
TRANSEC Compliance Framework
Introduction
1. This document sets out the objectives of TRANSEC’s
compliance programme, the processes, principles and working
practices TRANSEC compliance inspectors will follow in
carrying out that programme, and the principles of
co-operation between TRANSEC and industry.
2. The document has been drafted so as to be applicable
to compliance activity across all the modes of transport that
TRANSEC regulates. Accordingly it makes reference to some
activities or processes that may, at the time of writing,
apply in some modes but not in others (for example Multi
Agency Threat and Risk Assessment (MATRA) meetings are not
relevant across all modes of transport). TRANSEC’s Heads of
Compliance Branches will be pleased to provide clarification,
if needed, in respect of compliance activity in specific
modes of transport.
TRANSEC Mission Statement
- To protect the travelling public, transport facilities
and those employed in the transport industries primarily
against acts of terrorism, to retain public confidence in
transport security whilst not imposing requirements that
impact disproportionately on the travelling public or on the
effectiveness and efficiency of industry operations.
- To co-ordinate the Department for Transport's
arrangements for responding to serious disruption of national
life, actual or threatened, however caused.
Compliance Objectives
3. The objectives are:
- To organise a proactive and reactive programme of
compliance monitoring activity to maintain and, where
necessary, enhance standards of security; to take timely
action, in line with the stepped approach, where deficiencies
are identified.
- To engage with industry at all levels to influence their
strategic and tactical thinking so that security forms part
of the business planning and decision-making process.
- To encourage industry to take ownership and
responsibility for security and adapt their quality assurance
activities accordingly.
TRANSEC Definition of and Approach to Compliance
4. Our definition of compliance is:
“The consistent and effective application of security regimes
by industries regulated by TRANSEC.”
5. TRANSEC regulates the following industries:
- Aviation
- Maritime
- Channel Tunnel
- Heavy Rail
- London Underground
- Light Rail (DLR and Glasgow Subway only)
- Road industry (transportation of dangerous goods only)
6. TRANSEC seeks to achieve compliance by carrying out
the following activities:
- Monitoring the level of compliance by industry through a
range of inspection and audit activities.
- Carrying out covert tests of security procedures and
overt tests, e.g. through checking the quality of X-ray
machine images.
- Assessing whether there are any new vulnerabilities
within existing security programmes.
- Where necessary, enforcing the requirements through the
agreed stepped approach.
- Engaging with industry at all levels from the Board and
senior management to front line security staff.
- Providing advice and guidance and giving re-assurance
where necessary on our security measures.
- Persuading industry to carry out recommended practice.
- Supporting the provision of industry training through
e.g. the provision, in partnership with the Security Service,
of training for industry security managers and others; the
setting of training standards for industry security staff;
the provision of training aids; leading sessions on formal
industry training courses and other informal gatherings of
industry groups at all levels.
- Attending local security committees to promote and
clarify security requirements.
7. A note setting out how we seek to ensure compliance
by the transport industries is at Annex A.
8. A note describing our types of inspection activity
is at Annex B.
9. A note about the role of covert testing as part of
the compliance regime is at Annex C.
10. A note about assessing new vulnerabilities within
existing security programmes is at Annex D.
The Principles of TRANSEC Compliance Activity
11. The principles may be summarized as follows:
- Recognition of the importance and value of compliance
activity in delivering TRANSEC's mission statement.
- Allocation of sufficient resources to meet the compliance
programme set out in the TRANSEC Business Plan and to respond
to changes that have to be made during the year, e.g. change
of threat levels, major security breach that requires
investigation, etc.
- Commitment on the part of inspectors to
contribute to the improved compliance of the organisation
being inspected or monitored, providing business specific
advice, with a willingness to adopt a pragmatic approach.
- A focus on outcomes.
- An appreciation of the industry perspective.
- Compliance activity proportionate to risk.
- Encouragement of rigorous industry quality assurance
based on evidence.
12. In carrying out their activities compliance inspectors will:
- Share with industry the criteria on which they are
forming judgments.
- Be open about their processes.
- Have regard to value for money in carrying out their
work.
- Seek to continually learn from experience.
- Seek management approval before instructing industry to
initiate actions that may involve significant financial or
operational implications.
Risk Management
13. Although all organisations are liable to inspection
at any time, TRANSEC will adopt a risk based approach to its
compliance monitoring programme. Organisations will be
inspected according to a risk assessment. The main factors
considered will be:
- Threat level
- Size or profile of the location
- Amount of traffic and number of passengers
- Compliance record
- Previous speed of rectification by the Directed or
Instructed organisation
- The commitment shown by the organisation to compliance
quality assurance and the strength of its own quality control
mechanisms.
14. In addition, TRANSEC is responsible for
investigating alleged and real breaches of security, which
may be drawn to our attention by the media, members of the
public or individuals working within industry.
15. A note on how inspection activity will be targeted
is at Annex E.
16. A note on how other compliance activity will be
targeted is at Annex F.
How TRANSEC Compliance Teams Operate with Industry
17. Responsibility for implementation of the
Department’s requirements rests wholly with industry. TRANSEC
aims to have a constructive and professional working
relationship with industry. We will work collaboratively and
will offer advice and guidance and, where necessary,
re-assurance.
18. However, we will adopt a firm stance if the agreed
time has been allowed and compliance or appropriate
rectification action has not been achieved. We must always
bear in mind that, through the Secretary of State, we
represent the public interest. Having taken into account the
circumstances behind the failure to comply, judgements on
enforcement action rest with TRANSEC.
19. In view of TRANSEC's responsibilities for
monitoring and, where appropriate, enforcing the Department’s
security requirements, we are obliged to have regard to the
Government’s Better Regulation Initiative. A balance is
required between the essential need to protect the public and
taking a reasonable line with industry. However, persistent
and avoidable breaches of Direction or Instruction and/or
continued failure to follow the relevant security programmes
will not be accepted.
20. TRANSEC will involve industry managers in
discussions about compliance issues and where possible will
reach a mutually agreed position about what needs to be done,
and within what timescale, to achieve an acceptable level of
compliance. Industry managers are able to approach the
appropriate TRANSEC senior manager if they are unhappy with
how a particular compliance issue is being handled. If
industry has more generic concerns about TRANSEC’s compliance
activities then such concerns may be raised formally through
the appropriate national security committee or operational
sub-committee.
How TRANSEC Compliance Teams Operate with other stakeholders
21. Where appropriate we will liaise closely with other
stakeholders who may be affected by our compliance
activities; for example, we will always liaise with the
appropriate police force in respect of covert tests. Our most
regular form of liaison with stakeholders will be through
attendance at local security committee meetings, through
attendance at MATRA (Multi Agency Threat and Risk Assessment)
meetings where these are held in order to co-ordinate the
assessment and response to risks across the whole range of
operator and control agency interests, and through other
local meetings such as maritime portal partnerships.
Professionalism and consistency
22. TRANSEC management expects the highest levels of
professionalism from its staff, including those employed as
compliance inspectors. We seek to adopt a transparent,
consistent approach to compliance. This will ensure that
industry knows what is expected of it and the consequences of
failing to implement measures properly. No distinction
will be drawn between small or large companies, or between
British or foreign ones operating in equivalent security
sectors.
23. All TRANSEC compliance inspectors undergo specific
training to ensure they understand the requirements placed on
industry, and the standards expected to achieve compliance.
Every effort is made to ensure consistency of judgement and
response by compliance staff. Industry concerns about lack of
professionalism or lack of consistency of judgement should in
the first instance be raised with the appropriate senior
inspector or the Head of the relevant modal compliance team.
What we expect from industry
24. We expect and encourage industry to:
- Rectify deficiencies promptly and effectively.
- Be responsive to TRANSEC's advice and guidance.
- Put in place compliance quality assurance programmes.
This should be a strategic and systematic approach, probably
carried out by an internal audit team.
