DTR014 Maintaining Sustainable Capability

Downloadable PDF Resources

  1. English
  2. English/Spanish
  3. English/Russian

This module will take you through Maintaining Sustainable Capability.

  1. Introduction
  2. Effective Protocols
  3. Crisis Cognition
  4. From Incident to Crisis
  5. By becoming aware of a potential problem earlier rather than later in its development cycle:
  6. By being unaware of a potential problem, or by ignoring a problem you are aware of:
  7. ‘Normal Accidents’
  8. Complexity
  9. Information Transfer
  10. Clear Lines of Responsibility
  11. Regular Reviews
  12. And Finally…
  13. Summary

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’


As has already been mentioned in previous sections, the secret of creating effective security management capability is to ensure that whatever programmes and protocols are introduced are not seen as one-off events, but are embedded into the organisation so that they become a natural part of its operating procedures and its organisational culture. For many security management systems, this is the hardest part of the management process. Protocols can be written, programmes designed and personnel trained, but to create organisational change is one of the hardest things for any manager to achieve, and even if they have succeeded in doing so, the natural tendency is for organisations to revert to previous practices. This module will introduce some ideas as to how security managers can self-audit their own organisation, and can identify areas where weak practices or lack of management oversight are likely to produce vulnerabilities that could allow small scale potential problems to develop into genuine problems.

Creating multi-team operational capability is not something that can be left to chance, or can be established once a crisis situation has occurred. The development of such capabilities is something that must be managed over time in a continuous cycle of learning, reviewing and improvement.

Effective Protocols

There is often a desire in security management to try and identify every possible problem, and then to introduce increasingly detailed and situation-specific protocols to try and manage those scenarios. The problem is that in any organisation, if the control systems become too intrusive and disruptive, the natural reaction is to ignore them or to switch them off. This is then not just a problem with that particular situation, but creates a culture where it is not only permissible, but is accepted practice to ignore guidelines and directives. The purpose of the security management team should always be to support the overall operations and objectives of the organisation, and though it may be tempting to introduce more and more controls, that is self-defeating in the long-run. It is better to have a few guidelines that are accepted and adhered to, rather than a whole raft of directives that are ignored.

Crisis Cognition

It is a basic rule in life that the earlier you are aware of a potential problem, the more likely you are to be able to deal with it smoothly, effectively and with the minimum of disruption to the rest of the operating network. If you allow that problem to go unmanaged, it is likely to escalate to a level where it sets alarm bells ringing, at which point the system takes notice and responds, but will often need a much higher level of intervention to deal with the situation than if it had been detected and managed earlier in the escalation cycle.

From Incident to Crisis

  • An Incident is something that happens
  • A Problem is when that incident impacts on your operation
  • A Crisis is what happens when you lack the capability to respond effectively or appropriately.

By becoming aware of a potential problem earlier rather than later in its development cycle:

  • You have more options to deal with it
  • You can respond with a lower level of intervention
  • You are safer from both a personal and organisational perspective

By being unaware of a potential problem, or by ignoring a problem you are aware of:

  • You will have less options to deal with it
  • You will need to respond with a higher level of intervention
  • You will be in greater danger from both a personal and organisational perspective

‘Normal Accidents’

In most situations, crises do not just happen. They are only the final stage in a long process of gestation and development. In most situations, the reason that a major problem occurs is not because of an outside event, but rather because there is a lack of ability to respond effectively. In almost all situations, there will have been warning signs that the conditions that will allow the crisis to develop are in place, and there are what have been called ‘Normal Accidents’ that occur on a repeated basis, which highlight the organisational weakness that is allowing those situations to occur, but which are ignored or accepted.


Many organisations are complex – that is the nature of our inter-connected world. However, it has been well-recognised that organisational complexity itself creates an increased likelihood of problems arising – or even catastrophic failure, which threatens the continued existence of an organisation. Although the issue of organisational complexity is a subject in itself, from the security managers perspective there are two clear consequences of an organisation’s over-complexity which may well (actually, undoubtedly will) create avoidable situations that have the likelihood of developing into genuine and serious problems.

Information Transfer

One of the clearest signs of harmful organisational complexity is if there are regular breakdowns in transfer of information. This can either be because the lines of communications between different sections of the organisation are ineffective, or because different sections of the organisation are unaware of the need to pass information across to other sections.

An example that many security managers might recognise is if the Business Development section creates plans to open a new office or factory in a country where there is genuine risk, whether political, social, criminal or health based. These are problems that the security department would be well aware of, and could highlight if they were part of the business development process. A Risk Analysis of any new country (or even city) should be a natural part of the business development process, but this is dependent on the working relationship between the different divisions.

A similar example would be if the HR department is responsible for booking flight tickets for travelling executives, but doesn’t inform the security department if one of the company’s managers is travelling to what could be perceived as a high-risk area. If the first time that the security department is aware of a problem is when the HR department contact them because that executive’s wife has called them because she hasn’t heard from her husband in five days, then there is clearly a breakdown in organisational communication and planning.

Clear Lines of Responsibility

One of the hidden effects of organisational complexity is that it blurs lines of responsibility. In some cases, complexity is introduced specifically to allow people to avoid individual responsibility for decisions and policies that they know to be questionable, flawed or even illegal. Many of the major incidents that hit the national headlines are a direct result of organisational over-complexity that left a vaccuum where clear responsibilty and leadership should have been. This includes the FEMA (Federal Emergency Management Agency) response to Hurricane Katrina (2005), the Japanese government’s response to the Fukushima disaster (2011), BP (British Petroleum) response to Deepwater Horizon Gulf of Mexico oil spill (2010) or G4S failure to supply security personnel to the London 2012 Olympics (2012).

Regular Reviews

One of the fundamental developments in security management since 9/11 has been the realisation that rather than something that is limited to a security department, security management should be an integral part of every aspect of an organisation’s operations and culture. In a similar way, security protocols are no longer seen as static things that are written and then forgotten, but are living documents that develop and evolve in the same way that any other part of the organisation would develop and evolve. Regular reviews of every aspect of the security management system play an important role in ensuring that security management capabilities are maintained at the highest possible level. As well as reviewing existing protocols and documentation, regular reviews also allow the security managers to develop their relationships with managers and personnel in other divisions or departments, which in turn helps facilitate the personal relationships which underpin effective security management at every level of an organisation.

And Finally…

In many ways, security management fulfils a different role from every other activity within an organisation. Whilst mistakes in most other divisions are recoverable, and can often be resolved by way of a simple apology, mistakes made in the security department can often have much more significant consequences, are not recoverable, and may, in the worst circumstances, lead to death, injury or catastrophic impacts. The responsibility of the security manager is to create the correct balance between freedom of movement and activity on the one hand, and safety and security on the other, but also to ensure that lessons are learned, mistakes rectified and the overall system strengthened and improved on an on-going and continuous basis.

Security management in its fundamental form is a simple art, but it is the ability to maintain standards, and to manage them effectively over time, that is the ultimate test of the success or otherwise of the security management system.


It is almost certain that the front page of the newspaper you brought this morning carries an example of where failures in security management have had significant impacts, and quite possibly have led to actual disasters. The likelihood is that these failures did not happen because of some catastrophic outside event, but are the result of a breakdown of what should be basic management controls. The reasons for these failures are usually predictable and well known, but have in some way been ignored or side-stepped. The issues covered in this chapter will give any security manager the ability to audit their own operations, and to identify problems that have a high likelihood of leading to significant operational failures.