Hotels Will Always be Soft Targets - How do we assess their Levels of Security?
Following on from the blog that was released last week and the requests for information about how I would assess the levels of security at a hotel I have written this follow up blog.
Firstly for those who don't know my history a large proportion of the last 14 years has been spent travelling the world on behalf of a British government organisation as well as within senior corporate positions. (My thoughts and comments are based on those from a customer viewpoint and as the head of security that owned hotels.) During these travels I conducted security risk evaluations on hundreds of hotels from internationally recognised brands to small private hotels/guest houses. The process that I have used has remained the same throughout; although the results, as you can expect have differed.
Establishing the Context
When I'm evaluating the security of a hotel the first stage I adopt is to establish the context and understand the threats and risks that exist. This is necessary because security planning should be risk based and not generalistic in nature. (It allows the targeted use of resources and finance instead of trying to create a one hat that fits all.) I believe that this is necessary for both operators and external third parties conducting reviews.
I also believe that this is the most critical stage of the review process and if this is wrong it impacts everything else that is done. Once the threats are established then the risks they bring can be identified and measured (formally or informally). Again putting things into context there may be a greater number of threats against an international VVIP than against a local staying for one night but the risk from an armed assault would be similar.
When looking at threats it is predominantly the adversarial threats and the risks they bring that receive the most attention although I always consider climatic and utility failures. For the threat evaluation I prefer not to over complicate things and assess based on the HIC (History, Intention and Capability) principles; and tend to assess based on realistic threats as opposed to 'all threat' scenarios. Once the threats are identified then an assessment of the risks can be undertaken to indicate how much of an effect each threat brings and the level of risks that exist/need to be managed.
I would normally carry out this part of the process before visiting the site. In doing so I am already aware of what threat and risks exist and therefore when looking at the vulnerabilities I am able to measure it against informed data as opposed to a generalist overview.
Announced or unannounced. I would always want to conduct an unannounced 'cold eyed' review before I let members of the management know that I was assessing their premises. Where possible I would stay at a different hotel and enter as a visitor in order to see the facilities, staff and management and how they function in a normal daily situation. Where there are no other hotels I would still try and maintain a low profile in order to operate as a normal customer. (Sometimes this is not possible.)
When evaluating a hotel’s vulnerabilities the first areas that I always assess are those surrounding the hotel. I'm looking to see whether there are signs of urban decay, graffiti, damage or a lack of facilities. Is there a police presence? How do they appear to conduct themselves? What do locals think of the hotel and its guests? Is there evidence of anti-social behaviour, drug abuse, prostitution or organised crime? It may be that I will continue this process during the whole assessment and include meetings with other security personnel, police and officials. At this stage information is the commodity that I want and need to support and assist in the assessment.
I always work from outside - in. I would look at the perimeter and grounds. Where there is an assessed threat from VBIED (or other means of attacking) is there stand-off, physical barriers and vehicle mitigation devices? Are they correctly positioned and fitted? This is where the value of establishing the context pays dividends as you are measuring the security features that exist again a pre-determined threat and risk. I would evaluate the physical and technical security measures that exist from perimeter to the guest room and public areas, looking at each are in turn to identify what works well or where there are vulnerabilities. I view each guest room as a safe haven and so my expectations are that they will have secure doors and other security furniture such as safes etc.. I will always walk the emergency evacuation route!
As well as the physical and technical security measures that exist I also assess the staff; not just the security personnel but the general staff as well. Are they alert, do they follow procedures, is there evidence of strong management? Where management know an assessment is taking place it is vital to speak with them to get their view on the situation, training levels, morale and to point out that you are not the enemy. It is equally as important to speak with waitresses, bar staff, cleaners and security personnel. The level of information that can be received with a friendly smile and an ability to listen will always beat that obtained by people who are towing a party line or are under a degree of emotional duress.
Another group whom I would always seek to speak with are the travel reps. They have a responsibility to support and assist their customers. Sometimes they are highly trained and motivated and know their responsibilities (and responses). At other times I have seen reps drunker than guests and lack training and knowledge to support guests during normal activities let alone major incidents.
When I assess hotels I am looking for a balanced approach between the security measures and the hotel functionality, beach, culture, business etc. It is only by doing these things and assessing them again the threats and risk can a proper assessment of the security vulnerabilities or effectiveness be made.
Reporting Findings and Making Recommendations
It is often forgotten that hotels provide a service for people, families and businesses. The management and staff are often competing again a multitude of conflicting interests and they are not security experts. If lucky a hotel may have a competent head of security or they may have not security at all.
If appropriate I will always let the hotel manager and security responsible person know; in general, what my observations are. Where there have been members of staff who are really good I would highlight that finding and I would always thank them. Sometimes it is not possible or appropriate due to the nature or the client tasking the review but where possible I would seek to work with the team and not against them.
Depending on who the client is will depend on the nature of the report. If a client is wanting an evaluation carried out pre-travel the report would indicate suitability or not. It might also indicate what additional operational requirements a client may need with regards to service and support (if no other suitable hotel is available). It is only where the risks become unmanageable would I recommend against its use; this has only happened twice.
Where the client is the hotel themselves then a complete report outlining the context, findings, vulnerabilities, solutions and recommendations would be provided.
When making recommendations I am brave enough to make recommendations based on realistic threats and risks as opposed to an 'all risk' basis (unless that is what the client want). I say this because some consultants try to cover every single threat in order to address any potential liability issues; doesn't really work, if you are professional you bring your judgement to the table and be prepared to stand by your recommendations. I would always seek to make the options and recommendations pragmatic, sensible and cost effective and I would spend time with the client going through the options in order to reach an agreed solution.
I have tried to briefing outline a process that I adopt when assessing the suitability of an hotel for third parties, or when working on behalf of hotels themselves. There will be other processes (formal and informal) that people will use to assess hotels but by establishing the context an informed evaluation can take place against the threats and risks that exist; this works for me.
The solutions will normally consist of one of the four main security measures (physical, technical, operational and educational). The weighting that is placed to obtained a balanced approach will be for hotels and management to make. Increased physical barriers may not be appropriate nor might the expenditure of technical security equipment but there is always the need for hotels to have appropriate operational procedures and adequate levels of training for their staff to play an active part in managing and reducing the security risks.
Hopefully this has helped answer some of the questions that I have received from the readers of my previous blog and I am more than happy to answer others that this one raises.
Please contact Trident Manor (firstname.lastname@example.org) for specialist support in assessing travel safety risks, premises security levels or bespoke training within the hospitality industry.
Please click here to return to the main blog page.