- Devote resources to monitoring their own performance and
standards on the ground, i.e. the day to day monitoring which
should be carried out by supervisors and their managers.
Stepped Approach to Compliance Monitoring
25. Generally, TRANSEC takes a six-stepped approach to
rectification and enforcement. We give due warning of the
need to rectify failures found by Inspectors. If deficiencies
cannot be put right on the spot then, generally, reasonable
time is given to sort out any problems. Thereafter, or if
there is repeated failure, appropriate enforcement action is
taken. In cases of serious or repeated breaches TRANSEC
reserves the right to omit some steps in the process.
26. A note setting out the stepped approach in more
detail is at Annex G.
Use of Partner Agencies
27. Where appropriate, TRANSEC may develop arrangements
with other government agencies to conduct security
inspections on its behalf. Currently arrangements exist
with MCA (in respect of cargo ships) and VOSA (in respect of
the carriage of dangerous goods by road). The detail
and principles of these arrangements will be enshrined in
MOUs between DfT/TRANSEC and the relevant agency and will
properly reflect TRANSEC's compliance philosophy.
Working Collaboratively
28. Compliance teams across TRANSEC will share best
practice. They will also work closely with programme
development colleagues to ensure that our security programmes
are proportionate, responsive and practical.
29. An internal TRANSEC compliance forum, to which all
Inspectors will be invited, will meet twice a year to
facilitate information sharing, review consistency of
approach and provide a sounding board for the Heads of
Compliance teams.
International Dimension
30. Where applicable we will ensure our compliance
monitoring regimes and enforcement programmes meet
international requirements.
TRANSEC
July 2006
ANNEX A
How we seek to ensure compliance by Transport Industries
The balance between inspections and other types of engagement,
e.g. providing advice and guidance
- The amount of time spent on each of the activities
described in the Compliance Policy Framework, and in
particular the amount of time inspecting compared with
providing advice and guidance, will vary according to the
mode and the maturity of the security programme.
- The objectives of our programme of inspections are to:
- ensure that the requirements in the legal
directions/instructions served by the Department and
recommended practices are being implemented so that the
required standards of transport security are maintained;
and
- identify deficiencies in transport security standards
and procedures and ensure that they are rectified.
- Inspections will be of sufficient depth for a judgement
to be made about the standards achieved and the effectiveness
of transport security and associated measures.
- Inspections of directed organisations may be
conducted at any time. To maximise their
effectiveness, inspections are often conducted without
giving any warning to the organisation(s) concerned.
TRANSEC Compliance Inspectors will carry appropriate
identification at all times they are conducting compliance
activity.
- Overt inspections are activities undertaken where the
presence of an inspector is declared or should be readily
apparent to the regulated party.
- Covert inspections are activities undertaken that are
undeclared to the regulated party until completion.
- We actively pursue a policy of close liaison with the
industry as part of our objective of obtaining
compliance. This includes discussions with senior
managers, including at board level, speaking at training
courses/seminars for security staff, taking part in joint
audits of security with industry teams, participating in, and
contributing at other meetings where we can assist and
encourage greater industry responsibility for compliance.
This is part of our policy of reducing our reliance on the
traditional style of inspection to one that will encourage
greater responsibility and ownership on the part of the
industry.
- We actively work with industry to ensure that it has
robust systems for delivering good security and for
monitoring its own performance, e.g. by attending meetings
with senior management to discuss internal quality control
and audit programmes.
- Longer term, our focus is likely to be more on management
and supervisory systems within the industries than on the
security activities themselves, although we will continue to
obtain first hand assurance that the latter are being carried
out to the required standard, through front line inspection
activity. The timescale for this will vary between the modes
and security programmes.Within this overall strategy it is
for the relevant Head of Compliance to decide the precise
balance between inspection activity and other types of
engagement, taking into account the amount of time the
security regime has been in place, the complexity of the
measures, and the general levels of compliance in each area.
Annex B
Types of Inspection Activity
- The following types of inspection activity are or may be
undertaken by TRANSEC. In carrying out on-site activity
Inspectors will also be expected to consider and identify
significant vulnerabilities not addressed by existing
measures.
