Working Together: Risk Management and Value Engineering

Steve Martin

Steve Martin

Steve Martin examines the similarities between risk management and value engineering, and assesses how the two disciplines might work together in the real world with a view to enhancing security regimes for today’s organisations.

Upon an initial glance, risk management and value engineering may seem like two disciplines so different that they must surely contradict each other, not least because one may increase costs in the interests of efficiency while the other could seek to decrease them. As a result, it’s fair to suggest that these disciplines cannot co-exist in helping a business to function more effectively.

Actually, that’s not the case. If correctly applied, both risk management and value engineering can help a business to run more efficiently and, if brought to bear on the commissioning of security technology, may help ensure the host concern selects the appropriate solutions for meeting its defined needs.

How so, then? Well, that depends on how value engineering is actually applied in the real world. If applied in its purest form, it will complement the discipline of risk management and help end users make informed choices when it comes to the selection of specific security systems.

However, the problem starts when the discipline of value engineering is either diluted or warped by a desire to cut costs.

In its purest form, value engineering is employed to solve problems and identify and eliminate unwanted costs while always maintaining function and quality. The major issue when it comes to construction and construction projects, though, is that it’s more commonly used to cut costs. This is symptomatic of the construction market, where margins are low, tenders competitive and projects veer towards running over budget (not to mention close to the delivery timescales).

This is at odds with the true idea of value engineering which places an equal emphasis on function and cost. The crucial question it asks is whether the most cost-effective solution will deliver the project’s objectives. While cutting back on initial costs may deliver savings, when it comes to security such an approach will often have longer term consequences for the business, its bottom line and, in some cases, its reputation in the wider world.

Greater risk for end users

If this approach were applied in its purest form to commissioning security technology, it would duly result in a more expensive system being replaced with one that delivers identical levels of functionality.

That said, if cost rather than value was the deciding factor, the underpinning software within this technology that facilitates expansion, updates and firewalls may be less intelligent over time. That results in a greater risk for the end user of the software becoming obsolete more quickly, an increased risk of false alarms, inoperability with other components of the building management system and parallel ‘soak in’ problems which increase labour costs. There will also be longer term costs for the end user.

As a result, the key question to ask in this scenario becomes: “What will it cost us if the security system doesn’t deliver?” rather than: “How much will it cost us now?”

What are the security goals?

Given that better quality security systems are usually more expensive, the key driver in deciding which system to install usually depends on the client’s goals and desires for their building’s security. Typically, these will vary depending on the building and its users.

For instance, hospitals may require little in the way of intruder alarms and preventative security devices, but may need to invest money in CCTV and access systems for their entire estate – and not just the buildings – as well as more high-end alarm and monitoring systems to protect those secure or otherwise sensitive areas where patient records are kept.

Similarly, the sensitivity of medical data may require high-performing cyber security support to protect it from hackers, particularly so as hospitals move closer towards a less paper-based way of keeping records.

In contrast, while a bank may have similar cyber security needs to a hospital, it might also require top-of-the-range monitoring, intruder alarm and hold-up systems due to the large amount of cash kept on the premises and the number of people using it on a daily basis.

What’s clear from these two examples is that value engineering must remain true to its original purposes and not be used as a means of cutting costs. The repercussions of cutting costs on security systems in the two instances outlined above are serious. Imagine the damage done to a bank or hospital’s reputation if its data files were hacked, or if acts of fraud were committed and there was no way of identifying the perpetrators.

How does this fit with the principles of risk management, though? It can be argued that risk management could be used to ensure that value engineering is employed in its purest form, not as a means of cost-cutting.

For instance, the idea that everyone is part of the delivery team and that recruiting specialists help where necessary would allow for security professionals to be brought in at the design stage of a new facility or when it’s time to examine the redevelopment of an existing one. This would ensure that the decision-makers could make an informed choice on their security systems having consulted with the experts and understood that the functionality of a system may be compromised if it’s replaced by a cheaper model – resulting in a greater security risk for the business.

Value is subjective

One key issue is that defining value in terms of security technology is very subjective and pretty much depends on the building’s function, but this is where risk management can help reach a decision that’s best for the business.

The notion that security is part of every technology decision and should not be seen as ‘an expensive add-on’ is entirely in tune with value engineering’s idea that every pound spent should deliver the greatest return. In the event of a security threat, this informed approach to risk management would enable the decisions made to stand up to scrutiny if the systems were able to repel that danger.

Equally true is that the decision to go with a cheaper system could be learned from and resolved quickly as there would be a record of the decision made and the rationale behind it.

Element within the supply chain

One problem with the construction project process is the fact that specialist contractors – in this case security installers – are very often not in direct contact with the client, but rather part of a supply chain. As a result, when value engineering is carried out the focus is more often than not on cost reduction.

Just as importantly, the perceived value of the systems is evaluated by the main contractor and client – or, in some cases, the designer – with little regard for the impact this will have on functionality. This may result in lower costs, but it may well not provide value for money in the long term if the cheaper system doesn’t deliver the kind of solution ultimately demanded by the host business.

The solution is to bring specialist contractors into the project team earlier and allow them to work directly with the client during the fledgling stages of the project. This means that the contractor who will ultimately be installing, commissioning and maintaining the system can provide its insight and expertise around what system best suits the client’s business needs.

For their part, the end user customer can then make an informed choice about what security systems they want in their building.

The approach outlined would mean the risks to a business have been mitigated due to advice having been offered by specialists and duly taken on board by the client, and that system functionalities have been the priority as opposed to the overall cost.

In a sense, this highlights how the disciplines of risk management and value engineering can work together for the overall benefit of the building’s operation and its end users.

Sadly, it’s a lesson many of today’s businesses end up learning the hard way.

Steve Martin is Head of the Fire and Security Association

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts