2. Define responsibilities to monitor contractual requirements (design effectiveness)
Overall rating: Moderate
Impact: Medium
Likelihood: Likely
Observation: While reviewing the relevant third-party risks with respect to contracts with the outsourced security service provider, we noted the following:
  1. The contract with the current security service provider was not signed until 56 days after the commencement of services. The service date was also changed from what was in the original RFP (Aug 26, 2019 to Oct 1, 2019).
  2. Site-specific emergency management training (including drills by HR) was not provided consistently across all facilities to the security service provider’s staff.
  3. Service level performance measures are not clearly documented in the contract nor are designated roles for monitoring service levels clearly defined.
  4. Post orders were not ready for release to security service provider’s staff prior to their allotment (as of the date of fieldwork). It is also not clear whether the security provider staff signed the post order acknowledgement form prior to commencement of duty.
  5. A third-party security consulting firm has been retained to document the Security Master Plan by conducting security threat/vulnerability/risk assessments (TRVA) of five (5) selected sites as per the RFP. It was noted:
    • a standard template for conducting assessments has not been shared with the City as of our fieldwork; and
    • meetings with the consultant regarding discussion and updates are not documented/tracked.
  6. Mobile patrolling units are primarily used for alarm response, and occasionally for fire watch. These units are equipped with GPS; however, the City does not have direct access to the GPS data. Mobile patrol usage by the contractor is not tracked.

Please also refer to consideration for improvement #2 related to vendor performance evaluation.
Implication: Inappropriate response or service impacting City brand and/or financial obligations. The security master planning process may be delayed.
Recommendation: Management should:
  1. Consider updating the existing contract to add a service hold clause covering the time gap between the RFP process and entering into a formal contractual agreement with future vendors (including the incumbent).
  2. Facilitate site-specific emergency management training (including drills by HR) so that it is provided consistently across all facilities to the security service provider’s staff.
  3. Define designated roles for monitoring service levels, and consider updating the existing contract to add service level measures with respect to prevention and/or mitigation of security events, including:
    • Regulations Management,
    • Quality Management Systems & Continuous Improvement,
    • Cost Management and Non-conformance Reporting,
    • Performance/Schedule/Timeline,
    • Management and Allocation of Resources, and
    • Communication.
  4. Provide post orders to any new security service provider’s staff prior to their allotment at their respective posts. For future practice, prepare and release security service provider post orders prior to post allotment. The post order acknowledgement form should be signed off by the respective security staff prior to commencement of duty.
  5. Obtain the standard security assessment template from the third-party security consulting firm so that similar future security assessments can be conducted independently, document and track progress of the service received, and maintain agenda items and/or minutes for meetings held.
  6. Arrange with the contractor for access to the source GPS data from regularly deployed mobile patrolling units. Formalize tracking of mobile patrol usage.