Standard Audit
An in depth compliance assessment of every significant
aspect of security provided at a location within the
relevant TRANSEC security programme, or selected aspects of
security provided at a location within the relevant TRANSEC
security programme. An Audit may take several days and
involve a number of compliance staff.
Programmed Inspections
An examination of one or more aspects of the security
regime, normally carried out within a day or part of a day.
(This may include re-inspection to follow up previously
identified deficiencies).
Thematic audit
An in depth assessment of a particular function or aspect
of security at a particular location.
Thematic inspection
An assessment of a particular function or aspect of
security at a broad number of locations within a given
period of time to give a snapshot “state of the nation” of
industry compliance.
Mini Audit
Generally undertaken at smaller locations and will not
always include all functions and aspects, but will cover
enough to be more than a thematic audit.
Desktop assessment/audit
Information will be requested from the regulated
organisation and an assessment of compliance made, based on
that information (see below). This will be used to inform
subsequent audit activity.
In some instances it is possible that a site visit does not
actually need to take place if we have sufficient
confidence in the information provided. A judgement will
need to be made on a case by case basis.
- All of these activities have a part to play in monitoring
compliance and achieving rectification where deficiencies are
identified.
- It may be that a programmed inspection will result in a
thematic audit or thematic inspection. Audits may lead to
programmed inspections or thematic inspections.
- A short report or letter will be prepared and sent to the
regulated organisation in all cases following an audit, mini
audit and desktop assessment/audit. Increasingly the
expectation will be for letters to be sent following thematic
audits and thematic inspections as well as programmed
inspections.
- Where deficiencies are identified a deadline will be
given for a written response setting out the proposed
rectification action, along with a timetable where
appropriate. A decision will then be taken on whether a visit
is needed to monitor rectification or whether we can rely on
the written response.
Pre-audit questionnaires
- Pre-audit questionnaires may be issued. These might cover
one function or a number of functions.
Annex C
The role of covert testing as part of the
compliance regime
- Inspection activity can establish whether security
measures are being implemented, but may not necessarily
confirm either the quality of implementation or the adequacy
of the measure itself.
- Effectiveness of implementation and adequacy of the
measure can be objectively established only by realistic
covert tests of transport security. We are also
required by international obligations to have in place a
testing regime.
- Covert testing will therefore play a part in the
compliance monitoring regime for each mode and robust
protocols will be in place to govern the operation of the
test programme.
- The objectives of TRANSEC's test programme are to:
- Test the compliance of the security procedures of
industry.
- Test the effectiveness of the modal security
programmes.
- Improve transport security standards.
- Help motivate security staff.
- Contribute to the policy making process.
- TRANSEC will carry out joint testing, where appropriate,
with industry and encourage industry to put in place
self-testing programmes and share the results with us. We
will quality assure these programmes against our own test
protocols and recommend that industry puts in place a formal
protocol.
Annex D
Assessing new vulnerabilities within existing security
programmes
- Compliance teams will ensure that policy/programme
development takes full account of the practicalities of
compliance monitoring and inspection, industry self-audit and
quality assurance, and any other relevant operational
realities.
- There will be regular communication (including formal
meetings) between modal compliance and policy/programme
development teams.
- There is no such thing as a perfect security regime and
there will always be potential for vulnerabilities to arise
which are not covered by any of TRANSEC’s existing guidelines
or regulations.
- As well as monitoring compliance against existing
measures or requirements, inspectors will seek to identify
any significant programme weaknesses or vulnerabilities. If
an inspector becomes aware of a vulnerability which falls
outside the scope of TRANSEC’s existing requirements or
recommendations they will inform their immediate line manager
and the relevant Head of Compliance. The Head of Compliance
will then decide if and when to advise policy/programme
development colleagues.
- In addition, specific vulnerability assessments may be
organised, in consultation with policy/programme development
teams and/or other stakeholders as appropriate (for example
the Security Service). Where appropriate the findings of such
assessments will be taken forward in the context of MATRA.
