Co-ordinated bomb attacks in Madrid in March and a shooting attack against expatriates in Yanbu (Saudi Arabia) in early May were a reminder of the unpredictable nature and devastating consequences of terrorism.
It is impossible to forecast with any certainty where and how a terrorist attack will take place, or what its impact on a business might be, but this does not mean that companies cannot take action to minimise the risk to their employees and assets.
Before anything can happen, a company must have board-level recognition of the threat and the need to address it. The wake-up call to business came with the 11 September attacks in the US and the subsequent war on terrorism. The board must be shown that terrorism needs to be treated as a real operational risk to its business, and that this could have serious consequences for a company that fails to implement formal risk management, contingency plans and security measures.
Information is key
The first step is gathering knowledge. It is essential that those responsible for reviewing the operational risks to a business understand what those risks might be. Therefore, managers must ensure that they have sufficient sources to provide them with objective, useful and timely information.
However, information alone is next to useless if not assessed correctly and used within the framework of a formal risk assessment methodology.
Companies can expend vast sums of money and waste a great deal of time in protecting themselves against an unrealistic threat, or by deploying measures that are of little practical value.
So, it is the ability to take information and use it correctly that is critical to the formulation of the security policy. When an attack takes place somewhere in the world, those charged with company security must look at the event from the point of view of their own company.
How does this work? Let us look at how analysis of two recent attacks attributed to al-Qaida could be used to improve security of staff and physical assets of a fictional company, ABC plc, that has offices throughout the Middle East.
First, consider the suicide bombings in Istanbul in November 2003. A suicide bomber parked a vehicle outside the HSBC building in central Istanbul and detonated the explosives. The resulting damage killed three people and injured more than 100 others. Minutes later, suicide bombers forced their way to the gates of the British consulate and detonated a truck bomb. This second attack claimed the lives of 21 people. By looking at these incidents, the purpose is not to forecast future attacks, but to hypothesise about how such attacks could affect our company and assess them in terms of planning preventative measures to protect staff.
As ABC plc, we have to ask ourselves some questions:
- What is our profile in the Middle East: are we seen as a symbol of the West - and thus as a potential target for future terrorist attacks?
- What is there within 400 meters of our offices that may be a target?
Are we in jeopardy because of our neighbours?
- Can someone park a vehicle near our building, and if they can, will they be challenged?
- Are terrorists able to drive, at speed, directly at our building?
- Are we in a position to be able to implement counter-measures to this type of attack?
- If we cannot influence or control the traffic outside our building, do we know what the possible damage may be to our building?
- Once we know the potential damage to our building, what can we do to improve the security and safety of our staff?
Next, let us look at the terrible attacks of 11 March in Madrid and use them as a flexible template to examine the implications for ABC plc.
As a corporate entity, we are not in a position to prevent such an attack, but we can still manage the impact on our operations. In our hypothetical case study, attacks are carried out on four commuter trains due to arrive at London Bridge station, near ABC plc's head office. Following explosions on all four trains within two minutes of each other, they are brought to a standstill outside the station. At 08.34, London Bridge station is closed by the emergency services. What arises from this scenario?
- First, is our office located within or outside a security cordon for this type of incident?
- What other transport systems will be affected by the closure of London Bridge station?
- How many of our employees use that rail line?
- How many of our staff may have been injured?
- How many of our staff in follow-on trains will do their utmost to get into work?
- How many of our employees, quite naturally, will choose to return home to their families?
These types of simple exercises allow a company to start to sensibly review what should be done to ensure that it is in a position to respond to the threat of terrorism.
Review security
Once they have gathered information and applied it to their operations, what else can companies do to be confident that they are as well prepared as possible? Having developed the database of how the company could be affected by terrorism, the risk management team, in conjunction with the security department, should carry out a review to understand where the gaps are in the overall security plan. Areas that should be explored are:
- PERSONAL SECURITY POLICY. What do we as a company have to do from a 'duty of care' point of view; what should we be doing from a moral point of view? and what do we expect of our employees?
