
Security and Resilience

Standards – Changing
the business of security
Dr. Marc Siegel
Commissioner
management
Global Standards Initiative
ASIS International
KAITS International Industrial Security Seminar
Brussels, Belgium 27 October 2015
Copyright © 2015 ASIS International
Standards – Setting the
Benchmark for
Professional Practice
— Views security and resilience management as
facilitators of overall business and risk management.
— Risk management is tailored to the business – not
vice-versa.
— A risk manager recognizes that it is about value
creation, products, and services.
— For organizations to cost-effectively manage risk they
must develop balanced strategies to adaptively,
proactively and reactively minimize events with
negative outcomes and exploit opportunities for
positive outcomes.
Bottom Line: Risk Managers
are Business Managers

Old View: Event Focused
New View: Objectives Focused


Risk Management

— IS a discipline for building a strong
organizational foundation
— IS a competency for informed decision
making
— IS a process for maximizing opportunities
while minimizing harm and loss
— IS used to support proactive measures to
enhance agility and the adaptive capacity of
an organization
— IS NOT an end in and of itself, but a
capability for achieving objectives



Risk Assessment Drives
Decision Making
— Risk management is based on specific
business objectives and is objectives focused
— Risk assessment is defined in terms of
organizational objectives
— Key performance indicators linked to
business objectives
— Risk management supports decision making,
and is therefore proactive
— Risk management protects and creates value
— Risk management process consistency
depends on clear governance structure



Identify Value –
Understanding the
Organization
— What is important to the organization?
— What are short, medium, and long-
term strategic, tactical and operational
objectives?
— What are the human, tangible and
intangible assets?
— What and who determines value?
— What are the measures of success?
— What is the risk attitude?



Navier–Stokes Equations –
Provide the Basis for Risk
Management

The Navier–Stokes equations are nonlinear
partial differential equations describing
almost every real situation.



PDCA - Plan - Do - Check - Act
Approach to structured problem solving
focused on continual improvement

Plan
— Define & Analyze a Problem and Identify the Root Cause

Do
— Devise a Solution
— Develop Detailed Action Plan & Implement It Systematically

Check
— Confirm Outcomes Against Plan
— Identify Deviations and Issues

Act
— Standardize Solution
— Review and Define Next Issues



American National Standard
ANSI/ASIS PSC.1-2012
Management System for Quality of
Private Security Company Operations –
Requirements with Guidance

ANSI/ASIS PSC.1-2012 provides auditable
requirements for third party certification
of private security service providers
working for any client.

A management system approach for
quality of private security services and the
assurance of human rights.

Builds on the Montreux Document and
International Code of Conduct.
International Organization
for Standardization Version
Developed by ISO/PC284
— International ISO standard based
on the ANSI/ASIS.PSC.1
— Considered an equivalent to the
ANSI/ASIS.PSC.1
— Normative references:
◦ Montreux Document on Pertinent International Legal
Obligations and Good Practices for States related to
Operations of Private Military and Security
Companies during Armed Conflict (09/2008)
◦ International Code of Conduct for Private Security
Service Providers (ICoC) (11/2010)
◦ Guiding Principles on Business and Human Rights;
Implementing the United Nations “Protect, Respect
and Remedy” Framework 2011
American National Standard
ANSI/ASIS PSC.2-2012
Conformity Assessment and Auditing
Management Systems for Quality of
Private Security Company Operations

ANSI/ASIS PSC.2-2012 provides
requirements for certification bodies
providing independent third party
certification of private security service
providers working for any client.

Supplement to ISO/IEC 17021:2011.

Provides criteria for auditing and
certification process, as well as required
auditor competence.
American National Standard
ANSI/ASIS PSC.3-2012
Maturity Model – Phased Implementation

ANSI/ASIS PSC.3-2012 provides a series of
structured steps designed to help an
organization:
◦ Evaluate where they currently are with
regard to security, risk, and human rights
management
◦ Set goals for where they want to go
◦ Benchmark where they are relative to the
goals
◦ Plot a business sensible path to get there
◦ Achieve a balance between business
needs, and time and financial constraints.
◦ Establish achievable and maintainable
goals within resource constraints.



PSC.1 Basic Flow Diagram



Reality
A Systems Approach



A Management Tool – Not a
Management System
— The standards provide industry good
practices to establish an investigations or
risk assessment program and conduct
individual investigations or assessments.
— It is a management tool designed to be
integrated into any security/risk/business
management system.
— Provides a basis to demonstrate a
credible, documented, and repeatable
investigative process consistent with
jurisdictional laws and regulations.
— Helps the organization achieve its
objectives.
American National Standard
ANSI/ASIS/RIMS RA.1-2015
The standard is a guidance document:
• Describes the risk assessment process
• Provides a basis for internal auditing and
continual improvement

Provides a framework for establishing and
implementing an organizational risk
assessment program including:
• Principles of risk assessments
• Establishing and managing an
organizational risk assessment program
• Conducting internal and external risk
assessments
• Conducting individual risk assessments
• Guidance on the evaluation of competence
of individuals involved in the risk assessment
process.
Risk Assessment PDCA Flow
Diagram



American National Standard
ANSI/ASIS INV.1-2015
The standard is a guidance document:
• No certification requirement
• Provides a basis for internal auditing and
continual improvement

Provides a framework for establishing and
implementing an organizational
investigations program including:
• Principles of investigations
• Establishing and managing an
organizational investigations program
• Conducting internal and external
investigations
• Conducting individual investigations
• Guidance on the evaluation of competence
of individuals involved in the investigation
process.
Investigation PDCA Flow
Diagram



Supply Chain Risk Management:
Compilation of Best Practices

— Developed in collaboration with the
Supply Chain Risk Leadership
Council.
— Provides a framework for
collecting, developing,
understanding, and implementing
current best practices for supply
chain risk management (SCRM).
— Practitioner’s guide to SCRM
within the organization and its end-
to-end supply chain.
— Provides guidelines and tools to
assess and address supply-chain
risks.
— Submitted to ISO as a NWIP.
Don’t Put the Cart Before
the Horse

It’s all about value creation,
resilience, and agility in the
organization.



Thank You – Questions?

Dr. Marc Siegel
Commissioner
Global Standards Initiative
ASIS International
European Bureau
Brussels, Belgium

www.asisonline.org
Standards@asisonline.org
Siegel@ymail.com

Download ANSI/ASIS
Standards:
www.asisonline.org/resources