- In carrying out vulnerability assessments, compliance
teams will take the following into account:
- The threat to transport systems from terrorists is a
measure of the probability of an attack being attempted
against those systems within a specified time frame.
- Vulnerability is defined as those characteristics of
transport which could be exploited during an attack.
- Risk is a measure of the probability that terrorists
will attempt an attack against transport and succeed in
exploiting transport systems’ vulnerabilities.
Annex E
How inspection activity will be targeted: Key factors that we
will use to decide how often locations are visited
- Resources will be directed at the place where they can do
most good. The best way for this to happen is through a
robust, open and tested system of risk assessment, which
takes all relevant information into account. This enables
inspection resources to be concentrated on the most at-risk
organisations within the transport industries.
- The frequency of visits to particular locations and the
frequency of inspections of particular functions will depend
on a number of factors. These include:
- Threat level.
- Size or profile of the location
- Amount of traffic and number of passengers, including
the amount of international traffic.
- Number of "at risk" or high profile carriers, e.g.
airlines.
- Amount of cargo or freight handled by that location.
- Compliance record, i.e. previously identified
deficiencies, including the number, type and
nature.
- Previous speed of rectification by the Directed or
Instructed organisation.
- The commitment shown by the organisation to self
auditing and the strength of their own quality control
mechanisms.
- Local, high profile, events that may increase the
attractiveness of the location as a target.
- The precise details and weight given to each of these
factors may vary from mode to mode. It will be for the
relevant Head of Compliance to draw up a model for assessing
compliance priorities.
Annex F
How other compliance activity (non-inspection)
will be targeted
- The following (non-inspection) activities also contribute
to effective compliance:
- Taking part in MATRA meetings.
- Attending other meetings with industry.
- General liaison and networking with industry
managers.
- Providing advice, guidance and where necessary
re-assurance.
- Talking and presenting on industry training courses,
both those organised by TRANSEC and those organised by
industry.
- Reviewing security programmes and other security
related documents.
- Carrying out joint inspections and assessments with
industry, the police and others.
How we target
- Some of these activities will be reactive, e.g. attending
a meeting arranged by industry or responding to a document
submitted by industry.
- Others will be proactive, e.g. Inspector activity where
the Inspector can take the initiative in setting up meetings
and networking opportunities to encourage and persuade the
organisation about the importance of compliance and the need
for them to “own” issues and to put in place good levels of
management and supervision.
Investigations
- Investigations will generally be carried out following an
incident, e.g. a real or alleged breach of security; as a
result of industry submitting an incident report; as a result
of information passed to us from a member of the public or
from within industry; following a media story alleging poor
or non-compliant security regimes; or as the result of
specific intelligence relating to an organisation we
regulate.
Annex G
The TRANSEC stepped approach to compliance
The principle of the Stepped Approach is applicable to all
modes.
A generic stepped approach is set out below. Deficiency
Notices and Enforcement Notices may not be appropriate for
all modes/sectors, but this will be kept under review.
It is recognised that industry has the ability to challenge
the findings of TRANSEC compliance staff through the normal
processes of communication and dialogue that exist between
industry and TRANSEC. It is also recognised that
Enforcement Notices provide industry with formal rights of
appeal.
Stepped approach to compliance monitoring
Generally, TRANSEC takes a stepped approach to compliance
monitoring and enforcement.
- We give due notice of the need to rectify failures found
by Inspectors. If deficiencies cannot be put right on the
spot, then generally reasonable time is given to sort out any
problems. Thereafter, or if there is repeated failure,
appropriate enforcement action may be taken. In cases of
serious or persistent breaches TRANSEC reserves the right to
omit some steps in the process.
- When an Inspector identifies a deficiency in meeting the
requirements of a Direction or Instruction, they should, if
possible, get the organisation to rectify it
immediately. Whether the outcome of this action is
permanent, temporary or renewed non-compliance, it will still
form one of the steps in the six-stage process outlined
below.