- PHYSICAL SECURITY MEASURES. Do we have effective preventative measures in place at the company's at-risk locations? Are employees aware of why these measures are in place? Are we sure that these measures are not being circumvented or failing because of lack of maintenance?
- AWARENESS. Are employees aware of the company's policies on security?
Do staff at all levels know how to react should an incident occur? Are members of the crisis management organisation confident in their roles?
- TRAINING. How often does the organisation carry out some form of training? Does the company carry out desktop exercises based on potential incidents? Is there scope for semi-live play simulations?
- EXTERNAL AGENCIES. How often does the security department meet the emergency services?
Depending on the answers to these questions (and the list is by no means exhaustive), develop a programme of work and roll it out to the organisation, prioritising those elements deemed most at risk.
In conclusion, company boards must understand that global terrorism has the potential to affect the operations of a company. Risk management, and the subsequent policies and contingency plans, should not be seen as a cost, but as a critical element of their overall insurance portfolio.
It is the adoption of this culture that will permit them to operate in challenging marketplaces, knowing that they have taken the correct precautions and adopted effective counter-measures.
MI5 ONLINE
This year, MI5 relaunched its website, to include threat assessments and expert advice to help businesses protect themselves against security threats. The security advice has been compiled by the Security Service's National Security Advice Centre (NSAC), which works to protect key government assets and businesses vital to the UK's critical national infrastructure, such as transport, power and water.
In its current threat picture MI5 has produced a brief summary of the current threat to the UK and to British interests overseas. It says that the main terrorist danger comes from Al Qaida and associated groups. "These groups seek to attack Western interests worldwide, as well as targeting Muslim nations they consider to be hostile. Despite successful operations to stop terrorist activity and damage their capability to conduct such attacks, the groups retain the will and the means to mount terrorist operations worldwide."
TOP 10 GUIDELINES FOR GOOD SECURITY PRACTICE
1 Take time to carry out a risk assessment. What kind of threats might you be facing? What is the likelihood of these happening? Where are your vulnerable points? Seek counter terrorist advice through the Counter Terrorist Security Advisor (CTSA) at your local police force.
2 If you are building or acquiring new premises, try to plan your security measures from the outset. This is likely to be more efficient (in both time and expense) than adding on security measures at a later date.
3 Make security awareness part of your organisation's culture. Put someone at board level in charge. Arrange regular briefings for staff on what they should be looking out for, and keep notices up- to-date. Take your staff seriously if they identify potential threats. Train staff in emergency and evacuation procedures, and rehearse them regularly. Give more specific training to anyone you think might have to handle a bomb threat.
4 Ensure good housekeeping in and around your buildings: keep public areas tidy and well-lit, remove any unnecessary furniture, keep garden areas free from dense shrubbery.
5 Keep access points to your premises to a minimum. Consider introducing passes for staff and procedures for booking in visitors. Searching of bags may also be desirable but, as with other measures, should be proportionate to the threat and also carefully explained to staff. Look at vehicle access and parking arrangements. Consider introducing a barrier system, and arranging your car park so that unauthorised vehicles cannot get close to your building.
6 Consider a range of physical measures - locks on windows and doors, CCTV, alarms, lighting - and install them according to your circumstances. Arrange regular checks.
7 Look at your mail-handling procedures. Consider setting up a mail room away from your main premises, and train staff in emergency procedures.
8 When recruiting staff or hiring contractors, ensure that they are who they say they are by checking documentation. Follow up references. Follow good employment practice and in particular ensure that staff have the opportunity to voice grievances and concerns.
9 Look at how you might protect your information. Ensure that those who supply, operate and maintain your IT systems are reputable and reliable.
Possible security measures range from enhanced IT security to disposing carefully of any confidential waste.
10 Plan now for business continuity - how you will continue to function if something happens which means your premises or IT systems are out of action.
www.mi5.gov.uk/