Escort Services: State of the industry or the Industry in a State?

The GTAIB has been involved in various audits and has interviewed various role players within the industry, to determine the role and health of the escort industry, providing assurance to the transport and freight industry regarding the transport of the High Value Goods (HVG).

From a risk management, assurance and compliance point of view, the industry is utilising this resource as a pro-active strategy as part of their Risk Treatment Plan (RTP). But what is the Control Effectiveness (CE) of this preventative strategy and is it necessary and worth the costs.

The GTAIB was very fortunate to be exposed to a number of these service providers and took a critical look at the health of this specific service within the freight and transport industry.

Why is this Preventative Risk Treatment option used?

The answer to this varies from company to company. However, the common denominator for the use of this treatment option (within effective risk management strategy) is to provide assurance. All audited clients were specialists in their own fields, none whose core business is security or to provide specialised security services, such as escort services. A recent GTAIB audit of vendors within this service industry revealed various red flags. The major contributor of the audit findings was regulatory non-compliance. These concerns were:

  • Non-compliance with the industry requirements
  • Service level agreements (SLA) were generic and full of loopholes
  • Standard operating procedures (SOP) were vague and not SMART
  • Vendors were not aligned to the clients' risk management strategy
  • A lack of reporting events, whether incidents, accidents, near misses, close calls, etc.
  • Lack of corporate governance

By analysing the audit and doing some further research, GTAIB identified some key areas of concern.


1.    Non-compliance with industry requirements

In most of the cases, the vendor could not provide validated evidence that they are compliant with PSIRA. They could provide it as an overall structure, but for the resources (staff) they use, no certification for the specific purpose could be provided.

Additionally, it was revealed that off-duty policemen used their official firearms and vehicles to execute the contract. If an incident happens and this practice is exposed, who will be most affected by these rogue services? The answer is simple: the knock-on effect will gravely affect the client.


The risk

This is a great concern, as compliance in this industry is a must and these loopholes could further affect the industry. For businesses, this is indicative of a systemic non-compliance culture, which will eventually cost lives.


The effect

For businesses, this should raise flags, as the services provided are not delivered as per the expectations and SLA. This could have a tremendous knock-on effect on operational risk, financial risk and, when exposed, reputational risk.


2.    Service Level Agreements (SLA) were generic and full of loopholes

Despite requests, the auditor did not receive a contract between the parties involved – not even a draft could be produced. When something was produced, it was of a poor standard and indicative that the vendor provided a standard template contract that favoured the vendor.

Additionally, the Standard Operating Procedure (SOP) was outdated and not applicable to the particular type of freight in question.


The risk

Because the standards of the agreement aren’t confirmed, work is conducted in a vacuum and in “good faith,” where each party involved operates according to their own standards – this is a recipe for disaster.


The effect

This presents both operational and reputational risk to the parties involved. The financial risk needs to be quantified for every non-compliance. This would be a huge saving to the company.


3.    Standard Operating Procedures (SOP) were vague and not SMART

SOPs are the cornerstones of the operational deployment of risk management, as this describes the requirements detailed in the SLA. An SOP is also a legal requirement for any liability claim against the vendor in a contractual issue. The various audits conducted opened a Pandora’s box regarding SOPs. This has a knock-on effect on peace of mind and compliance, and will be reflected in audit findings.


The Risk

SOPs are the extension of the agreed SLA. If the SOP does not describe the risk to be mitigated/treated, then reasons need to be provided as to why not. This then serves as a breach of contract and has a direct effect on the relationship of trust between a company and its vendors.


The Effect

This presents both operational and reputational risk to the client.


4.    The importance of Enterprise Risk Management (ERM) Methodology

Some of the vendors in question had zero knowledge of risk management, what it is, and the importance of ERM for their clients. This creates a gap between the client's corporate responsibility and a vendor with no knowledge of the methodology, strategies or requirements.

Vendors need to align operational risk management with the client's risk management methodology. This results in a common understanding and framework where risk can be managed proactively. Clients should also receive monthly risk management reports.


The risk

No risk-based reporting could be done from the vendor’s perspective, which creates blind spots for both the client and the vendor. This also compromises openness and transparency between the vendor and its client.


The effect

This presents both operational and reputational risk to the client.


5.    The importance of an automated Incident and Investigation Management and Compliance System

Perhaps the most shocking of all the auditor's findings was the fact that vendors do not report their events (incidents, accidents, near misses, etc.). This is usually in breach of the SLA. But is this really followed up?

If a vendor does not have an automated and integrated incident and investigation management or a compliance/auditing system, this is great cause for concern. To record incidents form part of ISO Risk Management, Quality Management, and Health and Safety Management. It is also a requirement stipulated in the Occupational Health and Safety Act (OSHAS).

Without these systems, manipulation of statistics is often an unfortunate result. There is no such thing as an "educated guess," and best informed decisions cannot be made if there is no best available information at one's disposal.

It is imperative that vendors give their clients the assurance that incidents will be logged and that quality investigations are conducted. The client should be able to have access to the systems, draw their own reports, and have access to trend reports, hotspot reports, Business Intelligence, predictive intelligence, and reports over time (date, time, place, per day, per week, per month, per quarter).


The risk

No trend reports, hotspots or centralised management could be done. This is concerning since syndicates are driving the risks in the High Value Goods (HVG) environment, and data mining is impossible with a manual system.


The effect

This holds an operational and a possible financial effect for the client.


6.    The importance of an up-to-date Standard Operating Procedure

The SOP provided was outdated, wrong, and addressed a completely different methodology.


The risk

The lack of corporate governance will lead to misaligned objectives, while the communication gap between the client and its vendors is significant and will affect transfers.


The effect

This poses financial, operational and reputational risks to the client


7.    Lack of corporate governance

Most of the clients the auditor has provided work for are either listed on the JSE or on other similar global structures. This means that they need to report and declare any poor corporate governance - not only internally, but also in their financial reports. With King IV, SOX, and other corporate governance guidelines (Common Law) available to adhere to, it should be asked why corporate governance is in such a poor state.


The risk

This poses financial, operational and reputational risks to the client


The effect

The lack of Corporate Governance will lead to misaligned objectives, while the communication gap between the client and its vendors is significant and will affect transfers.


Recommendations

Raising awareness of these concerns is one thing, but how does one act upon them?

The GTAIB and its strategic partners are experts in this field and, with a simple audit, problems can be identified and solutions recommended. We have the standards, the experience, the validity in the market, and are aligned with the corporate governance institutes, both locally and internationally.


Conclusion

The questions asked were:

  • What is the state of the industry?
  • Is the industry in a state?

With the evidence collected over the past year, the GTAIB can answer these questions: A critical look reveals that the industry is indeed in a state and that clients are operating under a false sense of security - blindly trusting the "specialists" who fail to adhere to the basics of corporate governance, ERM, and industry best practices.


Contact the GTAIB:

For any enquiries on how to address this burning issue, please feel free to contact the GTAIB on: