printer friendly version

Successful security contracts

Wayne Hermanson and Garth Briggs of Physical Risk offer advice on what contract a buyer should create to ensure his security consultants and service providers deliver what he wants instead of what they want.

The first question we deal with is how customers should contract with a security management consultant to ensure they are suitably protected and will receive the services agreed to.

Hermanson says the manner in which customers contract the services of a security management consultant is key to the success of the professional relationship and should have a clear audit trail. The key outputs should form part of the contracting process as a minimum.

The initial client meeting is used to explore the customer’s service needs and devise a service proposal, should the customer not already have the scope of services defined.

The service proposal is the source document for the description of the security management consulting services to be rendered by the SMC. Service proposals vary in format style, however there are a number of proposal elements that should be included to demonstrate the SMC’s expertise to perform the proposed services. These include but are not limited to the following:

* Cover letter. To thank the prospective customer for the opportunity to bid and highlight particular aspects of the proposal that should be examined closely.

* What services will be rendered? Be it assessment, design, project management or security management services.

* How services will be rendered? Methodology and measureable deliverables.

* Who specifically will perform the services? The engagement team of consultants should be named with their qualifications and experience listed.

* Where/when will the services be rendered and what will the duration be?

* Company profile/background. The consulting company’s historic background, philosophy, ethics, vendor/product neutrality and approach to the services requested should be explained.

* Engagement considerations. Items that may be included under this section include SMC and customer’s responsibilities, service/project timeline, limitations, exclusions, changes in project scope, fees, expenses and confidentiality.

Measuring ROI

In many cases customers know better what it requires from an independent SMC or consulting firm. It is certainly prudent to explore the customer’s service needs thoroughly during the initial and further client meetings. Once the SMC’s code of ethics with respect to a fixed fee structure for a fixed term has been dealt with, both parties may focus on understanding and defining service requirements to the customer’s satisfaction.

Confidentiality agreement. The SMC is likely to be privy to sensitive proprietary information and would have detail of the customer’s security vulnerabilities, which makes it important to have a confidentiality agreement signed.

Service agreement. The SMC’s agreement should be a performance agreement directly linked to the services to be performed, deliverables with cost and time constraints clearly defined.

Project charter. The project charter also referred to as the 'Terms of Reference' document is drawn up once the customer has approved the service proposal and both parties have signed the confidentiality and service agreements. It constitutes the benchmark against which the SMC should be measured with respect to service delivery. The customer representative managing the SMC’s service delivery should approve the project charter and it serves as primary terms of reference at all progress meetings. Items to be included in the project charter include but are not limited to the following:

* Service/project description. This section should include a full description of the services required with relevant background and clear references in the case of tenders.

* Service/project objectives. This describes the essence of the SMC’s service deliveries expressed as customer outcome requirements.

* Constraints. It may include time and/or budget constraints or any other constraints imposed by the customer.

* Assumptions. The SMC shall define assumptions such as information that needs to be provided by the customer, assumed expenses, delays caused by the customer, payment of other service providers associated with the service/project, etc.

* Reporting structure. Who will the SMC report to for service deliverables and who shall approve payment of service invoices?

* Deliverables. A comprehensive list of each service deliverable in measureable terms.

* Service activity time chart. To indicate when the various deliverables shall be performed within the agreed timeline.

* Fees and expenses.

* Acknowledgement of SMC commitment to project charter.

* Customer approval.

Measuring performance is critical

Performance should be measured against a comprehensive project charter that clearly defines the service objectives and outcomes.

At Physical Risk, we align performance measurement not only with the service requirements but also with the customer’s security risk profile. Our service delivery only adds value to the customer if it reduces the risk profile in a cost-effective and sustainable manner. Corrective, preventative and procedural improvements can be measured through the integration of security performance measurement metrics that are directly linked to the customer’s prevailing security risk profile.

Physical security as an organisational function should add intrinsic value to the customer’s business/organisation value chain. Security’s value should be measured against the reduction of risks through loss event prevention, protection and recovery of customer assets. The SMC’s services should be measured in similar terms once mutually agreed.

Share this article:

Further reading: