Nic, you are very active in the healthcare security world. You’re a security manager, a Vice Chair for the National Association for Healthcare Security (NAHS), Head of Security & Safety (Protective Services) for an NHS Trust, covering H&S, Security, risk, governance,  safeguarding and parking. What exactly do you do on a day-to-day basis besides everything?

(note for our non-UK readers: trust in the UK is defined as a way of managing assets)

You know, this and that. My title is Trust Head of Security, Safety and Governance and I loosely cover all of our estates and facilities; so non-clinical related protective services. That means I look after a security portfolio. I look after health and safety for the trust. I look after the regulatory assurance and governance framework for estates and facilities, related compliances, and I manage risk for the estates and facilities directorate. And just because I like to keep busy, I’m also the trust’s Prevent Lead and I’m an internal Freedom to Speak Up Guardian.

Freedom to Speak Up Guardian: that must be like our whistleblower policies over here?

Yes, whistleblowing. It was something that came out of the Mid Staffordshire inquiry into events that happened there for the NHS pre 2010. It’s been badged as the Freedom To Speak Up. It’s a mechanism whereby the organization identifies a number of strong characters who staff can go to if they don’t feel they can use the standard mechanisms,  aren’t being heard or fear recrimination to speak for themselves. They can rely on those individuals to champion the issues that have been raised.

Would you say that your role is 50/50 security and everything else? How did you come to have so many different hats?

They all Interlink to be honest. It would be quite hard to totally separate any one from any other. I’m probably about 35% to 40% security, 35% to 40% health and safety, and the rest probably sits in the remaining time. But because we’re talking about things like the governance of our operations and our regulatory compliance, these elements cross over with security, health and safety, and risk. Most of what I’m doing is looking at compliance with relevant laws, regulations or NHS standards. And then a lot of the work I do is dealing with incidents, threats and the legal ramifications of those prosecutions or litigations if it arises. I am dual hatted, being a qualified and registered professional at H&S as well as security, as there is a lot of synergy between the two sectors and the laws governing them.

Just for an idea of size, when you’re talking about estates, how many buildings and how many employees does that equal?

We’re currently in the ballpark of 6,000 employees. We float a little above and a little below that figure and the organisation fluctuates. We’ve got a dozen sites. The majority of them are fairly small community operations where we are co-located with other services. We operate two hospitals, one of which is a 53-acre site. Our other site is a historically listed building slap-bang in the middle of Bath City itself.

You are heavily involved in RISK management. With that insight, what would you say are the most common incidents faced by healthcare security?

(note: anti-social behaviour is defined in the UK as behaviour that has or could lead to harassment, alarm or distress)

Security teams will most commonly be called to instances of violence and aggression towards predominantly ward or ED staff and they would be called to intervene. They would also be called to instances where patients are, for various reasons, out of control—often medically induced— and posing a danger to themselves, to the staff or to other patients. Aside from that, they deal with quite a lot of low-level anti-social behaviour: skateboarders, bikes, minor acts of vandalism and patients with challenging behaviours or confusion. They will address other anti-social behaviours such as public drunkenness on the site or people under the influence of other substances. They also will deal with missing patients and anyone where there’s a welfare or safeguarding need. They deal with any criminal acts such as threats that occur on the site and any threatening behaviours, thefts, criminal damage or whatever the day throws at them.

Security teams will most commonly be called to instances of violence and aggression towards predominantly ward or ED stanff and they would be called to intervene. (quote)

Your officers have to deal with a large range of incidents. Are your training processes different from other forms of security?

Very different. Healthcare security is a unique sector and exceptional in its challenges and legal framework. I’ve worked across most sectors of private and commercial security in my career path. The way we train healthcare officers is very different. You can’t just transpose a typical and even well qualified security officer to a healthcare roll without a lot of additional training. The fundamentals of patrolling, arresting, and addressing criminal activity are much the same but with healthcare comes all the variables of mental health, deprivation of liberty and the fact that we’re operating a site that is by virtue of our operation, open to the public.

We are the size of a village. We have thousands of people pass through the site every single day and whilst the site is privately managed, the people who are coming to our site do have a right to access the medical services provided by the NHS. They could be someone who is misbehaving or presenting challenging behaviours, but we have to bear in mind that they might be misbehaving because of an illness or condition. So we have to be mindful of their human rights and compliance with safeguarding, dignity, confidentiality and the Mental Health Act.

Healthcare comes all the variables of mental health, deprivation of liberty and the fact that we're operating a site that is by virtue of our operation, open to the public. (Quote)In terms of training, how big is the de-escalation component of the training process?

