This is what you need to know first
At least once a month I get a call or email from somebody who is considering the possibility of setting up a security company in Ireland. I’m always happy to help and talk them through the process but more often than not when they hear the pitfalls and costs involved as well as the margins at which many companies are operating they rarely go ahead. This is not to put a negative spin on running a security company as there are some fantastic small security companies out there. The reality is that running a small security company is tough work. Its expensive, time consuming and risky. Regulation has played a huge part in creating significant barriers to entry and in recent months that regulation has become even tighter. In this article I want to talk through the process of setting up a security company in Ireland and more specifically about the new PSA31:2019 quality standard for new security companies.
In 2019 the Private Security Authority made some significant changes to the audit process for new security companies. Like I mentioned on last weeks podcast there are some of the changes that I agree with and some that I don’t but to be fair to the PSA they have made the changes for exactly the right reasons. The intention is absolutely to make sure that the right people are running security companies in Ireland and those people are fit to do so.
One of the biggest changes is the new clause 3.14 stipulation. This clause says that any person wishing to provide a security service in Ireland must have 5 years operational experience in the last 10 years in that sector. They have a little get out clause in there that says if you don’t have that experience you must show you have the required skills and experience to run a company. In theory it’s a good principle to introduce but as I see it there are a number of issues with it.
- The directors of many of the large and medium sized existing providers do not have 5 year large operational experience in the last 10 years.
- Just because someone has 5 years experience in security doesn’t make them fit to run a security company.
- I don’t think it would stand up to a legal challenge in court. If a company met all other aspects of the standard (which is why the PSA are now requiring you to fulfil this section before they will even consider your application).
This isn’t a bashing exercise though. I think it’s not a perfect clause but it’s done for the right reasons.
The regulator has become really strict on companies having the correct amounts and sources of finance to operate a security company. The first and most important element is that the auditor will want to see that the potential company has start up capital sitting in the company account to start trading. Realistically you are to need at least the first 3 months trading expenses sitting in your account. This includes your rent, insurance, utilities, payroll and all of the other things you will have to spend money on to get your first contracts up and running. Realistically it may take a month to get a contract, staff it for another month and then get paid on 30 days credit so this is a sensible clause.
Once the auditor sees that you have the money in your account they then want to see where that money came from. If it is from personal savings they want to see the account that it came from. If it is a loan or funding of some sort they want to the see the source and the terms. They will also want to see who can access your account and anybody who has a material interest or can benefit form your company. Again this is a good clause to stop any rogue directors who may not be able to get a licence themselves from setting up through another person. Some may see this part as going beyond the remit of a regulator (and I agree to a certain extent) but it is again for good reason.
The next step is to produce a cash flow plan for the first 6 months of business with all of your projected sales, costs and expenses as well as expected profits (if any). Thus should detail start up loans and repayments etc. You also have to break down where your sales estimates are coming from and the auditor must believe that your rates and estimated hours are realistic and achievable.
Every security company needs an office. While the days of starting your security company from your kitchen table are not quite gone it is becoming harder and harder to do so. The requirements are for a safe and secure space from which the business can be administered. A kitchen table is rarely still an appropriate option. Of course a spare room may be but there are stipulations. These include the room being alarmed and this alarm must be installed and monitored by a PSA licenced company. The room must have adequate safe and secure storage for files, documents and keys and may have to function as a command and control centre for the company. Bear this in mind when deciding whether to operate from an office or home.
The reality is that it is almost impossible for a start up company to get the required insurance for the door supervisor sector. This is due in the main to the conduct of existing security businesses and the number of claims under the deliberate act section making it very hard to underwrite a new business. Even for the event sector it is getting increasingly difficult to obtain good insurance without very high excess on the policy. The regulator has identified this and in addition to having the required insurance in place they also require a new business to set aside 3 times the value of any excess on their policy in the event of claims in the first year.
The requirements for staffing are in general the same as for the later PSA28:2013 standard in that each employee must have a file with the required contents and each should have the relevant 5 year screening completed before being deployed to a site. For anybody looking to start a company the amount of work to be completed in the hiring and screening process is not to be underestimated. There are significant time and money costs involved before a person can be deployed to site. The person has to be selected, interviewed, hired, trained, given a uniform, equipment and then screened. All of this before you make a cent.
You must appoint a competent person within the management team to oversee training. This doesn’t mean that the person must deliver the training but they must schedule it and book it and ensure the that trainers are competent to deliver it. In a small start up it is likely that this administrator will also be the MD or similar and that’s fine. They can deliver training themselves if they are qualified to do so or more than likely they can nominate a qualified person internally or externally to provide the training. Training is expensive whether you provide it internally or externally and you will be asked to show provision for induction training, refresher training, site training,specialist and supervisory training. To plan and do this right takes some time.
I’ve helped a number of companies to achieve the standard and the following PSA 28:2013 standard. Many come to me only after failing an initial audit. One of the biggest audit non compliance areas is in risk assessment. You a re required to have a risk assessment procedure risk assessment survey and produce a safety statement. Straight forward in theory but so many miss out in this area. Some of the reasons for this are copy/paste statements and risk assessments from other employers. Using a template that works is fine as long you as you make the document your own and specific to your business and company. If you bring in a consultant to help with this then make sure the document template they use suits your business. You will also need to show the auditor how you survey a new site and what risks you look for in a site specific risk assessment. This section is really about owning the risk in your business and not outsourcing it to copy/paste in MS Word.
The last section you need to fulfill is Operations. This section talks about the basics of incident and accident reports but most importantly about assignment instructions and command and control functions. The requirement is for a sample of an assignment instruction of a site similar to what you wish to undertake. So once again a ‘sample’ doesn’t mean a template with heading or a copy and paste job. There is an easy way by just copying the headings from the audit and writing a few lines in each but this defeats the purpose. To do the job right you need to invest time and energy in writing an AI that will work for your business and your employees based on the resources and clients you intend to have. Again using outside help to build this is fine as long as you make it your own.
The command and control system is next and this can be another unseen investment that is required. The level of detail auditors are going through this section with is growing and growing. This area details how you will roster and deploy your staff and how you will supervise them in the field.Every company must have either a fixed command and control office or a shared or outsourced office. From this place all sites must be checked in with at least every two hours for the duration of their shift and phone records of this must be maintained. At the start of a company if you have 24 hour sites it isn’t reasonable to say that you will be making and taking those calls 24 hours a day. The easiest way to manage this is to outsource the out of hours calls to a monitoring centre and detail the escalation process for unanswered calls in the command and control procedures. Again though this has a cots to it. As many contingencies as possible should be planned for and detailed including absence form a site, failure to check in , lateness, illness, client complaint, emergency cover request and more.
Following the audit
Following the audit the regulator will issue a report stating whether you passed (very unusual first time) or require further documents. You will then be given 5 weeks to supply these documents and get a pass on the audit. Only once this is done can you start even looking for business and all the time this business is costing money in the background. Once up and running you must engage a certification body to come back within 6 month and assess you against the PSA28:2013 standard but that’s a whole other story again .
I don’t want to frighten people off from starting a security company but I do want people to be realistic. If you are considering it then you need to go into it with your eyes open and with all of the information. Otherwise you can spend a significant amount of money without ever getting to trade a day. If you are considering it then do it right and do it professionally. If the thought has crossed your mind feel free to get in touch and I’m happy to talk you through the process (without trying to sell you anything) .