An Integrated Approach to

Managing Security Operations

Ikram Sehgal, Chairman, Pathfinder Group, Karachi, Pakistan

Brigadier General Muhammad Musaddiq Abbasi, Chief Operations Officer,

Research and Collection Services (Pvt.) Ltd [RCS], Islamabad, Pakistan

Jerry W. Torres, President & CEO, Torres Advanced Enterprise Solutions, LLC, Falls Church, VA

ASIS International 62nd Annual Seminar & Exhibits, Orlando, Florida, USA
Tuesday, September 13, 2016, 11:00 am – 12 Noon
 SMS and Torres Security Services in Pakistan
• Security & Management Services (SMS) –
Pathfinder Group Pakistan has had the
contract to protect the American embassy
and consulates throughout Pakistan for 28
years.
• Joint venture with Torres AES in Pakistan for
5 years.
• SMS also provides protection for the UN
mission and other international and national
clients.
• Therefore, SMS and Torres are implementing
the ISO18788 standard and ANSI/ASIS/PSC.1
standard for security operations, now a
requirement for contracting.
2
 Centralized Recruitment & Training
Nerve Ops & Cmd Facility Management
Centre Centres
Background Screening

Response Sabre &

Force Hunter Teams
Integrated Electronic Security
Security
Quality Operations
SOMS Control &
Org Assurance SMS IT Solutions

• Procurement Dept. UAVs for

• Supply Chain Dept. Surveillance and
• Internal Financial Audit Mapping
• Finance Division
• HR Dept. Cash Transit
• Management Committees Services
• Operational Committees Admin Support
• Town Hall Meetings Integration System 3
 Business Improvement and Professionalism
• SMS’s and Torres’s decision to implement the ISO18788 standard and
ANSI/ASIS/PSC.1 standards was not simply to achieve certification for
contracting. The real driver was:
• A differentiator - exceeding the internationally recognized benchmark for
conducting security operations with respect for human rights.
• Demonstrate our commitment to human rights in addition to membership in
the International Code of Conduct Association (ICoCA).
• Use a business and risk management tool to identify opportunities for
improvement in the provision of our services and the management of our
businesses.
• Bottom line – a better run business is a more profitable business.

4
 Getting Started – Expandable Pilot
Project Approach
• Do not eat the entire
elephant in one bite – use
a pilot project approach.

5
 Getting Started – Expandable Pilot
Project Approach
• Do not eat the entire
elephant in one bite – use
a pilot project approach.

6
 Getting Started – Expandable Pilot
Project Approach
• Do not eat the entire
elephant in one bite – use
a pilot project approach.

7
 Why an Integrated Approach Using ASIS
Standards?
• The value of implementing a standard is improved business
performance, certification is the gravy.
• Pursuing simultaneous certification to ISO18788 and ANSI/ASIS/PSC.1 standards
for managing security operations and ISO9001 for quality management.
• Best kept secrets about the ASIS PSC series of standards:
• ISO18788 and ANSI/ASIS/PSC.1 are not “security operations” standards – they are the first
comprehensive enterprise risk management standards
• ISO18788 and ANSI/ASIS/PSC.1 cover all the requirements of the newly released
ISO9001:2015 Quality Management System Standard
• The ANSI/ASIS/PSC.3 maturity model standard gives a benchmarking approach for developing
an implementation plan
• All human rights obligations contained in the ICoC, Montreux Document and UN Guiding
Principles are covered by the ISO18788 and ANSI/ASIS/PSC.1
• The ANSI/ASIS/PSC.1 is written in a much more user-friendly fashion and easier
to use for implementation.
8
An Integrated Approach Using the ASIS Family
of Standards
• The ASIS family of management standards gives a comprehensive tool
for building a better business – seamlessly plugging into the ISO18788
and ANSI/ASIS/PSC.1 standards.
• The ANSI/ASIS/RIMS.RA.1 risk assessment standard gives a comprehensive
approach to assessing strategic, tactical and operational risk including human
rights risks and supply chain risk
• The ANSI/ASIS.SPC.2 auditing standard give a detailed approach to
developing an internal auditing capacity to identify opportunities for
improvement
• The ANSI/ASIS.SCRM.1 supply chain standard gives guidance in assessing and
minimizing supply chain risk
• Used together, all the pieces of the puzzle come into place.

