
Topic 10 Policies and Procedures in Security Management

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain the need for policies and procedures in security
management;
2. Describe the organisational structure for policies and
procedures;
3. Explain the procedure of documenting policies and procedures;
4. Discuss the benefits of and need for compliance to policies and
procedures;
5. Explain the importance of written policy; and
6. Discuss the format and mechanics of policies and procedures.

INTRODUCTION
Policies and procedures play a strategic role in a company environment in which
employees make decisions. Policies and procedures become the media by which
business processes are documented and published. Through a well-conceived
policy and procedure system, the company's vision becomes an integral part of
company operations. These operations are the day-to-day planning and decision
making which guide the processes of development, security department and its
functions.

Policies and procedures provide decision-makers with limits, alternatives, and
general guidelines. They help to make instructions definite, provide a common
understanding of a policy interpretation, and provide quick settlement of
misunderstandings. Policies set boundary conditions so that actions and
decisions are channelled along a particular path in pursuit of an objective.
Policies allow management to operate without constant intervention and, once
established, enable others to work within that framework. Policies and
procedures need to be in a standard format because they cover recurring
situations or processes. They help reduce the range of individual decisions and
encourage management by exception. The manager only needs to give special
attention to unusual problems not covered by a specific policy or procedure. As
more policies and procedures are written to cover recurring situations, managers
will begin to make decisions that will be consistent from one functional area to
the next. Consistent and objective decisions should be the goals of all companies.
They often reflect vision in action and will aid the integration of a company's
strategic goals into day-to-day management decisions. Aligning policies and
procedures to the vision is straightforward.

10.1 MEANING OF POLICY AND PROCEDURE

Understanding the meaning of a policy or procedure will prove to be a major step
in using these terms properly. A policy is a "predetermined course of action
established as a guide towards accepted business strategies and objectives."
A procedure is a "method by which a policy can be accomplished; it provides the
instructions necessary to carry out a policy statement." Each procedure has an
action, decision, or repetition step. Additionally, there is always a starting point
(initial conditions) and ending point (goal).

Policies and procedures (or operating practices) more often than not develop
slowly, informally, in an unstructured fashion over a given period. This could
range from months to years, depending on the nature of the organisation. Of
course, they evolve from the passing on of instructions (word-of-mouth
communication). Sooner or later these policies and procedures are documented in
writing.

Experience plays an important role in the formalisation of policies and
procedures. Consequently, new security organisations typically may have few
written policies and procedures; conversely, more established departments have
sophisticated and comprehensive written policies and procedures.

10.2 THE NEED FOR POLICIES AND PROCEDURES
One of the most difficult questions to answer is why companies need policies and
procedures when they have been operating for years without them. Many
companies rely solely upon verbal instructions or a series of company
memoranda. An irrefutable answer to this question will be explained in the
following discussion. This answer is meant to be used as ammunition for those
who struggle with obtaining management approval and support for creating a
policy and procedure system. The following sections explain the need for
policies and procedures.

10.2.1 Technical Application


The answer to the aforementioned question is based on the relationship between
a company's internal control system and its organisational structure. The
successful operation of an organisation is dependent on an effective system of
internal controls. A valid control system can assure that commands are being
carried out as required and warn the central decision-making function of changes
in circumstances that require new sets of commands.

In a corporate organisation, management installs whatever internal controls it
considers vital and necessary to the continued well-being of the company; the
controls exist for and because of management. The internal control system is
concerned with all aspects that contribute to the existence and well-being of an
organisation, in which case, management assures itself that actions taken by its
employees conform to its policies and procedures.

10.2.2 Three Internal Controls


There are three internal controls that are essentially the same in all business
organisations. These controls are described below:

(a) Administrative Controls are non-financial and encompass all business
activities. They are concerned with operational efficiency and with the
adherence to managerial policies. These controls are involved with the
decision-making processes that precede management's authorisation of
transactions.

(b) Accounting Controls are financial and provide the checks and balances in
the accounting system to:

(i) Prevent errors before transactions (sales, purchases, cash receipts, cash
disbursements, or payroll) are recorded;
(ii) Detect and correct errors in the accounting records; and
(iii) Safeguard the company's assets.

(c) Data Processing Controls may overlap both administrative and accounting
controls or they involve the input, processing, and output of computerised
transactions.

