Intelligence expert Dan Smith looks at what HR can to do protect its organisation against terror attacks
In the days following the 7 July London bombings, Metropolitan Police Commissioner Sir Ian Blair was widely quoted as saying that there were further suicide bombers prepared to carry out attacks in the UK. During the writing of this article, co-ordinated attacks on London Transport were carried out but failed to cause any casualties.
The current international terrorist threat, exemplified by al-Qaeda and affiliated groups, has clearly stated a desire to achieve its aims through attacks on western economies. The US State Department estimated that international terrorist attacks against business totalled 1,902 from 1996 to 2001. In the same period, there were only 90 attacks against government-related facilities and 48 against military targets.
This has placed businesses on the front line in the war on terror. Recent attacks targeted London Transport (2005), HSBC in Istanbul (2003), and the businesses located in the World Trade Centre in the 9/11 attacks of 2001. The realistic prospect of further attacks against London and other large urban centres targeting businesses cannot be ignored.
It is always important to consider risk analysis and risk reduction in a comprehensive and holistic way. It is vital to look at all the elements of risk as they affect one another, and then address those risks by integrated methods.
Therefore, it would be unwise and unhelpful for HR professionals alone to assume this burden of responsibility. Risk analysis should always be carried out as an integrated project – even when it seems the risks at hand are the domain of other functions.
For instance, an employee suffering from stress (traditionally the domain of HR) may find that their vigilance over personal safety and security lapses (thus entering the preserve of the security department). Risks and threats are then inter-related. Failure to perceive this means an effective mitigation plan cannot be effectively designed or applied.
A frustrating facet of the aftermath of the 7 July attacks has been the lack of clear advice about how companies should mitigate risk to their operations from terrorism in future. While many large companies have risk mitigation and avoidance plans, a high number of smaller and medium-sized enterprises (SMEs) do not.
Although SMEs are unlikely to be a primary target for terrorists, for instance, the effects of collateral damage and business interruption could be disproportionately debilitating. Even when plans exist, they are more often than not unrehearsed and left in a drawer ‘in case of emergency’.
Beyond this, and potentially of greater concern, is the absence in a company structure of spelling out who is responsible for security-related matters. Often this falls between risk managers, health and safety, security and HR. Nearly four years after the attacks of 9/11 and almost a decade since the Provisional IRA attacks on the city of London, this degree of complacency is unacceptable and dangerous.
Because risk is varied and affects all aspects of a business, it cannot be addressed as a separate factor. It requires co-operation and input from all levels.
Yet, in the probable clamour to improve risk mitigation plans that will follow from the London attacks, businesses are likely to miss two crucial elements in an effective and integrated strategy: providing accurate and timely intelligence, and training the company’s most vital assets, its staff.
The start point in designing a risk mitigation system is intelligence. For a mitigation process to be effective, identify specific risks present in any given environment, along with an ‘as accurate as possible’ assessment of a threat and the likelihood of an event happening. This is also important as it will help define the amount of contingency plans necessary, as well as the emergency procedures essential to any operation.
The monitoring of threat levels is also essential to ensure plans and procedures remain valid, and again this is dependent on good intelligence. A properly developed and effective risk mitigation plan will be flexible enough to adapt to any changes in threat or profile.
While some companies perceive security and advanced medical training as an unnecessary expense, there are direct and quantifiable business results to be had from the investment in security awareness training, which far outweigh any cost.
Risks to company assets are reduced – in terms of personnel and facilities – and therefore so are costs. Operations become more effective because personnel who have greater control over their environments are more productive and less distracted by concerns about safety. Employee relations and commitment may also improve.
Finally, employers have an opportunity to fulfil their duty of care by taking account of not only training for the job, but also for a challenging environment. This in turn decreases company liability.
Training should emphasise the principle that individuals remain in control of their own destinies, or retain as much control as possible. It should give employees knowledge of predictable affects, whether human, physical or mechanical. Employees can then make valuable judgements and employ critical mitigation strategies, substantially reducing the risk to both them and colleagues.
The role of HR in diminishing risk is critical. HR’s primary responsibility is to improve staff performance so that productivity increases. An intelligence-led security assessment will be fundamental in determining how an HR department will best carry out this function, because no two companies are the same.
However, it should involve reassuring staff that the company has well-rehearsed mechanisms to minimise exposure to risk. Staff should be trained so they understand their role in this. HR also has an important role in communicating between staff and managers’ policies and procedures.
Risk is a jigsaw puzzle, not a single picture. Addressing risks individually will never be adequate, particularly in light of the recent attacks and potential for further. For this reason, in companies where risk management, health and safety, HR and security are separate departments, an amalgamated, holistic approach should be considered, and, at the very least, mandated and effective co-operation between the departments (most importantly including reporting to a board-level post) should be advocated. HR’s role is critical in this.
Dan Smith is a senior intelligence analyst with AKE Group, an international risk solutions company specialising in all aspects of reducing risk to personnel and companies. He can be contacted via e-mail [email protected]