9
 What We Learned – Cultural Shift

• Do not focus on certification – focus on business improvement and changing the culture
of the organization.
• Cultural change is not driven by external consultants but driven by management
commitment and dedication to meeting objectives.
• Cultural change is an top down – bottom up approach:
• Create a “family attitude” in the organization so everyone feels part of the family.
• Everyone who is a risk maker and a risk taker is a risk manager.
• Empower people to contribute – openness has it’s benefits, your employees are the best early
warning system for potential problems.
• Proactive risk management helps prevent potential undesirable events while identifying possible
opportunities for improvement.
• Reaping the benefits of implementation comes from everyone in the organization understanding
the benefits of their contribution.
• When employees feel valued, their loyalty to the company increases and turnover
decreases.
• Pathfinder SMS has over 6000 guards with a turnover rate of approximately 2%
10
 What We Learned – Getting Started
• Learning how to conduct an internal audit is an essential
tool for getting started.
• Simultaneously learn how to interpret the clauses of the
ISO18788 and ANSI/ASIS/PSC.1 standards and how to
evaluate where you are at:
• Serves as a training and awareness exercise
• Emphasizes and demonstrates management commitment to
implementing the management system
• Identifies resources and area to focus on when conducting the
implementation process
• Builds internal capacity to both implement and evaluate the
progress of the implementation process

11
 What We Learned – Building Capacity

• Select and train a team of people within your organization to serve as an

internal auditing team.
• Pick people from different divisions within your organization so they do
not have to audit their own work.
• The audit team members are a force multiplier who can spread awareness
about implementation of the management system and meeting
organizational objective throughout your organization.
• Provides you with a capacity to conduct second-party audits of your supply
chain partners to minimize your risk.
• Creates a new marketable business service.
• Ability to mentor other security companies in Pakistan to improve the
professionalism of the entire.
12
 What We Learned – Human Capacity
Maturity Model
• Break down the implementation of the standard into doable
bits that can be built on.
• Promotes a mentality of success breeds success:
• Achieving interim goals builds a sense of accomplishment and
excitement about the implementation process
• Start with the low-hanging fruit that demonstrates a known problem
has been solved
• Start with simpler concepts in the standard to introduce people to the
concepts of a management system
• Emphasize teamwork and everyone’s input is welcome and no question
is too small or silly
• People learn from simpler examples before tackling more difficult
issues
• Maximizes the use of time and resources.
13
 The Risk Assessment and Management
Approach
• Use ANSI/ASIS/RIMS RA.1-2015 Risk Assessment standard with the
ISO31000 Risk Management standard.

Source: ISO18788
http://www.acq.osd.mil/log/ps/psc.html
14
 What We Learned – Context

• Pakistan is not the United States – local culture, customs, economics, social
dynamics, and the political and legal environment will have profound
impact on your security operations and must be understood.
• Before beginning a risk assessment, you must understand the risk
environment and factors that will impact your objectives.
• Who are your stakeholders:
• Stakeholders are not just your people and your clients, don’t forget the different
communities you operate in.
• How will the internal and external stakeholders impact your security operations?
• How will your security operations impact the internal and external stakeholders?
• YOUR REPUTATION AND BRAND IS YOUR MOST PRIZED ASSET!

15
 What We Learned – Risk Appetite

• “Your” risk appetite is a myth.

• To determine a risk appetite you must consider:
• Your company’s risk attitude
• Your client’s risk attitude
• NGO’s perceptions of risk and activism in your area of operation
• Impacted communities’ perceptions of risk and activism in your area of operation
• Perceived risk can outweigh actual risk and cannot be dismissed as “they
don’t understand”.
• Establish a risk committee with top management and representatives of
the various functions in the organization to consider strategic, tactical,
reputational and operational risk.
16
 What We Learned – Human Rights

• Respecting human rights is not just the ethical thing to do – it is the

business sensible thing to do.
• A human rights risk and impact analysis considers:
• Respecting people and their dignity in the workplace
• Providing adequate remuneration and benefits to employees
• The perceptions of external stakeholders
• Potential impact of the company’s activities on internal and external stakeholders
• Information flow to support proactive risk management in security operations
• PROTECTS REPUTATION OF THE ORGANIZATION AND ITS CLIENTS
• Respecting human rights pays for itself and builds positive morale.

17
 What We Learned – Risk Thinking

• Ongoing monitoring of risk profile with daily updates of risk profile.

• In all operational procedures:
• What are the risks that need to be considered?
• Who are the internal and external stakeholders that may be impacted?
• Evaluate if the operational procedure decreases the uncertainty in achieving its
objectives?
• Are their opportunities for improvements?
• Review the risks considered in the operating procedures when conducting
performance evaluation.
• YOU ARE USING YOUR PROPCEDURES AS A RISK MANAGEMENT MECHANISM.
18
 What We Learned – Supply Chain Risk

