PSA28:2013 Part 2: Managing Threats and Violence

Tony Security 2 Comments

Last week we started off talking about the contents of the PSA 28:2013 standard for the security industry. It was supposed to be a two-part article concluding this week and with a look at the training and operations area of the sector. However there is a subject which should have been covered in last weeks section that I think needs a section all to itself. That subject is the management of threats and violence.  Its about the process which companies are obliged to undertake to deal with these risks. I’ll discuss what is required, where I see the failings and what can be done to make the industry safer for both the employee and the employer.


In the PSA 28:2013 standard it requires a comprehensive risk assessment to be undertaken and all risks to identified, eliminated or managed through the development of a security risk management plan. This is nothing new though and regardless of whether you are a security company seeking a standard or any employer who places staff in a high risk situation there are legal obligations under health and safety legislation to assess all risks to employees and manage those risks. The standard doesn’t change this it simply adds to it.

The standard also says that the risk assessment should be carried out by a competent person with both health & safety and risk assessment experience.

Once this process is complete the company must put in place all relevant control measures including appropriate staff levels, equipment, specific violence related training and supports for staff.

These are all what the standard says MUST happen but there a number of issues I see regularly with this process including many where it isn’t followed at all.

Who assesses risk

Here’s the first issue. In some larger companies the first point of contact with a client will be a sales team member. The sales team member promises the client whatever they want to get the business long before they know whether it is safe to do so. This will then be followed up with an operational site visit to conduct the risk assessment to see the actual risks long after the level and cost of security provision has been agreed.

If we think of it from a practical point of view. If I’m a manager who is asked to complete a risk assessment on a site before providing security. I know it’s in my interest to risk assess the site as safe. I know if I go back to my boss and say it is not safe we lose business or we have to provide additional equipment or training or support to staff to make it safe. If my job is to bring in new business then this site should be risk assessed as safe. That manager may have no experience of health and safety but they know the risk assessment has to say it’s safe before they ever arrive. I know there are many exceptional managers out there who value staff safety above all else but unfortunately there are also some who don’t.

I dealt with a case last year where a company risk assessed a late night fast food takeaway as low risk for a single worker. When asked for the basis for this and was told that the client would only pay for one person so they had to make the risk assessment fit the business. The other reason it was safe was because they had no previous reports of violence there. Mainly because they hadn’t started working there yet.

My suggestion is for either:

1. An independent safety/security assessment carried out on all sites every two years as part of the audit criteria.

2. Minimum staffing levels stipulated for types of venue in the PSA standard.


The standard actually states “ risk mitigating measures shall include special training and safety routines in place where the risk assessment has shown that there is a significant likelihood and severity of consequence of violence”.

Many companies abdicate responsibility in this on their risk assessments. The single control measure will be ‘ all employees are trained to QQI Level 4’. I’m afraid this doesn’t wash however. I’ve spent  time with some really great companies over the past number of years who invest heavily in training those staff for conflict and risk but this is not the norm. Others still send their staff on some sort of martial arts/self-defence programme which also isn’t fit for purpose. Any potential claim by a patron or member of staff where either of the above is a factor is most likely a losing case for the company. Good training is expensive but it’s an investment. It’s reduces liability, injury to staff and absenteeism.

Staff also have a responsibility here. Firstly to stand up and admit when they aren’t equipped for the job and ask for training. Many won’t do this because they are afraid of losing those job. If it comes down to losing a dangerous job (even though this is both unlikely and illegal) or getting hurt which is the lesser evil? Secondly the staff have a responsibility to attend and use the training provided when required.

My suggestion here is that mandatory advanced conflict and physical skills be outlined in the standard with prescribed content in the same way that manual handling is outlined in safety legislation.


Section 4.6.5 of the standard says “ tasks involving a high risk of violence shall be identified in the risk assessment and shall be carried out by two or more operatives working together”. I met a company owner last year who I had to commend. He had turned down the opportunity for new business in a new bar because they only wanted 1 person and he felt it was unsafe to provide a single worker. This is a really difficult decision to take knowing that a competitor will take that business and he was losing out on providing employment for a staff member but it was necessary. He took the sensible option of balancing the profit to be made against staff safety and the likelihood of a civil claim following an incident.

The issue here is that the auditor who reviews the site risk assessments specialises in quality control and has no idea whether the venue is high, medium or low risk. They can’t be expected to. I go back to my earlier suggestion of an independents safety review every two years on each site.

Recording and investigation

Section 4.6.6 of the standard say “Incidents involving violence shall be recorded and investigated fully by the organisation. Any remedial course of action recommended as a result of the investigation shall be acted upon by the organisation within reasonable timeframes.”. There is again dual responsibility here. The employee is responsible for making proper reports of incidents and submitting them to management. The management is responsible for investigating each incident and completing remedial action. If one side fails to live up to their part of the deal then it becomes pointless. There is almost always a break in communication between the person making the report and the management. Either management don’t get the report or they carry out remedial action (SOP changes etc) and don’t feed back to the staff.

The obvious solution is an online reporting platform which are becoming more and more popular but this again is an investment cost.


The final part of this section of the standard covers the support required when employees are subjected to incidents of violence. This includes both physical supports (medical treatment) and psychological support ( debriefing and across to professional support). These supports are also outlined in the security industry ERO as a requirement for an employer to provide. They are available and I think should be used more. Not to bring unnecessary cost to an employer but to save on long-term physical and emotional illness brought on by tough guys not wanting to admit they need help. Most companies are happy to help and the ones that aren’t are legally obliged to.


This is an overview of the most critical part of the standard for companies to get right. Not just to meet the standard but to safeguard their employees and their business. I don’t want to seem overly negative towards companies. There are many great companies operating out there who do this stuff really well. There are however still rogue operators out there who don’t and who exploit staff in this area. I also believe there are things that can be done which can improve this and show the good companies  apart from the rest. If you have any other suggestions I would love to hear them.

Comments 2

  1. How does one do a Security risk assessment
    How does one achieve a standard were by they can do a recognised/legal risk assessment.
    Thomas .

    1. Tony O Brien Post

      It’s a bit of a grey area Thomas. Legally there is no standard it just says you must be a competent person.
      The PSA standard for security risk assessments says you must be both trained and experienced in the area being assessed and in risk assessment itself.

Leave a Reply

Your email address will not be published. Required fields are marked *