI, the requirement of maintaining a punctuality rate of 97.5% for the train operations was also part of the security department’s deliverables.

Snyman explains that the security operation also had a significant financial aspect, as the concession agreement signed between all the relevant parties to the Gautrain stipulated that not meeting its targets would mean a financial penalty or performance deduction. The operational penalty for not meeting the Gautrain’s KPIs – across the whole operation, including security – was set at a maximum of 11% of the total monthly operating fee, while the security penalty was up to 20% of this amount. This was derived from the two primary KPIs: the physical security of passengers (15% penalty) and the safety of passengers’ property (5% penalty).

It doesn’t take a mathematics genius to understand that if the operation was to lose 11% of its fee in a month, the operation would take a significant knock to its profitability. On top of that, there is the reputational aspect to consider. If the Gautrain became known as an unsafe operation, the whole multi-billion rand project would fail.

People, processes and technology

Snyman says that the only way to create a security operation that met and exceeded these KPIs was a careful combination of people, processes and technology. Designing the appropriate SLAs to cover all three areas in an integrated approach to security was the only way in which this mammoth project could be secured to the level that would meet the KPIs and avoid penalties.

When dealing with people, specifically guards, the Gautrain outsourced to guarding companies that provided about 1000 guards, of which 337 worked on every shift. Moreover, these guards needed to be trained in how they were to operate within the Gautrain environment, holding up the brand and its reputation while meeting its security demands.

The guards all worked in Gautrain uniforms instead of their company uniforms, meaning they represented the Gautrain brand. Any failures on their part would not reflect badly on their employer, but on the Gautrain. They were therefore trained on site and went through refresher courses every three months to ensure they maintained the high standards set for them. Overall, they were measured according to nine deliverables.

There were also 22 points relating to the guards’ behaviour that each individual needed to adhere to. This related to all aspects of their job, from how to speak on the radio through to access control procedures. Should the guards not meet the standards required, the guarding company was penalised and could lose part of its monthly fee.

A contract manager was also appointed to manage the guards and their activities, ensuring the SLAs were met and providing regular reports on their operations. The job of writing the reports was assisted by the various standard operating procedures (SOPs) that defined the guards’ activities and responsibilities, making it easier to determine if they were meeting the requirements of their jobs or not.

Snyman provides the example of guards continually monitoring the cars parked in the parking bays, noting which cars were there, when and if they had their spare wheels. This strange SOP was created because a few 4×4 drivers had come back to the Gautrain operations centre in its early years claiming that their expensive spare tyres had been stolen while parked in a Gautrain parking garage. With guards following the SOP of taking note of the cars in the garages during their patrols, combined with the entry/exit camera footage, these people were put on the spot as management could easily prove that their property was not touched.

The guards were also empowered by the SOPs in terms of what they could do. For example, certain behaviours were unacceptable on the trains and guards were instructed to enforce the rules against them. This automatically gave the guards the authority to enforce these rules, as well as the process to follow when someone would not follow the rules. Snyman says this avoids the problem of guards being intimidated by passengers and gives them real authority – they are simply adhering to the company’s SOPs.

Snyman says it was critical that the guards understood their jobs and the effect of their actions on the national icon, and knew what they were expected to do and how. Understanding their SOPs gave them the confidence to act appropriately and maintain security.

Beyond the station

Apart from the guards patrolling on foot, the Gautrain also has armed response guards that patrol the grounds in vehicles. The cost of these patrols was high as the guards were on site 24×7, but they were necessary. The patrols initially used the guarding company’s vehicles, which were often old, badly maintained cars and were not managed by the Gautrain security team. This was obviously a weak link in the security chain.

To solve the problem, Snyman insisted that the patrols use vehicles supplied by the security department, which were new vehicles that were not inclined to break down. More importantly, the vehicles were also equipped with tracking and fleet management technology, which meant the security department was able to monitor the patrols, again according to the SOPs, and penalise infractions such as not patrolling on schedule, not responding to events, reckless driving and so forth.

Some of the technology used in the people, process and technology integration was supplied by BloodHound, Online Intelligence, Car Track and Abloy Locks. The technology suppliers were also contracted to strict SLAs and penalised if they failed to meet the stipulations – such as fixing technical problems within a certain time.

Snyman says the integration of people, processes and technology was crucial in ensuring the security department could meet its KPIs and avoid incurring penalties. There was no room for error or even reactive actions from the security team. They had to understand the risks they faced and ensure the processes were in place to deal with them.

Snyman concludes that an SLA is one of the most important tools, if not the most important tool, any security manager has, as long as they know the environment, the risks and what they need to defend. You can then design or reengineer any process and link it to a step-by-step approach to resolving every issue via SOPs.

Nico Snyman is the managing director of Crest Advisory Africa, specialising in risk management, corporate governance and advanced technologies. For more information, contact nico@crestadvisoryafrica.com or +27 (0)76 403 4307.