10.3 ORGANISATIONAL STRUCTURE FOR POLICIES AND PROCEDURES
The organisation should provide for the coordination of all personnel so that the
company's goals and objectives will be met. Management uses the knowledge,
talents, and wisdom of its personnel to accomplish these objectives. It is through
this team effort that internal control is achieved. An organisational structure
provides the framework within which decisions are made. The work of an
organisation is divided so that each officer, traditionally, a manager reporting
directly to the chief executive officer, has the authority to act in a given area of
activity. These activities may include security checking, posting guards on
various sites, supervising the guards, and enhancing the reliability of the security
system and security personnel of the company.

The management of an organisation is responsible for making employees aware
that policies and procedures will be monitored and that failure to follow the
established guidelines will be detected. To assure the cooperation of
subordinates, it is important that authorisation levels are realistic and consistent
with the importance of the matter, as well as with the responsibilities of the
people concerned.

10.3.1 Policies and Procedures Define Employee Roles


Policies create expectations and guides for action. Procedures provide the means
by which the actions can be carried out by management and by employees. The
segregation of duties established within the organisational structure can be used
as a guide when writing policies and procedures for assigning specific
responsibilities and tasks to employees and functional areas. Once responsibilities
have been assigned, policies and procedures take on meaning as responsible
individuals are assigned important tasks within the workflow.

10.3.2 Policies and Procedures are Considered Internal Controls
Well-conceived guidelines that satisfy internal controls will ensure a continual
coordination of group efforts within the organisation towards the achievement of
company goals and objectives. Company goals and objectives cannot be achieved
when consistency and continuity are lacking in management decisions. Without
policies and procedures, this group effort may not materialise because
management and employees would have to regularly reinterpret routine and
recurring situations.

SELF-CHECK 10.1

1. How do policies and procedures help decision-makers and
employees?

2. What are the differences between policy and procedures?

ACTIVITY 10.1

As the policies and procedures are substantial for the smooth
functioning of the organisation, do you think the admission policies and
procedures of your college help to make the admission procedure
smooth? Write your views.

10.4 DOCUMENTING POLICIES AND PROCEDURES
Besides the technical reasons explained above, there are many other reasons for
documenting policies and procedures. These include, but are not limited to:

(a) Every job has constraints surrounding it. Without written policies and
procedures, employees would be on their own to discover these constraints
by trial and error. The organisation would become disorganised and its
managers would not have the means to direct and harmonise their staff's
activities.

(b) Policies and procedures enable managers and their subordinates to clearly
understand the individual and group responsibilities including the
boundaries within which they have to work and the demands upon them.

(c) Policies and procedures set clear boundaries for jobs so that each employee
knows in advance what response he will get from others when making
decisions.

(d) Policies and procedures create a baseline to which subsequent change can
be referred and through which the way things are done is enabled.

(e) Policies and procedures enable managers to decide whether a subordinate's
improper action or decision was due simply to poor judgment or to an
infringement of the rules. If no rules exist, the subordinate cannot be
criticised for using his judgment, however poorly he may use it. If a rule
exists, management has to establish whether it was accidentally or
deliberately broken, for the latter is a disciplinary offense. Without written
policies and procedures, employees would not know where they stand and
any decision may create an unwanted precedent.

(f) Policies and procedures provide individuals the freedom to make decisions
in the execution of their duties within defined boundaries and to help
avoid-control by managers. If people are uncertain about the limits of their
job, they cannot feel free to act.

(g) Policies and procedures enable management to exercise control by
exception rather than by every action and decision of their subordinates.

(h) Policies and procedures enable managers to control events in advance.
Before the action begins, employees know the rules and are more likely to
produce the right result the first time. Without policies and procedures,
management is forced to control events after they happen and the results
may cause dissatisfaction. Alternatively, a manager must be on the scene of
the event to respond when the situation approaches its limits. This is a
costly use of a manager's time.

Figures 10.1 and 10.2 show examples of procedure documentation.



Figure 10.1: Example of a procedure documentation for psychological testing

Figure 10.2: Example of a procedure documentation for verification of former employers



10.5 BENEFITS OF WRITTEN POLICY

The benefits and logic of the written policy and procedure should be self-evident;
however, they are worthy of examination in some depth, including such factors
as consistency in performance, reduction of decision-making time, enhancement
of controls, and provision for objective performance evaluation.

(a) Consistency in Performance


The written procedure contributes to performance consistency because it
requires each employee to do a given task or process the same way; thus we
can predict the end results. If employees don't have a procedure to follow
(and a procedure is like a road map), they'll do things in a way that we can't
predict with any degree of certainty.

