Security Deployment Methodology

Tony Security

Do we need to be better at saying no to clients for the sake of quality? 

Lately I’ve been reading quite a bit around security providers’ responses to client requests and new business requests during this pandemic. LinkedIn is awash with boasts of account managers regarding how they got a call for security cover and had it covered in 2 hours. My question is, how is this achieved? How can a professional services provider assess, contract, staff and train a new client deployment in 2 hours, all while keeping within the legal confines of quality standards, employment and health and safety law? My opinion is that they can’t. So do we need to get better at saying no to client requests and better at having a formal deployment methodology that is both legal and operationally sound?

Fastball cover

I really dislike this fallacy of ‘fastball cover’. It basically means that security isn’t a priority for a client, but an afterthought or a necessary evil. Of course there are exceptions but generally not. They didn’t bother to think of security and when it finally occurred to them they reached out to the lowest bidder with the quickest cover. Not quality, not value but cost and speed. As long as providers continue to cover it then so-called ‘fastball’ requests will be made. Let’s take an analogy from a different profession. I forget to do my accounts and I call an accountant the day it’s due. I tell them that I need them to do my accounts today and I tell them exactly how much tax I’m going to pay at the end of the day. How many accountants would take me on? I would say none. Because professional accountants value their profession and the value that it brings to them.

Deployment methodology 

If you want to provide a quality (and legally compliant) service then let’s look at the requirements and the timelines. This staged process is one that we have developed for clients in a number of countries with slight geographical tweaks. It works and it ensures a quality service for quality clients.

Stage 1: Scoping

A scoping exercise is undertaken by the provider to ascertain the type, duration, frequency and volume of cover as well as the specific location, general operational activity and reporting mechanisms. The expectations and limitations of security provision are discussed, documented and sent to the client for approval.

Stage 2: Site visit 

A suitably qualified and competent person (not a sales person) from the provider is sent to site to gather site specific data to inform the next stages.

Stage 3: Risk assessment

Based on the site visit a detailed risk assessment is conducted detailing the existing and potential risks and suitable treatment plans. 

Stage 4: Service Proposal

A security service proposal is designed and delivered to clients with a range of solutions that the provider can safely provide (within the confines of the risk assessment) and a costing for each of these solutions.

Stage 5: Contract or Service Level Agreement

Once the client agrees a solution at a price, a contract is developed outlining payment terms and all of the other legal requirements, and the provider’s certification (insurance, licencing etc.) is exchanged with the client.

Stage 6: Assignment instruction

The site assignment instructions, SOPs and training plan are developed based on the site visit, risk assessment and scope of service.

Stage 7: Staff recruitment or selection

If an employee has to be recruited specifically for the project then this takes time to advertise, select, interview and recruit for the position. If an internal re-deployment is used then there is still a selection process to get an adequate employee and adjust the existing operational roster to ensure cover for the selected employee.

Stage 8: Client/employee set up

The client is set up with the Finance and Operations departments. The command and control procedures are updated and the employee and site equipment for deployment is procured. This includes things like site equipment requirements, uniform and PPE as well as welfare arrangements. (This stage can happen simultaneously with Stage 7.)

Stage 9: Site induction and training

The employees are site inducted and receive the site training package to include the risk assessment and SOP training.

Stage 10: Commencement

The client site commences with fully trained staff and all operational requirements in place. Welfare and supervision procedures begin.


Realistically, how long does this take, do you think? In my experience to do it correctly on a simple, low-complexity project is anywhere between 3 and 7 days and on complex projects anywhere between 7-30 days. Of course these vary but if it can be done safely, legally and in a professional way in less time then I welcome anybody commenting and telling me how. If you take a shortcut and send non-trained employees to non-risk-assessed sites without correct equipment you are breaking the law (in most jurisdictions) and don’t care about your employees’ welfare. So how can anybody cover a site in 2 or 3 hours then? If you as a security provider consider the implications of this then how could you in good conscience take the risk? If you are a buyer then consider what you are being sold.

Do we say no?

What business will ever say no to a request like this, you might ask? Well-governed, quality-assured businesses is my answer. We have to be much better than that and much stronger. We are the security professionals, not the client. Do you think a surgeon would take the advice of their patient on what they need to carry out an operation? We are either a professional service or we are not. No middle ground or no sometimes. We need to be better at saying no. Getting better at saying no makes us better at saying yes to the quality clients when they come along, and it conditions the not-so-good clients that they cannot rely on fastball cover any more if they want a professional service.


This article is two things. Firstly, a basic overview of a delivery methodology for security companies who may not yet have developed one. Secondly, a set of good reasons why you should develop one. A client calls a security provider to transfer risk. How much of that client’s unwanted risk a provider will accept is up to them. What a provider must remember, however, is that they are the final risk transfer. They accept and manage the risk. To do so on someone else’s terms or in a way that compromises laws or safety sets a trend that’s difficult to reverse.
