F&RM speaks to Don Oakley about the value of third-party certification in the security systems sector
Independent third-party certification is a key theme in the fire safety world and is one indicator often relied upon to demonstrate competence; but what does this look like in the security systems sector in relation to commercial premises and who provides the certification?
F&RM: What are the challenges to overcome in building a wider sense of the importance of third-party certification in the security systems sector?
Don Oakley: Having spoken to security sector buyers at events and conferences about independent third-party certification, I am clearly a strong advocate of the value that this brings.
In Q&A sessions there were several interesting views expressed from the audience, which highlighted some long-held opinions which can often still influence buyers views and to some degree still need to be ‘de-bunked’.
I would suggest that many customers in security, facilities, and procurement roles still don’t always fully understand the benefits of third-party certification and what it means for them as buyers of security systems.
F&RM: What benefits does third-party certification bring to a buyer?
DO: A key benefit of any service that is third-party certified is that someone else has completed a ‘first stage due diligence’ for the buyer. This can then save them a lot of time when making the choice of which provider to use.
You could interpret the phrase ‘due diligence’ as simply meaning to ‘have a really good look at’. In my mind, if the independent third-party auditor has been in from a United Kingdom Accreditation Service (UKAS)-approved certification body, then somebody else has had that ‘really good look’ already. The buyer can then choose from their own shortlist, secure in the knowledge that the basic checks have been done, in addition to whatever they decide to undertake on top of this.
I believe that third-party certification is the starting point and just that. Buyers should look at the registers of firms and then make their own choice from the companies that best suit their needs, where service, price, or added value can then be considered.
An additional benefit that buyers should be aware of is that the certification body continues to annually review the company for the period of the certification. It means that if you appoint a company then someone else is also having a regular look at them, even if you are not.
It should be noted, however, that third-party certification is certainly not a guarantee of quality by any means, but it does provide a good base for the procurement process.
F&RM: How do external requirements impact the need for third-party certification?
DO: The police recommend third-party certification for all security systems, and go a step further by requiring it if your system needs an automated police response. Given that the need for an automated police response is why many commercial firms buy systems, the need for buyers to be aware of third-party certification schemes is clear.
The National Police Chiefs Council (NPCC) and Police Scotland’s policies are also key drivers for third-party certification. Earlier this year, the NPCC released an update to Police Operational Advice and Security Industry Requirements for Response to Security Systems. It recognised the rapid development of technology and its use within security systems, detailing the expected police response to an electronic security system.
To be compliant with the requirements for security systems, a system must comply with a recognised standard or code of practice that controls its manufacture, installation, maintenance, and operation. In addition, the installation, maintenance, and monitoring provided by companies needs to be certificated by a UKAS-accredited certification body who they then list by name.
The main point here as far as buyers are concerned is, why would you commission and install a system if it did not comply with current best advice and guidance from the police?
In addition to the benefits for the buyer, the increased use of the approved company model for automated response has been credited with a significant reduction in false alarms for police forces over an extended period. Simply from the perspective of savings to the public purse that has to be applauded as the police do attend a very high proportion of alarm activations, despite the significant challenges that poses for them.
F&RM: Who are the certification bodies?
DO: There are two certification bodies that operate in relation to the design, maintenance, and installation of security systems in the UK and Northern Ireland, the National Security Inspectorate (NSI) and the Security Systems and Alarm Inspection Board (SSAIB). Both of these bodies are not for profit and their company objects are shown clearly on companies house.
The NSI and the SSAIB each hold registers of companies which are well designed and easy for buyers to access, with company finders available, and they both operate to the UKAS model. UKAS is the National Accreditation Body for the United Kingdom and is appointed by government to assess and accredit organisations that provide services for certification, testing, inspection, and calibration. UKAS are therefore the people who ‘check the checkers’, enforcing a tough annual audit process for certification bodies to go through.
It is interesting to note that the NPCC are appointed in the role as an observer on both NSI and SSAIB boards. The NPCC take an active interest in the operation of the certification bodies that they currently specify within their policy.
Having just two inspectorate bodies means there is a benefit of having specialist auditors who have the required knowledge, expertise, training, and experience.
For NSI and SSAIB there is also a reciprocal requirement for them to ensure high quality audits, with competence and training high on their own agenda.
