You need a security assessment done at one of your organization's sites and you’re about to price out vendors. Before you start to solicit proposals from contractors, however, take a moment to think the process through. Many organizations are so focused on getting a quote, they don’t think about what else they want from the RFP (Request For Proposals).
Your RFP or RFQ (Request for Quotations) gives you the opportunity to optimize your purchasing process as well as the risk assessment itself. All you need to do is put in some thought at the beginning of the process.
Do your homework before you issue an RFP or RFQ
Prework is critical when you’re putting together a request. You need to know what you want before you ask a company to provide it. Define exactly what you want the outcome to be, and engineer the scope of work (SOW) around that.
Specificity is key when you’re writing an RFP. For example, don’t ask for a “general,” “all-hazards,” or “all-encompassing” assessment. All of those are terms you want to avoid because they are vague: a company responding to the request can define a general assessment however it likes, and its definition of “general” may not match your needs.
Be specific when writing your RFP
Your RFP should communicate exactly the items you want assessed. If you want the risk assessor to look at cameras, access control, and lighting in specific areas, communicate that.
You should also be specific about the items you do not want assessed. This is important for a few reasons: you might not want certain proprietary information revealed or there may be some special circumstances the assessor might not understand.
Take the example of an assessment I once did at a site. The company wanted us to look at cameras, access control, and policies and procedures. They were vague, however, and told us to mention any other possible risks we saw in our report. The site was under construction. During the assessment, we came across a group of chemicals that should not be stored together shoved under a stairwell. The contractor didn’t have space in the facility, so he left his things there, causing a hazard. Because we did not have a defined scope for our assessment, we could not ignore it. While it was right to report this hazard, the site manager was not pleased, and neither was the contractor. However, executive management was appreciative and asked us to assess their locations across the country.
What should your RFP or RFQ include?
Your request should include the following:
The big picture: What are your desired outcomes for this assessment?
Task-level responsibilities: What is expected of the assessors? How many assessors are you expecting, and what tools do you expect them to have? Do you expect them to use digital tools to create an interactive report?
Workflow expectations: When will the assessors be on site? What do they need to do to be allowed on site? Will they need access to certain individuals from your organization during the assessment? This is to ensure relevant people are present and available during the assessment.
Key standards and practices: What standards does each site being assessed adhere to? In the absence of site-level standards, does your organization adhere to company-wide best practices? If not, have you considered using the ASIS Physical Asset Protection Standard (PAP)?
There are administrative considerations that should be included in the request as well:
Specify an amount of post-assessment time with your subject matter experts for presentations of findings, recommendations, and consultations.
Require that additional charges be subject to your pre-approval. For example, if an assessor gets halfway through your assessment and decides they need other tools or more time, require that they submit a justification so you can approve or deny it.
Clearly state that failure to obtain pre-approval will be at the assessor's cost.
Tell the vendors how you want them to communicate with you, through a dedicated portal or platform, for example.
It’s wise to go beyond simply issuing an RFP or RFQ. Consider setting up a pre-qualification process that includes an interview, evaluation and sample deliverables. I’ve found that doing this eliminates unqualified bidders quickly.
Be specific about how you want assessment data delivered
Require that the successful bidder commit to providing their data in the form of a spreadsheet or a digital platform, so that you have your assessment data almost as soon as the assessor leaves the site.
You can still request a narrative backup report, but if your team has to build that spreadsheet itself, it can take anywhere from two weeks to two months to go from awareness of a problem to remediation of that problem.
As the client, you have the ability to request the tools you want used in your assessment. Consider, for example, “writing time,” which assessors charge for. This means you are paying for time you can’t measure, and it also means you’re not getting your data in a timely fashion. In many cases it takes about two weeks or more for the report to be written.
To control this, require that the costing be limited to the assessor’s time on your site. They should know how to adjust their rates given that constraint, and if they are using a digital platform to complete the assessment, they won’t need writing time.
Circadian Risk’s platform offers this functionality. Using our solution, assessors are able to evaluate your site on a tablet as they walk your facility, taking pictures and notes synced to your site’s floorplan or map. All of that data is available to you as soon as the assessor is finished with their visit. That information can then be turned into a checklist for remediation.
To learn more about how Circadian Risk can transform your risk assessments, contact us to speak to a security expert.