(b) Reduction of Decision-Making Time


The written procedure has most, if not all, of the necessary decisions built
right into it; thus, time need not be spent deciding what to do, how to do it,
where to do it, and when to do it.

(c) Enhancement of Controls


Certainly an important function in the whole management process is the
maintenance of control. The written procedure is a control because it
controls behaviour (action) before it occurs. Case in point: To ensure against
a lawsuit for negligent hiring, certain pre-hire actions are most important in
our society today. A well-written procedure on how to conduct the
background investigation of an applicant protects the company because it
controls all those necessary pre-hire steps. If there was no written procedure
on how to screen new applicants, I guarantee that there would be as many
ways to check the applicant's background (or not to check it) as there are
individuals charged with that responsibility. In other words, there is no
control.

(d) Provision for Objective Performance Evaluation


The written procedure is simply another tool that can be used to objectively
evaluate an employee's performance. It only makes good sense that if the
procedure spells out what to do and an employee does otherwise, that
deviation is a discussion point for correcting the performance.

10.6 COMPLIANCE TO POLICIES AND PROCEDURES
The question of how closely one must adhere to, or comply with, policies or
procedures is a problem. A security executive may spend 10 minutes
emphasising the importance of a given policy or Standard Operating Procedure
(SOP) and conclude by saying something to the effect of, "On the other hand, we
want some flexibility here." What kind of flexibility?

Too often, ranking executives will massage policies and procedures to meet
particular circumstances, such as when security discovers an executive involved
in some form of internal theft and the amount stolen is not substantial. The policy
of the company is to terminate all employees caught stealing. The procedure for
terminating such employees, step-by-step, clearly defines the discharge process.

To avoid conflicts over compliance with written procedures, some firms operate
under "guidelines," which lie somewhere between policies and procedures.
Guidelines, by their very name, suggest direction but avoid any hint of absolute
compliance. One would have to stray far afield before being guilty of violating
any of the guidelines; they're just that loose and flexible.

10.7 COMBINING POLICIES AND PROCEDURES

Some organisations combine policy (the what) with their SOP (the how) (Figure
10.3). The following is an example taken from the contents of one firm's
procedural manual; following that is the actual statement of policy and
procedure.

Figure 10.3: An example of a combined policy and procedure



Note the logical division of security activities/categories and how reasonable the
codifying system is. Let's look at section 10.8 to see what the policy statement
says about interrogations. (Remember: this is an example of the combined policy
and procedure.)

10.8 INVESTIGATIVE AND SECURITY INTERVIEWS
It is to define and establish standards for interviewing that will ensure maximum
results and fair and consistent treatment. It will protect the company against
subsequent civil liability arising therefrom.

(a) Investigative Interview


The questioning of an employee, looking for information and/or explanations.
It is a fact-gathering process without challenges or charges. The information
gathered during such an interview is afterwards evaluated and may or may
not lead to a security interview.

(b) Security Interview


The security interview is an accusatory encounter and is used only in cases
of dishonesty or other extremely serious violations of rules.

10.8.1 Procedures
(a) Individuals being interviewed must be told at the outset that they are not
being forcibly detained and need not choose to submit to questioning.

(b) Security interviews must be conducted in the privacy of four walls,
preferably in a room.

(c) A witness is required, preferably another woman, if a female employee is
the interviewee.

10.8.2 Free-Standing Policies


Procedures always are related to a policy because they provide the detailed
instructions for employees to carry out the purposes of a policy. On the contrary,
there may be policies for which procedures are not necessary: free-standing
policies.

SELF-CHECK 10.2

1. What are the reasons for which policies and procedures are being
documented?

2. What are the benefits of documenting policies and procedures?

ACTIVITY 10.2

Prepare a useful questionnaire for investigative and security interview of
the candidates.

10.9 IMPORTANCE OF THE WRITTEN POLICY

In our so-called civilised society, major employers are deemed desirable targets for
lawsuits; the existence or absence of a written policy could be a significant factor
in the final litigation outcome. If by chance an applicant was denied employment
for some reason other than the fact that he had a criminal arrest and conviction
record and if there were no written policy saying that convictions are not a bar to
employment, an applicant could conceivably set off and successfully pursue a
cause of action based on criminal conviction discrimination. The written policy,
however, would be an important defense in this case.

10.10 POLICIES, PROCEDURES, AND THE SECURITY MANUAL
In the security industry, departmental as well as corporate policies and
procedures frequently are brought together in a main and central source of
reference: the security manual. The following is the table of contents from the
manual of a major retailer in the United States. Retail personnel arrest literally
thousands of customers and employees each year and have, over the years,
evolved into a highly sophisticated and professionally managed organisation, as
evident from the manual's detail.

