Don’t just expect the unexpected. Expect the unthinkable, says Jim Batty, Head of Risk Audit, Group 4 Securicor.
The appalling acts of terrorism witnessed in recent years have created a new era in corporate risk management. The Government’s commitment to raising awareness of the scope of the threat was clear to see in the recent Queen’s speech. Media attention has also left organisations in no doubt that the terrorist threat must be addressed.
The cost of not addressing the risks created by terrorism could be counted in lost lives, businesses, buildings and infrastructure. Terrorist attacks are highly visible, high in impact, and indiscriminate, frequently designed to hit multiple targets with the aim of incurring mass casualties. Facing this kind of threat, today’s risk planners must not so much ‘expect the unexpected’, but ‘expect the unthinkable’. Suicide bombing attacks, for example, though not a new weapon in the terrorist arsenal, provide one of the greatest challenges in mitigating the terrorist threat.
To date, this tactic has not been deployed in the UK, but there is no doubt that worldwide, its use is on the increase. According to a recent study by Cranfield University, there were approximately 150 suicide attacks in 2002. Prior to that, there had been an estimated 300 between 1976 and 2001. The Cranfield study alludes to three types of suicide attack, which pose the greatest risk to the UK: on public transport (as seen in Israel), a hostage barricade (such as the Moscow theatre attack), and the vehicle-borne attack (similar to the British Consulate and HSBC in Turkey in 2003).
The suicide bomber is an ‘ideal’ weapon for the purpose of terrorism as the bomber can choose the precise moment and location of detonation, and does not require an escape route. This poses particular problems in mitigating the risk from such attack. However, there are some practical ways to reduce the successful outcome and impact of such an attack, and a risk auditor can help to advise on these. Measures might include creating ‘vacuumed’ areas leading to lobbies, with features such as toughened glass, electronic access control, reinforced concrete and blast escape vents. It is also worthy of note that the greatest number of casualties in an explosion is generally caused by secondary debris following the initial explosive shock wave, so investing in anti-blast film on windows can make a huge difference.
A more controversial measure, but one which is becoming commonplace in airport security, is suspect profiling, where trained searchers and security staff may identify certain individuals and traits, which may point to a security risk. In order to ensure that the approach and resources are appropriate, an organisation’s risk mitigation practice must continually keep abreast of changing terrorist methodologies. Intelligence relating to potential terrorist threats, and their capabilities, along with the modus operandi of terrorist groups are essential. Inter-agency cooperation to share resources and information to mitigate risk can help. A good example is Project Griffin, where the City of London Police, some financial institutions and private security firms exchange ideas, information and plan responses to major incidents.
As part of Project Griffin, the City of London Police delivers counter-terrorism awareness training to private security companies and city banks. The training equips private security guards with the knowledge and skills they need to become the eyes and ears of the police on the ground. Group 4 Securicor is already acting as part of the wider police family in this way. Informed and detailed planning and practical preparation is absolutely fundamental to tackling risk and limiting the impact of any security breach. Failure to prepare and rehearse will increase the likelihood of a security failure by offering a "soft target" to the terrorists. Should an organisation present a more difficult target by having robust security in place, this may make terrorist reconnaissance and operations more difficult, or displace the attack elsewhere, to what is a more accessible target in the terrorists’ eyes.
Invariably, in any major incident, the management of the early stages of the incident will be crucial to the organisation’s survival and will need to be handled by the organisation’s own people. The selection, training and validation of staff, particularly those in key appointments, or with vital functions is critical. These individuals may ultimately be responsible for the survival of human lives as well as fixed assets. The core response to any major incident, particularly in a life-threatening scenario, will rest with the emergency services and local authority, who will have a significant part to play in any recovery. Businesses should proactively interface with related agencies to establish priorities, relationships and liaison channels. In tandem with this businesses should be ready to initiate their own emergency response plans. Recovery procedures must be an immediate response, with the invocation of disaster recovery and business continuity plans if required.
It is critical that the recovery teams deal with the operational, logistical, human and environmental needs of the business, which may encompass anything from the restoration of essential services, through to welfare, medical support, counselling and finding alternative business locations. Any preparation of recovery plans should consider worst-case scenarios, although experience has proven that not all contingencies can be prepared for. However a flexible and robust approach, with a high level decision making strategy, backed by the necessary financial and material resources will limit the impact and aid a return to normality as soon as circumstances allow.