• The risk in your supply chain is your risk and you are responsible.
• A supply chain partner can impact your reputation and that of your clients
• Incorporate analysis of continuity of operations and human rights
when conducting your due diligence for selection preferred
suppliers and contractors.
• Provide your suppliers and contractors with your Statement of
Conformance to respect human rights and your Code of Ethics –
have them agree to abide by the provisions in these documents.
• Provide your suppliers and contractors with a simple questionnaire
to assess their risks for continuity of operations and human rights.
• Supplier and contractor performance review should consider if they
have lived up to their commitments.
19
What We Learned – Command Structure
• A clearly defined command and
communication structure is essential.
• Define where strategic, tactical and
operation risk and planning decisions
will be made.
• Develop mechanisms for the flow of
information in both directions.
• Check and balances, including auditing
of processes minimizes risk and
enhances solving problems before they
escalate.
20
 What We Learned – Implementation
Awareness and Training
• The key to success is a well-trained workforce - in any service industry, the risk
mitigation technique with the greatest return on investment is training.
• An investment in training pays back in professionalism and a positive
relationship with the client.
• The guards need to understand their role in achieving the organization’s
objectives:
• Guards who understand their risk environment know what to look for and understand the
importance of “see something, say something”
• Guards who understand you prioritize their safety will share their concerns
• Guards understand that their appearance and behavior impacts the way clients and the
people they impact with perceive them
• They feel valued and appreciated
• Guards know they are a desired as being recognized as having a value skill set.
21
 What We Learned – Implementation
Use of Force Policy
• Having a use of force policy and procedures for the use of force prevents
problems.
• Minimizes accidents and violations of human rights
• Provide training on Use of Force Policy articulating that use of force should be reasonably
necessary, proportional and lawful
• De-escalation of the threat is the primary objective
• Outline parameters for an escalation and de-escalation of force relative to changes in threat
levels
• Force should be reasonable in intensity, duration and magnitude based on totality of
circumstances to counter the threat
• Explain organizational procedures for control, storage and issuing of weapons, including
procedures for holding people accountable for the weapons and ammunition issued to them
• Training should include classroom, mechanical, live fire and scenario based training based
on situations similar to those faced by the guards

22
 What We Learned – Implementation
Facilitate Communication
• Communications are a two-way street:
• Communicate to your employees the importance of the management system and
their role in it.
• Lead by example – top management needs to follow its own procedures and
demonstrate commitment to the management system and employees
• Recognize people who contribute to identifying and managing risk
• Establish “town hall” meetings and recognition and reward programs
• Encourage internal and external stakeholders to communicate both the good and the
bad – you learn from mistakes and weaknesses
• Establish mechanisms for grievances and whistleblowers show you will address them
• Make sure everyone (internal and external stakeholders) clearly understands the
security operations policy, Statement of Conformance with human rights codes, the
Code of Conduct, and Code of Ethics
• Active shooter – security awareness training for clients
23
 What We Learned – Implementation
Improved Business Management
• Doing the right thing pays:
• Client satisfaction
• Reputation enhancement
• Loyal workforce
• Lower turnover – lower recruitment and training costs
• Business development based on reputation, no need for advertising
• Biggest benefit – improved management of our business using an
enterprise risk management approach:
• The ISO18788 and ANSI/ASIS/PSC.1 standards walked us through an analysis
of all aspects of our business allowing us to find enhancements in our system
of management and making us a better run more efficient company

24
 What We Learned – Implementation
of a Management System
• Shoot for Stage TWO!
• Stage One – Documentation review and definition of system of management
• Stage Two – Auditing the effectiveness of the management system
• Define what your target is using the maturity model.
• A management system standard is a living, organic system of management
in your organization – the human element is key!
• Management commitment is essential
• Start by building excitement and having everyone understand they are an integral
part
• Don’t just write procedures, live them
• Show people that their contribution is improving their ability to do their job and
manage the risks they touch
25
 What We Learned – Building a
National Capacity
• “A rising tide lifts all boats” philosophy.
• Serving as a role model to become the first company certified to the
ISO18788 standard and ANSI/ASIS/PSC.1 standards in South Asia.
• Working with PSQCA, Accreditation Council of Pakistan, and Ministry of
Commerce to implement ANSI/ASIS.PSC.3 maturity model standard as
“recognition program” for all Pakistani security companies:
• Important to set achievable goals to break inertia
• Certification should not be a competitive barrier
• Improvement of the industry benefits all companies
• Having competitors makes you a stronger company
• Improves honor and reputation of the country while enhancing capabilities in a high
risk environment
26
 Resources – US Department of Defense
and ASIS International
• The Unites States Department of Defense Office of the Assistant
Secretary of Defense for Logistics & Materiel Readiness provides a
wealth of information for private security companies:
• Free access to the relevant laws, regulations, international agreements,
contracting information, and the PSC standards.
• Visit: http://www.acq.osd.mil/log/ps/psc.html
• ASIS members can download all the ASIS standards for free at:
• https://www.asisonline.org/Standards-Guidelines/Guidelines/Published/Pages/default.aspx

27
Pathfinder Group, Karachi, Pakistan: http://www.pathfinder9.com/
Torres Advance Enterprise Solutions: http://www.torresco.com/

28