Making the case for including terrorism incidents in your business continuity plan
- Published: Friday, 20 July 2018 10:57
While many business continuity plans focus on the effects of an incident rather than the cause, Richard Duncan explains why terrorism response may be a special case requiring a different and more proactive approach.
Here in the UK we have seen our fair share of terror events, and they have had a serious impact on all aspects of our lives. Companies have found themselves directly affected, have found themselves inside the wider emergency response cordon, or have had their business activity seriously curtailed by the investigation that follows an attack. That investigation can restrict the use of parts of the business premises until it is concluded.
All this external activity needs a response, yet in my experience organizations generally do not consider, within their business continuity plans, how they will respond. For example: who will liaise with the emergency responders? What role will the organization be expected to play in the response and recovery phases? Has the crisis management team (CMT) received training in the business continuity considerations that arise when the business is affected by a terrorist incident?
I believe the first step, the 'baseline', should be to consider how the organization plans its response to each of the five UK terror threat levels, in terms of asset and personnel security. The second step is to provide the CMT with immediate guidance on what needs to be done from a strategic, tactical and operational perspective if the business is unfortunate enough to be caught up in an attack. That guidance should be task orientated and needs to cover every level of the organization, from customer-facing staff right up to strategic management.
Previously, the UK Government had not made public the way in which the threat assessment system works or the national threat level that emerges from it. Following a review, a decision was taken to inform the public about the process and the national threat level, which applies to the UK as a whole.
The Government guidance states that “Threat levels are designed to give a broad indication of the likelihood of a terrorist attack. They are based on the assessment of a range of factors including current intelligence, recent events and what is known about terrorist intentions and capabilities. This information may well be incomplete and decisions about the appropriate security response are made with this in mind”.
The UK Government’s counter terrorism strategy aims to reduce the risk from international terrorism, so that people can go about their business freely and with confidence. While the current terrorist threat presents many challenges, public safety is the absolute priority. The Government can never guarantee that attacks will not happen in the future, but its security effort is dedicated to reducing the risk as much as possible.
Assessments of the level and nature of the threat from international terrorism are made by the Joint Terrorism Analysis Centre (JTAC), while the threat from Irish and other domestic terrorism is assessed by the Security Service (MI5). These include a threat level, which is a shorthand description of the overall threat, either for the UK or for several specific sectors, such as the Government estate or military facilities.
The five UK threat levels are:
- Critical - An attack is expected imminently
- Severe - An attack is highly likely
- Substantial - An attack is a strong possibility
- Moderate - An attack is possible but not likely
- Low - An attack is unlikely.
To be clear, threat levels in themselves do not require specific responses from the public or business. They are primarily a tool for security practitioners working across the sectors of what is known as the Critical National Infrastructure (CNI), and for the police, to use in determining what protective security response may be required. Having said that, I believe this does not prevent organizations from using the assessment of risk the threat levels provide to determine the level of vigilance required and the protective security measures that should be applied at any particular moment. These should involve managers and staff taking sensible precautions in response to the changing threat level, and ensuring that the organization's preparation measures are proportionate to the prevailing risks.
Any measures taken by the organization should be cumulative and increasingly tight, so that, for example, the measures listed for SEVERE are in addition to those listed for SUBSTANTIAL, which are already assumed to be in place.
So, what does all of this mean for the organization that wishes to consider a terrorism related event within their organizational risk register (ORR), business impact assessment or business continuity plan?
Unfortunately, I cannot answer that for every organization, but what I can do is provide some considerations based on my own experiences during my Fire and Rescue career.
The first task you may face will be to get your corporate management to accept that the risk does exist for your organization and is worthy of inclusion within the ORR and related documents. No matter what business you are in, the attack methodologies now being employed by terrorists, such as knives, guns or everyday vehicles, as we have witnessed in the UK and elsewhere around the world, can impact shopping malls, transport hubs, entertainment venues, Christmas markets, even people walking down the street; in fact, anywhere large crowds gather.
Your next task should be to define the levels of organizational response required for each of the five threat levels, in relation to the protection of assets and personnel, not forgetting your customers, clients or members of the public present on your premises. Doing so will enable your organization to identify the vulnerabilities associated with each risk and take positive steps to reduce it. I for one have accepted that you will never eradicate the risk of a terrorist incident affecting your business; as many have said before, the security services need to be lucky all the time, the terrorists only need to be lucky once.
Most, if not all, organizations will have protective security considered within their business continuity plan, therefore considering adding further guidance on responses to changes in the country’s threat levels, should not be onerous in terms of time or money. And as I said previously, the measures taken by the organization should be cumulative and increasingly tight.
