Management of Security

Date: 18.10.2018     Last updated: 06.08.2019 at 10.05
This Security Guideline provides the framework of measures by which people and property at the BBC are to be protected against the risk of crime, including management responsibilities, security threat and response levels, security training, risk assessment and incident reporting.

Management Arrangements and Responsibilities

This Guideline defines the arrangements to meet the requirements of the BBC Security Policy. The management responsibilities and minimum protective standards outlined in our Security Guidelines and their associated Codes of Practice (CoP) encompass all BBC operations, premises, staff, contractors, business partners and visitors worldwide. The Heads of Divisions / Departments are to ensure that all who need to be, are made aware of and act on, mandatory security requirements. Adherence to the CoPs will be monitored through standard audit processes.

CoP 1: Security Management Arrangements and Responsibilities (Gateway Link) describes the security responsibilities of the following people/teams:

  • BBC Business Direction Group (BDG)
  • Divisional Chief Executives and Directors
  • Director of Safety, Security & Resilience (SSR)
  • Head of Corporate Security and Investigations (SSR)
  • Broadcast Continuity Disaster Recovery Team (BCDRT)
  • Directors of External Companies who work with us, or for us
  • Building Security Managers.

Safety Responsibilities by Job Role describes the responsibilities for assessing and managing security risks of those in programme-making and other non-property related job-roles.

Those who need to understand, act on or simply be aware of our Security CoPs is described in 'Awareness and Training' (below).

Security Threat and Response Levels

Security threats may arise from civil unrest, local criminality or other unlawful activities e.g. terrorism. The UK government describes the threat from terrorism to the UK population as one of the following:

  • Critical - an attack is highly likely in the near future
  • Severe - an attack is highly likely
  • Substantial - an attack is likely
  • Moderate - an attack is possible, but not likely
  • Low - an attack is highly unlikely.

The Head of Corporate Security uses this, and other information sources, to determine the specific threat to BBC staff and other workers, our premises and other assets, as well as our continued ability to broadcast. This assessment of threat determines a Response Level, with each level imposing a cumulative scale of security measures to help protect the BBC and its’ operations.

All BBC staff and other workers should be aware of the current Response Level and comply with the resultant security measures put in place to protect them. However, if the threat is considered to be directed to a particular premises or specific part of the business, and not the BBC as a whole, local security measures may be imposed which do not tally with the BBC Response Level - such situations will be communicated locally. 

CoP 2: Security Threat and Response Levels (Gateway link) describe the process.

The current BBC Response Level  (Gateway Link).

Security Awareness and Training

All who work at the BBC should be familiar with the security measures local to their place of work or work operation. Everyone has a role to play and each must know what this is for the collective benefit of all. Line Managers must ensure all workers in their team receive appropriate security awareness training: 

  • As part of their induction into the BBC
  • On transfer into a new site
  • Following any major shift in risk (i.e. Response Level change)
  • Following any major site re-structuring.

In addition, those who, due to their public profile or other reason, are considered to be at particular risk of abuse or personal attack must receive instruction and training to help mitigate the security threat.

Those who have specific security-related duties must also be appropriately trained for the role. 

CoP 3: Security and Awareness Training (Gateway Link) gives further details on training requirements.

Safety Training and Competence describes how to get access to the courses / training resources.

Where third parties provide security-related services, the competence requirements for these must be included in contract terms and conditions.

Security Risk Assessment

Managers must ensure that an assessment of risk is carried out wherever a significant security threat is identified - this will include in the following situations:

  • Corporate Security Threat Assessment - for the whole of the BBC
  • Building Security Risk Assessment - for each building occupied by the BBC
  • Programme risk assessment – where a significant threat has been identified to one of the production team (e.g. presenter, contributor), or to valuable assets under their control
  • Construction Project Pre-Assessment - for each new premises to be occupied or modified for the BBC.

CoP 4: Security Risk Assessment (Gateway Link) provides guidance on how these should be done.

Risk Assessment describes the BBC's safety process, which can be used to address security threats on productions.

CoP 38: Construction Project Pre-assessment and Security (Gateway Link) describes the process for new sites and refurbishment projects of existing workplaces.

Security Incident Reporting and Investigation

All organisations face security threats, including indiscriminate attacks on IT systems, but also opportunistic local crime against property or to employees. In addition, our broadcast content can attract hostile reactions in our audience, leading to more targeted threats. Furthermore, those with high public profiles may be at particular risk of receiving unwanted attention which, in some cases, can develop into harrasment, resulting in significant stress and anxiety to the individuals concerned.

Whatever their nature, all security incidents such as these must be:

  • Reported using the appropriate incident reporting system – to BBC Safety (for staff and programme-related incidents), to Corporate Security (for threats / abuse against the person or damage/loss of property), or to Information Security (for data loss, hacking or phishing)
  • Investigated - to establish the scale and nature of the incident and the response requried
  • Reported to the Police – where evidence suggests criminal activity may have occurred.

CoP 5: Security Incident Reporting and Investigation (Gateway Link) describes how these incidents are to be reported and investigated.

 Safety Guides - Quick Links

About this site

This site describes what the BBC does in relation to managing its health, safety and security risks and is intended for those who work directly for the BBC.

It is not intended to provide instruction or guidance on how third parties should manage their risks. The BBC cannot be held liable for how this information is interpreted or used by third parties, nor provide any assurance that adopting it would provide any measure of legal compliance. More information.


Links: Some links on this site are only accessible when connected to the BBC network