Conducting client site risk assessments

Tony Security 2 Comments

Keeping security staff safe at work

In the modern security industry, we all know that contracts change hands overnight and clients will call at short notice for security cover. That’s the nature of the business and the companies that can adapt and provide these services at short notice have an undoubted advantage over their competitors. However that competitive advantage should never be gained at the expense of staff safety. Staff should never be sent to a site without a detailed risk assessment by a ‘competent person’ being undertaken first and that competent person signing off on the control measures that would be required to provide security cover to that site. Yes this takes time and yes it costs money but its the only legal and correct way of doing it. Doing it right means having the courage to stand up to the client and sometimes turning down bad business but in the long term is good for those who want to stand out as quality suppliers. In this article I want to take about the importance of those site risk assessments; who should do them, how to do them and what to do with them afterwards.

The Law

The law is quite clear on this. Under Safety Health and Welfare at Work Act 2005 every employer must conduct a detailed risk assessment of any workplace prior to allowing employees work on it. It doesn’t matter if the client already has one done. The client is not the employer and they aren’t asking their staff to conduct a security role.

The PSA 28:2013 standard is also very clear on this. The risk assessment for each site (particularly in relation to threats and violence) must be carried out and the assignment instructions designed before work can begin on a site.

If there is no risk assessment, if it is done after work commences or if the risk assessment isn’t up to standard then the employer is breaking the law by sending staff to work on that site. It is also required to make staff aware of that risk assessment, make it available on site and have staff trained and signed off on the contents of it.

Who should do a site risk assessment

Let’s start off with who shouldn’t be doing it. Sales people, contract managers or key account managers. Why because their priority and focus is on generating business (and rightly so). They will also never be the ones who have to work the site so why would they be doing a risk assessment? Now the law is a bit vague on this part. It just says a competent person must carry out the risk assessment. The person must have knowledge of the role undertaken and of risk assessment principles. If the person has no knowledge of the role then they shouldn’t be risk assessing it.

The first three documents I ask for when I look at a case for court are the assignment instructions (or procedures manuals), the risk assessment and the details of the person who designed both of the above. If number 3 isn’t up to standard then 1 and 2 don’t mean a thing.

One of the (many) changes I would like to see when the review of the PSA 28:2013 standard comes around is that a specific person (or people) from the operational security team are given specific training in risk assessment and they carry out the role or at least have input and can raise issue prior to staff being sent on site.Similar to the health and safety rep role in many other workplaces. These are the people on the coal face and they should be consulted (like all employees) on matters relating to health and safety.

Carrying out a risk assessment

Carrying out the risk assessment doesn’t need to be time consuming or costly. Quick visit to site. Walk around the area. Job spec in hand. Few photos and a lot of common sense. If you know what your looking for it straightforward but it’s never a box ticking exercise. Real people will have to secure that site following the risk assessment. It’s not just a bit of paper you have to fill in. The main areas I look at during anew site risk assessment include:

Geographical risk

Where is the site? Is it urban or rural? What is the phone or WiFi signal like if help is needed. How close to a Garda station or fire station is it (google maps is your friend)? Have you got other sites nearby? Is it a high crime area (once again google is your friend) ?

Societal risk

What type of area is it? Is it known for high levels of anti social behaviour? Is it a site that attracts bad publicity? How is the client perceived locally?

Physical risk

How many access points to the site? How are they secured? What is the perimeter security? What security systems are available ( CCTV, alarms etc,) , what are the high value items on site? What is the grounding, lighting etc.?

Operational risk

How many security staff are requested? What sort of tasks are expected? What equipment is available/required (radios, BWCCTV etc)? What is the risk of threats and violence? What welfare and supervision facilities are available?

Of course these are only start points and each site will have its own unique risks to assess. It is a start point though to build your site assessment template. You can have mine if you want. I use iAuditor to complete mine but I’m happy to share the paper template to anyone who wants it.