For example, in terms of building security, the company may require employees, visitors and contractors to wear some form of identification. If the threat level is 'LOW - An attack is unlikely', this practice may not be rigidly enforced. The question that needs to be asked is: if over several weeks or months the threat level gradually increases to 'Severe - An attack is highly likely', does the organization have a system in place that reviews its protective security practices and reinforces the need for vigilance in light of those changes? For example, when the threat level changes, are all staff tasked with challenging individuals who are not recognised and/or not wearing identification or visitor badges, or is that still viewed as a job for security personnel only? Where vehicle access barriers are not controlled by security personnel, are staff tasked with ensuring that visitors or others without an access fob do not tailgate fob holders and gain uncontrolled access to company car parks or to more sensitive areas?
These may seem like simple actions that should be undertaken in any case, as business-as-usual activity, to ensure organizational security is maintained. Unfortunately, my experience has shown me that complacency does occur, and it can have profound consequences. An organizational culture that includes specific response guidance to staff when the threat level changes could provide the additional checks and balances needed to address that complacency, and could prevent a successful attack with a direct impact on your organization, particularly when the threat level is at its highest point.
Therefore, I believe that organizations should review their business continuity plan and underpinning policies and procedures, to include appropriate responses in preparation for changes in the country’s threat levels.
Following on from that ‘baseline’ in terms of the organization’s planned response to changes in the threat levels, a further element that preparation should consider is how the organization will respond, if it is unfortunate enough to be caught up in an attack.
During the ‘emergency response’ phase of any attack, the organization’s CMT will have a wide range of tasks to consider and action and, in most cases, will never have found themselves in that situation. So, a number of initial questions would need to be addressed within the business continuity plan: for example, which elements of your organization’s response will be managed by the CMT and what elements can be discharged to staff not involved in the immediate CMT response? Who is responsible for the management of the business as usual activities not directly affected by the incident? What information are you going to request and provide to the emergency responders, and who will be responsible for liaising with them?
These are just a few issues and, from personal experience, there will be a lot more that will have to be managed by the CMT during the emergency phase. Therefore, the organization must ensure that the business continuity plan provides clear guidance on the required initial actions by the CMT, right through to the recovery, investigative and return to normality phases.
In the aftermath of an attack in which an organization has been directly affected, it may find that the business continues to be involved many months after the event, requiring resources to be allocated and continuing to consume management time. By way of example: the emergency services involved may conduct reviews of their response and request a range of information from your organization; public inquiries into the circumstances may be called; fatal accident inquiries and inquests could be scheduled; compensation litigation may be served; and, of course, shareholders' expectations will need to be managed. All these issues and more will have to be considered, and it is important that the business continuity plan recognises and addresses the fact that they may fall outside the normal scope of the organization's response to any pre-planned 'internal' business continuity critical event.
Thankfully, in my experience, there is a lot of support that businesses can call on to help them improve their business continuity planning in response to a terrorist attack. Your local police force will have specially trained officers to assist the business community, known as Counter Terrorism Security Advisors (CTSAs), who can advise on a wide range of protective security arrangements in support of the company business continuity plan. There are numerous business resilience forums throughout the country that can provide guidance on best practice. From a multi-agency perspective, your Local Resilience Partnership, in whatever geographical or political form that may take, can assist with the integrated emergency management (IEM) arrangements for such incidents, and more.
Most of the issues I have discussed may already be incorporated into the company business continuity plan in some form, and BC managers may take the view that the 'cause' of the critical incident does not matter, that it is the 'effect' that needs to be planned for, and that therefore no further action is required. I believe the key difference is that when a terrorist act is involved, it is highly likely that the CMT and all staff will never before have faced the unique set of circumstances that a terror incident presents, and may never have had the opportunity to train for such an event.
In the absence of such experiential learning or training, the business continuity plan will be key in ensuring that the organizational response to a terror incident affecting the company, directly or indirectly, has been sufficiently risk assessed, and that appropriate response strategies are in place to support the organization at the operational, tactical and strategic levels.
Richard Duncan, Dip NEBOSH, Tech IOSH, Dip Mgt(Open)
Richard currently runs his own business continuity and risk management consultancy firm, Richard Duncan Consultancy. He previously served for 27 years with Strathclyde Fire and Rescue and latterly with the Scottish Fire and Rescue Service (SFRS), gaining five promotions, retiring at the rank of Group Commander (Personnel, Training and Contingency Planning) in the role of Deputy Area Commander for East Renfrewshire, Renfrewshire and Inverclyde local council areas.
Richard has extensive experience in all aspects of business continuity and health and safety management.