EXCLUSIVE: Managing risk and compliance with integrated systems

Risk management and integrated systems


Steve Bell, Chief Technology Officer at Gallagher Security explores the various ways integrated systems can help organizations to monitor and reduce risk.

Integrated systems

In the beginning, security systems had a limited goal: manage door access.

Although the capabilities of integrated systems have changed drastically over the past 35 years, for many, that limited perception of what’s possible persists.

However, today’s integrated systems are sophisticated, flexible platforms capable of performing a wide range of routine and critical tasks, making them a perfect solution for risk management, even for organizations with the strictest of regulations.

Understanding best practice for risk management

Risk management encompasses a wide range of practices which include ensuring the physical safety of people and property, protection of personal information and intellectual property, maintaining compliance with a variety of standards and regulations, securing funding from a variety of income streams and identifying strategic, political and reputational risks, which can be harder to quantify.

In other words, it’s a lot.

Best practice risk management models identify, analyze, evaluate, treat and monitor risks over time, resulting in a comprehensive management strategy that includes a risk register, policies and other treatment methods intended to mitigate threats, including a review cycle intended to ensure the strategy remains relevant and effective.

At worst, these strategies become a tick-box exercise that is approved and then shelved. The risk register gathers virtual dust until the next review cycle rolls around again.

At best, a risk management strategy is clearly linked to ensuring the achievement of well-defined business objectives.

The organization understands its appetite for risk and ensures potential threats are managed appropriately by mitigation measures seamlessly embedded into everyday practices.

Organizations have assurance they will achieve their business objectives and that their risk mitigation tools have the agility to evolve in an ever-changing threat landscape.

Risk mitigation through integrated systems

The challenge lies in translating a comprehensive risk management plan into action and embedding risk mitigation measures into everyday practice across an organization.

Many organizations may question why it’s necessary to merge practices with a security system when policies are already in place to mitigate identified concerns on a risk register.

The truth is that administrative controls and written policies are worth nothing if an organization can’t prove – without a doubt – that policies are being complied with by every person, every day.  

Integrated systems, however, ensure compliance by flagging when a policy has been breached and giving organizations options for how to respond.

A day in the life of an integrated system

Take a medical research laboratory for example.

To maintain integrity, it’s critical to ensure that only qualified individuals have access to the space and equipment and that all compliance requirements for exposure times, staff numbers and procedures are followed.

With an integrated system in place, the following scenario could play out.

A post-grad researcher arrives early and uses the security mobile app on their phone to try and unlock the door.

The app checks in with the integrated system to review whether the researcher has been inducted and completed relevant training and safety procedure requirements.

The answer is yes, but it also notes that a research team leader (or designated ‘first person’) needs to have entered the room first. The researcher is notified to wait and the door remains locked.

When the team leader arrives and enters the room, the lights and air conditioning are automatically turned on.

Later in the day, the team is hard at work. A researcher from an adjacent team decides to visit the lab to check on the progress of a mutual project.

When they badge their access card at the door, the system recognizes that the room is at maximum occupancy and sends a warning.

They decide to go in anyway, triggering an automated notification to the lab manager who can decide how to handle the situation.

By the end of the day, just a few members of the team are left. They want to finish up before heading home, but they’ve exceeded the six-hour maximum daily exposure time for this room.

The system detects that they haven’t exited the room and sends an automated notification to the security room operator, who might then call the laboratory manager to check in on the situation.

They might decide it’s okay because the team is very nearly done (acceptable risk).

Alternatively, they might know this is a serious situation (unacceptable risk) and personally ask everyone to leave, generate an alarm or escalate the situation to a security guard.

Once everyone has gone for the day, the lights and air conditioning will turn off automatically and the lab manager (or any person with the right privileges) can use their phone to double-check that the room is secure and alarmed from the comfort of their living room. That’s peace of mind.  

Afterwards, the lab manager can generate reports detailing room attendance, entrance and exit times, exposure times, alerts or alarms received, actions taken and when the room was locked and alarmed.

The various compliance committees within the organization can easily undertake further reviews of room activity at any time for assurance purposes. 

Everyone on the team can share visibility of the events, learn from mistakes and take steps to ensure compliance continues to be maintained.
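The rules in the laboratory scenario above can be expressed as a small policy check. The sketch below is an added example, not code from Gallagher or any product; the class names, event labels and the occupancy limit of four are assumptions, and exposure is simplified to time since entry in a single visit.

```python
from dataclasses import dataclass, field

MAX_OCCUPANCY = 4           # assumed room limit; the article gives no number
MAX_EXPOSURE_MIN = 6 * 60   # six-hour limit from the article, per visit here

@dataclass
class Person:
    name: str
    inducted: bool = True        # induction and training complete
    first_person: bool = False   # team leader or designated 'first person'

@dataclass
class Room:
    occupants: dict = field(default_factory=dict)  # name -> entry time (minutes)
    events: list = field(default_factory=list)     # audit trail behind the reports

    def log(self, minute, kind, who):
        self.events.append((minute, kind, who))
        return kind

    def request_entry(self, p, minute):
        if not p.inducted:
            return self.log(minute, "DENY_NOT_INDUCTED", p.name)
        if not self.occupants and not p.first_person:
            return self.log(minute, "DENY_WAIT_FIRST_PERSON", p.name)
        full = len(self.occupants) >= MAX_OCCUPANCY  # article: warn, allow, notify
        self.occupants[p.name] = minute
        return self.log(minute, "ENTER_OVER_LIMIT_NOTIFY_MANAGER" if full else "ENTER", p.name)

    def leave(self, name, minute):
        self.occupants.pop(name, None)
        return self.log(minute, "EXIT", name)

    def exposure_alerts(self, minute):
        over = sorted(n for n, t in self.occupants.items() if minute - t > MAX_EXPOSURE_MIN)
        for n in over:
            self.log(minute, "ALERT_EXPOSURE_NOTIFY_OPERATOR", n)
        return over

def run_day():  # constructed timeline, minutes since midnight
    room = Room()
    early = room.request_entry(Person("researcher"), 8 * 60)       # room still empty
    room.request_entry(Person("leader", first_person=True), 8 * 60 + 30)
    for name in ("researcher", "team0", "team1"):
        room.request_entry(Person(name), 8 * 60 + 31)
    visitor = room.request_entry(Person("visitor"), 13 * 60)       # fifth occupant
    for name in ("team0", "team1", "visitor"):
        room.leave(name, 14 * 60)
    return early, visitor, room.exposure_alerts(15 * 60), room.events
```

Every decision, including denials and overrides, lands in `events`, which is what makes the later reporting and committee review possible.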

How well does your organization understand risk?

As a first step in improving risk management and compliance, ask if your policies are enforced and what happens if they’re breached. 

With an understanding of best practices – and the many layers of security that can help manage compliance – it becomes clear that it’s easier to mitigate risk with an integrated system security approach.

This article was originally published in the August edition of Security Journal Americas.