Control measures

The next step is to look at all of risks identified and prioritise them. You can use the LxS method or the LVI or RTVA or whatever works for you. Once you prioritise the risks the competent person should be able to design control measures that would make the site reasonably safe to staff.

It’s worth recognising here that a competent person after undertaking the risk assessment may have to come back and tell the client that they can’t provide security at the number or price that they request.

The hierarchy of risk control is a system used all over the world for the purpose of prioritising risk management controls. There are a number of varieties but this one is the the Health and Safety Authority website in Ireland

How might these levels apply to a security site risk assessment :


The company may decline to supply the service as the risk to the security operatives cannot be justified.


The hazard (usually threats and violence) cannot be substituted but the type of security service may be. The provider may recommend a service such as remote CCTV monitoring, vehicle patrols or a K9 only service (or a combination of these) as a more appropriate service than a security on site. I always think that security providers should have partnerships with providers of these services for just such an occasion.


Thos involves isolating the hazard from the person or the person from the hazard. It might involve a secured control room, a vehicle patrol instead of foot patrol, hardening access to the site with gates, walls or fences or any other measures that put layers between the security team and the risk.

Engineering controls

Providing equipment to reduce the likliehood or severity of risk. These may include CCTV or alarms at the perimeter to give early warning of issues. Panic alarms, guard tours systems or lone worker systems to track monitor and record security operatives activity and safety.

Administrative controls

Policies, procedures, risk assessments, systems of work and training all fall in here. When an incident happens what is the security expected to do. The duties and indeed limitations of the contract and the systems of work should be spelled out clearly to the client.

Personal protective equipment

The last layer is PPE. What equipment does the security person (team) require to perform their role safety. It could range from the basic hi-vis to safety shoes and right up to sharps resistant clothing. This is last line of defence however and shouldn’t relied upon as a primary way of keeping employees safe. ‘We gave him a stab vest to he’s safer now if he gets stabbed’ will not hold up in court on its own as a safety measures. The first question will be what did you to to eliminate or reduce the likelihood of him being stabbed?

Presenting the findings

Once all of the hazards have been prioritised and control measures suggested it should leave the remaining level of risk obvious. It’s now up to the security provider to decide whether that level of risk is acceptable or not. A proper risk assessment presentation should include the risk level of providing the service that the client requested and a risk assessment of what it would take to safely provide the service to the client. Those two things aren’t always the same. Based on these risk assessments the provider can decide to decline the work or cost the job on what is actually required.

I know as well as you all do that this is only done by the minority of companies and those that are engaged in the price war race to the bottom won’t ever change until something happens. It does appear however that more and more companies are starting to do this cost benefit analysis and turn down work that is just not cost effective or not worth the risk of a large personal injury claim or WRC issue. It’s only when more begin to do this will clients begin to start taking paying for security seriously.

Assignment instruction and SLA

Once a risk assessment with an acceptable risk level has been designed and the proposal and cost accepted by the client the assignment instruction can be built around this. The procedures are built upon the risk controls in the assessment and the service level agreement with the client will reflect the costs and duties agreed. Then you have a contract that is both safe and cost effective for both parties and the provider can begin to show value for money.


This might seem like a lot of effort for a small to medium sized provider but in the long term it’s worth it. If you want to be a provider that grabs every bit of work a client wants drovers how they want it then work away. Just remember that a client contacts a security provider with a request for what they want. We are the security experts who should advise them on what they need. Those two things may not be the same. Sometimes you can come to an acceptable middle ground and sometimes you have to walk away from work. If you want to play with the big boys who don’t buy security based purely on price then this is the quality brand behaviour that should be aspired to that makes a small provider stand out from the crowd. More important than that it makes for safe, happy and loyal staff who don’t feel like pawns in a money making game. Those staff will provide your clients with real value.

Comments 2

  1. I think the management in the security industry need more training I have seen Frist hand on how they access the suitaion and not not good at all ,good point on the training for them to attend

Leave a Reply

Your email address will not be published. Required fields are marked *