F&RM: Why does a company operating in the design, maintenance, and installation of a commercial alarm (or high value domestic alarm) pay for an independent audit of their services?
DO: Most companies operating in the security systems sector will strive to become approved to give their customers confidence and to prove they are benchmarking against the standards they are operating to.
Whilst most companies see the value of going through the audit process and many really value the benchmarking and assistance gained from that audit, there are a minority where it can be seen as a grudge purchase that is required to gain automated police response. My experience is that the majority see it as independent validation of their work and embrace it, with many companies taking huge pride in passing their annual audit and being able to state they are on a particular register having achieved the benchmark.
A key point here is that it does not cost the buyer any extra for the independent certification. It does cost the approved company and in this instance the fees that they pay are to ‘not for profit’ organisations, therefore the daily rates they are charged are typically less than they would pay for other consultancy or accounting services.
F&RM: What does a third-party certification audit entail for the firm you are buying from?
DO: They will receive a thorough in-depth audit by a qualified auditor from an independent firm which will involve checks on the firm’s financial position, directors, process and procedures against the applicable British and European standards and operating codes of practice, training, complaints policy, and systems.
How long it takes the certification body depends on size of the firm and is governed by UKAS requirements. It can range from a minimum of one day (for a very small firm) up to 70 days (albeit across a wider range of approvals). The annual checks can also include site-based reviews to observe routine installation and maintenance visits and often there can be more than one auditor assigned.
The point is that it is a thorough, robust audit to look at a business at single point in time and then review it periodically. As a buyer, when would you be able to go into that depth of assessment?
One other key point to be made is that the audit changes the benchmark to gain certification from the ‘you should’ stated in the standards to ‘you must’. More importantly the firm must be able to evidence this to the independent auditor and that ensures buyers can have confidence the firm does operate to the full scope of the standards expected and removes any ambiguity.
F&RM: Are all certifications the same?
DO: No they are not. The base entry point requirement for NPCC policy is the same, however the certification bodies have their own approaches to additional certifications. Each inspectorate’s own products and services can give wider approvals and differ from each other.
NSI have their Gold approval, which in addition includes management systems approval to ISO9001, whereas SSAIB have a modular approach to add ISO9001 if the firm requests it.
F&RM: Does the buyer need to check the approval certificate?
DO: You must check that the certification is for the service you want. If you want an automated police response and it is only the Alarm Receiving Centre that is certificated rather than the whole chain including design, installation, maintenance, or equipment, you won’t qualify for it.
To put it another way, would you look to get a landscape gardener to plumb in your new bathroom? No, because you are looking for specialist skills to undertake the job required. However, when it comes to security systems it can be a little less obvious. This is where the NSI’s and SSAIB’s company finders are really helpful as the buyer can look for the specific services they require, and if in any doubt they can also ask for details of the certificate from a potential supplier and then check this with NSI or SSAIB.
F&RM: Do you see companies being removed for noncompliance?
DO: Yes absolutely, and the company finders are linked so a firm will automatically be taken off it if their certification is removed. Firms are given an opportunity to sort out a minor non-compliance, but if it is not evidenced and not corrected then ultimately they are removed.
If a company switches inspectorate body, they are required to inform the relevant police force to maintain any automated response of any systems installed.
F&RM: Are NSI and SSAIB membership bodies?
DO: No. They exist to provide registers of firms operating to standards. They are distinctly different from membership associations and as such have a suitable level of objectivity in granting the certification. The UKAS-certification model means that the days of anyone signing off an approval that is not merited are long gone.
F&RM: Is third-party certification compulsory?
DO: Technically, third-party certification is not compulsory, but a buyer may find at some stage that this is a requirement of a central facilities or procurement team, or their insurers if they require a security system to be installed.
In my view though, it should be compulsory. That is the direction of travel in fire and life safety, and it makes sense for security systems to be the same. NPCC policy to date has effectively driven third-party certification towards being compulsory and therefore, in terms of whether it is of benefit the answer is a straightforward yes.
Fire & Risk Management is the UK’s market leading fire safety journal, published 10 times a year, and is available exclusively to FPA members in digital and print format depending on your requirements. You can find out more about our membership scheme here.
Don Oakley is a Technical Consultant at the FPA