Speaker
Description
UK Experiences of Implementing Outcome Focused Security Regulation
Historical Context
In 2003, the UK enacted the Nuclear Industries Security Regulations 2003 and the Office for Civil Nuclear Security (OCNS) was established under the Department of Trade and Industry as the enforcing regulatory body. Whilst these regulations are not inherently prescriptive in nature, the dominant culture of the time combined with a lack of capability and capacity within the regulator and regulated bodies led them to be implemented in a prescriptive fashion.
In 2007, OCNS was transferred to the Nuclear Installations Inspectorate, part of the Health and Safety Executive responsible for nuclear safety. It is now a fully integrated part of the Office for Nuclear Regulation, which was itself created by The Energy Act 2013. As part of this integration and to support a reinvigorated nuclear industry, ONR embarked on a transformation programme to move security regulation to a goal-setting approach.
Publication of National Objectives, Requirements and Model Standards
This paper will provide a brief overview of the history, but focusing on the timeline from the first stage of this transformation. This was the publication of the National Objectives, Requirements and Model Standards document in 2012 which placed an emphasis on meeting objectives and providing justification that arrangements were adequate rather than applying strict adherence to standards. However, the implementation review identified that a lack of stakeholder engagement during the development process, coupled with presence of directive language and specific security solutions meant that it was not fully successful in driving cultural changes required to support adoption of a goal setting approach.
Publication of Security Assessment Principles
ONR published the Security Assessment Principles (SyAPs) in 2017. In particular, it encouraged ownership, innovation and continuous improvement. Stakeholder engagement was fundamental to the development of this document. This ensured that the document’s intent and utility was fully understood by licensees, securing their support and allowing preparations to be made in anticipation of its publication.
SyAPs marked the end of the regulator publishing a suite of technical requirements for licensees to implement and instead provided a framework to assist in the assessment of arrangements based on the demonstration of meeting graded outcomes. It is tiered in structure and was developed with the intent of allowing dutyholders to adopt aligned, complimentary arrangements that would satisfy the expectations of both security and safety regulation concurrently. In removing any model standards, a key aim of SyAPs was to transfer risk and ownership for security to licenses and other dutyholder organizations, ensuring they are the controlling mind whilst encouraging innovation and efficiency through ONR’s adoption of an enabling approach to regulation.
In addition to the removal of technical standards, SyAPs significantly expanded regulatory expectations into strategic areas such as governance, leadership, competence management and supply chain assurance. It was also authored to allow publication in the interests of openness and transparency, assisting communication through widening the audience of people that would typically have access to security documentation.
Implementation
The journey towards implementing outcome focused regulation has been and continues to be extremely challenging. ONR has significantly upskilled its workforce to accommodate the new approach and a similar professionalisation of security is being witnessed within the industry, where increased ownership has also resulted in positive changes to culture.
This paper will expand on this operational experience, setting out the successes, learning points, short term gains and expected long term benefits.
| State | United Kingdom |
|---|---|
| Gender | Male |