The security manual, then, is the repository of all written policies and SOPs that
pertain to the security function. The security manual of course contains other
material and information, such as job descriptions for all security classifications,
training materials, reports, and forms used by security personnel. However, the
contents of the manual are constituted mainly by written policies and procedures.
Today, word processing enables procedures and the manual to be more easily
created (and revised) in a timely manner and with relative ease.

Multinational corporations or local companies that are involved in multiple
sections of business (i.e., hotel, leisure, gaming, servicing, food outlet, supermarket,
etc.) are required to deploy security personnel, who need to refer to Standard
Operating Procedures (SOP) or a Duty Operation Manual as a guide for them to
follow. In addition, each section is also required to follow Work Instruction.

10.11 FORMAT AND MECHANICS

Written policies and procedures deserve a special look, a format that sets such
important documents apart from more routine documents. Figure 10.4 is an
example of the format generally used:

Figure 10.4: Format for written policies and procedures

Legend:

M Each page should reflect the name of the particular procedure.

N Each procedure and the contents therein should be codified for easy
reference. In Figure 10.4 the General Security Committee procedure is
Security Procedure 11.01, and bomb threat incidents reported to that
committee are 11.01.2.e.

O That special look in this case is a vertical line margin with company logo on
the lower left bottom.

P Logo identifies the company. This procedure is unquestionably an SSI
Corporation procedure.

Q Each procedure should be dated. The presence of the date could suggest it's
time to reassess its viability or could reflect its absolute timeliness.

R A two-page procedure noted.

10.12 POST ORDERS

Post orders are the written procedures for security officers assigned to a specific
location or function. These orders are typically posted on the wall or placed in a
folder for ease of reference. They contain such site and task specific information
that even a stranger to that post should be able to read the orders and, based on
the instructions, perform the security tasks required. The following list is an
example of the kinds of information that may be found in post orders:

(a) Telephone numbers to call in the event of an emergency
(b) Names and numbers of key personnel
(c) Opening and closing procedures for that post
(d) Patrol routes and locations of mandatory checks
(e) Samples of authorised badges and passes (for pedestrians and vehicles)
(f) Samples of forms and documents that are required to be filled in or
completed
(g) What the security officer's purpose and mission is for this assignment
(h) What to do in the event of . . .

10.13 WRITING FORMAT

The writing format is the heart of a policies and procedures system. It provides a
structure for information collected during the research phase. A logical,
structured format is a basic necessity for any policy or procedure. Cohesiveness is
developed by a smooth flow of thought and by the logical flow of information. It
can be very frustrating to a reader if the information is not clearly presented in a
logical order from one procedure to the next. Policies and procedures are often
seen written with few or no headings, or with headings that change from
procedure to procedure. This type of discrepancy can make it difficult to read a
policy or procedure.

The writing format is the heart of any policy and procedures system. Without a
standard method of writing, policies and procedures tend to be inconsistent,
inaccurate, and inefficient.

For policies and procedures, the structure remains the same, only the content
changes. This writing format enables the reader to understand the main
objectives, ideas, methods, or processes being presented in the first several pages
of a document. Sometimes the reader may not have to read any further. This is a
benefit to the reader because he's more inclined to read something that appears
structured and orderly than something that appears unstructured and
disorganised.

SELF-CHECK 10.3

1. Comment on the writing format of the policies and procedures of
an organisation.

2. What do you mean by the term "post order"?

ACTIVITY 10.3

Write an informative article on the topic "Importance of the written
policy".

• The difference between policies and procedures is best described as follows:
A policy tends to be a guide to what management wants and a procedure
specifically prescribes how it is to be accomplished.

• The development tends to be an evolution from the spoken to the written
word.

• Policies and procedures are tools for controlling and measuring performance.

• There's a degree of flexibility required when following procedures, and not all
policies require procedures for implementation.

• Security policies and procedures tend to be the core of the department's
operating manual.

Investigative Interview
Organisational Structure
Policies
Post Orders
Procedures
Security Interview
Security Manual

1. Explain the difference between a policy and a procedure.

2. Guidelines are more stringent than a standard operating procedure. True or
false? Why?

3. If the policy is to terminate employees for theft and the procedure spells out
that process in detail, then every employee caught stealing will
automatically be terminated. True or false? Why?

4. For every policy there must be a procedure. True or false? Why?
