As security professionals, we are accustomed to identifying assets and protecting them. We are also familiar with the process by which this is accomplished: identify our assets, identify the threats to those assets, assess our vulnerability to those threats, and - finally - manage the risk by decreasing the threat or vulnerability.
Most of us are also accustomed to assuming that our own professional training, and the training of our team members, is a key tool in the ongoing process of reducing the risks faced by our organization. This is certainly the case, but it is equally important to recognize the ways in which the converse can be true. Inadequate training is, in and of itself, an additional risk factor, and - as with more traditional threats - we need reliable means of assessing the risks posed by inadequate training.
This is particularly true considering the significant developments that have taken place over the last few decades in the various areas which comprise security management. In every area, from IT to patrol, the expectations for security professionals have changed dramatically. If your training methods and protocols have not kept pace, and if you have not updated your means of evaluating those procedures, then your training program could prove more of a liability than an asset. All security organizations can benefit from a structured, formal approach to assessing the effectiveness of the level of training within their workforce.
Although the methods and mechanics of that assessment must adapt to changing environments, the basic principles are well established. Thirty years ago, Dr. Norman Bottom published an innovative systems approach to security management, in which he identified "Training" as one of the tripartite fundamentals of loss control, and along with that observation he introduced the acronym WAECUP:
The WAECUP model asserts that these variables, and their inter-relationships, are at the heart of what security professionals must protect against. A loss due to any one of the above variables has the potential of escalating into additional losses, not the least of which may be those associated with subsequent civil litigation. One means of assessing the efficacy of a training program, therefore, is identifying whether or not it is sufficiently comprehensive to address potential threats and vulnerabilities associated with all of the identified categories.
In addition to this general framework, it is important to assess training in terms of measurable standards. When I conduct an assessment of an organization's training, I typically ask three initial questions to determine whether or not their personnel are properly trained. I'm sure it is not always the case, but it has been my experience that the organization's approach to training is likely to be risk-laden if the answer to any of the following questions is "no."
The first place to start is government guidelines. Many training programs, even in national organizations, are still relying on the conclusions of the earliest studies on security procedures: the Rand Study (1971)2 and the National Advisory Commission Report (1974)3. Although these studies were groundbreaking for their time, over the past forty years many state and federal agencies have moved far beyond the foundation laid by this early research. It is incumbent on all security professionals that they continually research the constantly-evolving federal and state guidelines relevant to their organization, and then assess their training accordingly. At a minimum, this should include familiarity with:
This is only the beginning. In addition to government guidelines, security professionals also need to regularly evaluate the relevance of recommendations published by other entities. Although these publications cover a wide range of specialties, the ones that are relevant to the assessment standards I recommend must all meet a common criterion. They are all developed through an in-depth process of research, discussion and expert consensus. The flow chart included in this article illustrates one example of that process [see chart, p9: www.asisonline.org/guidelines/docs/SGquickReferenceGuide.pdf]. As a starting point, all of the following are useful sources:
This list is far from exhaustive, but it does provide a starting point for assessing the currency and liability of an organization's training criteria and protocols.
John Villines, MS, ICPS, CPP is a Certified Crime Prevention Specialist and a Board Certified Security Manager. He has been a Security Consultant, Author, Seminar Presenter and Expert Witness since 1979. Mr. Villines' clients include Fortune 100 corporations.
©Copyright - All Rights Reserved
DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.