- Inspectors should bear in mind that, at the time of their
inspection, one or more of the steps may already have been
completed with regard to a particular deficiency. This
underlines the need for effective preparation before a visit,
and especially the need to liaise with colleagues who have
also dealt with the location or organisation in question. The
briefing provided before an inspection will generally
highlight previous deficiencies.
Step 1: Advise
- The first step to be taken on identifying a deficiency
should be to explain in a helpful and informative manner
precisely how the organisation is failing to meet the
Department’s requirements. The Inspector may indicate
possible solutions based on experience and common sense, but
the fundamental responsibility for addressing the deficiency
will rest with the organisation in question.
- This first step allows the organisation to take the
initiative in meeting these responsibilities and acting in
this way should help to maintain TRANSEC’s effective working
relationship with the industry. TRANSEC will take all
reasonable steps to ensure that the advice given by the
Inspector is consistent with that given to other comparable
organisations (or indeed the same organisation) by any member
of TRANSEC.
Step 2: Persuade
- In many cases, where the initial approach has failed to
achieve the desired rectification action, it may be
appropriate for Inspectors to take a stronger line whilst
still stopping short of formal enforcement action. In
these circumstances Inspectors should offer persuasive
arguments outlining the organisation’s responsibilities
towards the safety of their passengers and highlighting the
vulnerabilities which might arise if they fail to take the
appropriate action.
- At this stage (if not done at stage 1) the Inspector will
need to confirm their advice in writing and should consult
their line manager if necessary.
Step 3: Deficiency Notice (DN)/Formal letter advising
of Deficiency
- Where neither of the first two steps has worked, or where
the deficiency is considered too serious to be dealt with by
informal action alone, a DN, or formal (senior
management) letter identifying any apparent breaches of
Directions or Instructions, may be given to an appropriate
representative of the company concerned at the time of the
inspection or shortly afterwards.
- The Deficiency Notice is an official notice outlining the
precise area in which an organisation’s security arrangements
are deficient and reminding the organisation in question of
their obligations to rectify the identified shortcoming.
- The strength of the DN or formal (senior management)
letter lies in the fact that it is only to be used in cases
of serious, repeated or prolonged deficiency and that
wherever it is used, TRANSEC will take robust follow-up
action if timely compliance is not forthcoming. In the
vast majority of cases this will ensure that the industry
takes the necessary steps in order to avoid legal action by
the Department.
Step 4: Formal interview
- Following two or more DNs for a particular deficiency, or
a string of DNs for a range of deficiencies, the Head of
Compliance for the relevant mode or TRANSEC senior management
can request senior management of the organisation concerned
to come to the Department to discuss the matter. The
purpose will be to advise them of their responsibilities, to
stress the importance of compliance and prompt, effective,
rectification, and to point out the likely consequences of
continued non-compliance, such as the serving of an
Enforcement Notice.
Step 5: Enforcement Notice
- TRANSEC and its authorised officers (Inspectors) are
empowered by legislation to issue Enforcement Notices against
industry bodies which fail to comply with a "general"
requirement of a Direction or Instruction. In practice
such a step is likely to be taken only in an extreme case
where the initial actions taken by the Department have been
ignored.
- The Head of Compliance for the relevant mode and TRANSEC
senior management will be consulted before this line of
action is pursued. Given the legal implications of an
Enforcement Notice, it is usual for these to be drafted in
consultation with TRANSEC’s legal advisor.
- Once the Notice has been formally served, the role of the
Inspector will be to continue inspecting the operation in
question and to assess whether permanent compliance with the
EN has been effected.
Step 6: Prosecution
- TRANSEC may bring a prosecution against a directed or
instructed organisation when there is evidence that they have
failed to comply with an Enforcement Notice. Once this
evidence has been collected, the decision on whether or not
to prosecute will fall to the Director of TRANSEC. It is also
possible to prosecute for non-compliance with a
Direction/Instruction without first issuing an Enforcement
Notice, but this is not the convention followed by TRANSEC
and is likely to be appropriate only in exceptional cases.