It’s a major part. We don’t want to end up with a hands-on situation. We want to de-escalate the situation. So, the security officers undertake de-escalation training which we call Conflict Resolution.

They do undertake specific control and restraint training that is of a type suitable for use on patients with various conditions and syndromes, but there are also lots of techniques in between the extremes, including Mental Health and softer approaches to engage with people with specific conditions or syndromes. They’re trained in dementia, and then they’re also trained in approaches and methods to use with people under the influence of drugs or alcohol.

They’re trained to look out for people who might be subject to a number safeguarding concerns, such as modern slavery, or under the control or coercion of others.

Ultimately, they can and will go hands-on if they need to but will do so in respect of the legal process and continuum of force and proportionality. They will use force, they will restrain someone but if you end up restraining someone you are, under our law, depriving them of their liberty and ultimately could be construed as making an arrest or risking injury to themselves, the individual or others.

We have to apply the minimum proportionate and reasonable level of force to the circumstance and we would always try to de-escalate the circumstance rather than rely on using force. We’re looking for a win-win outcome. We have to think of everybody’s safety, including that of the Security Officers.

We have to apply the minimum proportionate and reasonable level of force to the circumstance and we would always try to de-escalate the circumstance rather than rely on using force. (Quote)What are some common mistakes healthcare security operations make when approaching an incident?

Hopefully, we’ve learned from a lot of them, but making assumptions is probably the biggest and most common mistake. I’ve outlined in part of my previous answer that the situation you are approaching might not be as it seems at face value and if you’re responding to an escalated incident that’s come over the radio, you’ve probably been given somebody else’s perception of the scenario and possibly someone who’s adrenalized and involved. So you have to adjust your approach and make your own assessment of what is happening and respond accordingly and impartially. What we’re looking to do is address the actual causes rather than react to the symptoms which again feeds into that whole de-escalation cycle.

How about mistakes at a strategic level?

A mistake I’ve come close to making myself is being too reliant on technology. Technology is fantastic and great things can be achieved with it but you need to focus your investment in getting the fundamentals right, attaining a high level of security awareness, understanding your threats and encouraging a security culture. As I’ve said, we have thousands of people on our site including staff. They are both our biggest weakness, but potentially our biggest asset if we make them security aware and bring them on board to the concepts to keep everyone safe.

A thousand CCTV cameras won’t guarantee you a secure facility. The right technology used in the right place will help however, and be an asset or invaluable tool. You’ve got to identify your true underlying root causes and then address them with a focused response using appropriately selected and well specified technology with the right training and compatible with your other hard and soft systems.

Do you use incident data to make your work environment safer? If so, in what ways do you utilize it?

Yes, absolutely. We use both post-incident data and we use intelligence. We will review any information available to us. We conduct analytics on it to look at things like hot spots or for any trends, patterns or triggers. We’re trying to identify cause and effect to get to the actual root causes of security problems and address those. We then look at what the ancillary cause and symptoms are or deflectors, and review what we can address and remove from the risks to provide a safe working environment.

And when we’ve responded to an incident, or over a period of time, a series of incidents, we will then look at how we responded. We ask ourselves what worked well, what didn’t do well and try and extract the actual lessons to learn. It’s a cycle of continuous improvement.

Predominantly we utilise an incident-reporting and analysing database driven management system, which we will then do trend analysis on and generate analytics. We’re looking at hot spots and common recurring themes or anything that stands out as a trend or a commonality – both good and bad.

We're trying to identify cause and effect to get to the actual root causes fo security problems and address those. (Quote)Do you use your analytics in your meetings with higher-ups to demonstrate the value of your security operations? Is that helpful?

Yes, security is often a very undervalued or unappreciated service. And by virtue of its success it negates observable benefits. So a key part of a role like mine is to raise the profile and added value to the organization. We’re constantly trying to develop and look at different metrics for this – both quantitative and qualitative, to present the tangible and intangible benefits and deliverables to the organisation. We can provide intrinsically an overview of what security actually does and what they face. Right now we’re trying to measure when we’re successful; so trying to measure what “didn’t happen” in other words. That’s a very hard, almost intangible facet to measure.

You can look at, compare and contrast to previous years and like-for-like organisations, and then take into account new initiatives or new processes you’ve implemented and see if any reduction in impact and ultimately cost experienced are directly attributable to what you’ve done. You can also benchmark against alternate trusts and organizations.

We also go through some of the security associations like the Security Institute, ASIS and of course NAHS, to get statistics from them and contrast different operating arenas for security to look at what is effective. We are continually promoting professional development and best practices. This is why professional bodies such as these are invaluable in our industry.