Because terrorists’ tactics are constantly evolving, we can anticipate that they will rely on a wide variety of disruptive and deadly acts in the years ahead. Planners must therefore be prepared for all conceivable terror threats.
Recent history suggests that disruptive terrorist events, even at some distance from a company’s facility, may disrupt routine operations or put personnel and business at risk. Business continuity planners must therefore anticipate and prepare for the potentially significant disruption due to a terrorist attack.
The challenge for planners is that the tactics and methods of terrorists are constantly evolving. As the security infrastructure adapts to reduce vulnerability to attack by bombing, we can anticipate that terrorists will turn to alternative and creative methods of terror. If trends around the world are an early warning signal, perhaps terrorists will next resort to executive kidnappings and assassinations, sophisticated cyber-terrorism, and violent attacks against public space targets that would generate the most shock and fear among the general population. Diligent companies must take heed of these new realities and prepare accordingly.
Conducting a Terrorism Impact Analysis (TIA)
One of the first priorities for a planner is to systematically analyze the potential harm, disruption, and costs of acts of terrorism for the organization and its specific industry, locations, and exposure. The goal is the accurate forecasting of the threat risks of terrorism. However, it is challenging to accurately predict the risks of local, regional, and national terrorism attacks. Further, since there are a wide variety of potential forms of terror attacks (i.e., cyber-terrorism, extortion, bomb/explosion, invasion, assassination, kidnapping, hijacking, and chemical/biological agents), it may be helpful to seek external resources, such as security services, consultants, or law enforcement or government agencies to assist in systematically reviewing the company’s unique situation. Resources are available from both private and public sector agencies to assist in a TIA.
In conducting a TIA, it is important to take the process of scanning for risks out of the sensational frame and into more specific logical and well-thought analysis. Some companies, who have long used risk models for natural disaster risk analysis, have begun to adapt those resources to create probabilistic models for terrorism risks. One resource to consider is the insurance provider. Insurance companies were mandated by the Terrorism Risk Insurance Act of 2002 to offer insurance policy coverage that includes acts of terrorism. While the legislation has set coverage cap limits as percentages of the insurers’ total coverage in force, insurance providers nevertheless have been forced to dramatically increase their analysis in order to set premiums for risk coverage. This development has resulted in ever-increasing sophistication of insurance risk analysis to the point where the capabilities to predict terrorism risks are similar to the actuarial tables used for estimating natural disaster risks or even individual heath/life insurance premiums.
The general process of assessing threats begins with a single focal point within the organization (e.g. the potential of specific workplace violence or single armed intruder) and then in a systematic fashion expands the parameters to eventually consider how a national disruption of transportation or utilities systems might impact operations. Every company should consider all potential vulnerabilities. It is important to remember that terrorists will always look for the most vulnerable spots to attack, and they always “think outside the box.” Consider, for example, that employees might be most vulnerable waiting for a traffic signal in a turn lane just outside of the facility’s main entrance gate just before a major work shift begins.
Some basic guidelines to consider while preparing a TIA are:
- Develop a method to assess suspicious events, deter malevolent acts, and mitigate damage.
- Realize that it is difficult to predict how, when, or where a terrorist will strike; therefore, everyone must be prepared.
- Have a crisis plan for all categories of terror events.
- Rapidly institute responsive control measures when terrorism occurs.
- Provide protection for personnel.
- Realize that implementation of planning for terrorism will require close collaboration between the company and local law enforcement, emergency responders, public health agencies, and government officials.
What to Plan For
The breadth of an effective impact analysis is significant in the post 9/11 world. Since September 11, 2001, research has suggested that four threat risks are now considered as substantially higher risks by planners: mass terrorism, acts of war, biological agents, and explosions. The following were rated as higher risks: bomb threats, sabotage, radiation exposure, civil disorder, airport proximity, computer attacks, hazardous waste, work stoppages, chemical spills, kidnapping, assassinations, and vehicle crashes. When considering all the above, it is important to think about the absolute worst-case scenario as well as the most likely risks in a threat analysis. This list should form the foundation of the agenda for planners.
Armed Intrusions and Building Occupations
Attackers using small arms are a growing threat. Even “routine” workplace shootings can prove disastrous for business continuity. A single disgruntled employee with no training, no accomplices, no support, and with little reconnaissance and preparation has been able in the past to penetrate a variety of workplaces, systematically murder workers, and wreak havoc on businesses. One must dare to imagine what coordinated, trained, well-supplied terrorists might be able to accomplish with detailed support and advance planning. The prospect of a business office or campus takeover, a media spectacle hostage crisis, or instances of mass murder can not be ruled out in the coming years of terrorist plots.
Kidnapping and Assassinations
One terror technique used in other parts of the world that could arrive in North America is the attack against a prominent or symbolic individual. Executive kidnapping and assassination threats should be taken very seriously and incorporated into the planning process. Senior management and potentially all employees who “symbolically” represent a company or nation are increasingly at risk. Travel policies, executive security, protection during commutes, and even home security are key steps in mitigating this threat.
Bombs and Explosions
Planners should instruct employees on how to respond to bomb threats, how to record such threats when they are delivered, telephoned, or e-mailed into the company, and how to evaluate the credibility of threats. Two federal agencies, the ATF and FBI, offer resources, training, and model plans for responding to bomb threats.
Explosions can be categorized by the delivery method and potential location. Terrorists around the world have effectively used automobiles and trucks to deliver substantial and deadly explosions in public areas or against specific targets. Smaller explosions delivered as packages, “pipe bombs,” or other improvised explosive devices (IED) have been secretly placed in trash cans, among shrubbery, in abandoned packages, along pathways, and camouflaged so as to be unnoticed prior to their detonation. The emergence of the walking “suicide-murderer” bomber who can create fatal explosions in a business lobby, an eatery, or within or near public transportation poses another realistic threat.
Chemical and Biological Weapons (CBW)
Deadly toxic chemicals, viruses and germs, neurotoxins, diseases, deadly gasses, and radioactive materials can all potentially become a terrorist weapon. These weapons are likely to have the greatest impact if used in places where there are large numbers of people, where structural confinement concentrates the exposure, where the delivery of the agent can be accomplished without drawing attention, and in many cases where repeated exposures of the same individuals can be assumed. This makes places of work one of the more tempting targets for a terrorist seeking a sensational act of destruction and mayhem.
CBW agents can be delivered in a variety of ways: dispersed via a facility’s heating/ventilation/air condition (HVAC) systems, placed into food or water supplies, sprinkled on the ground in front of entry or exit portals, included with or on floral arrangements, inserted into air fresheners or room deodorizers, included within explosive devices, or mixed into cleaning supplies.
Mailroom Vulnerabilities
The U.S. Postal Service has created an informational campaign to educate office workers about suspicious mail and packages and how to handle them. In addition, the FBI has produced some good materials for training mailroom personnel and office workers for handling mail in the wake of the anthrax attacks in 2001.
Some planners might consider restructuring their mail or receiving operations so that mail can be opened off site at a smaller location, or outsourcing mailroom operations altogether. In such a case, if a bomb, chemical, or biological threat is received by mail, exposure would be limited to the off-site location and perhaps more easily contained, putting fewer people at risk.
Hazardous Materials Contamination
A deliberate hazardous materials release can create dangers comparable to any other type of terror weapon. From a small spill on a walkway leading into a plant to a large-scale release of materials from a tanker truck on a major highway near a company site, there are serious risks that must be considered. Such deliberate acts may also occur within the facility; some of these materials are easily transported into the workplace. All companies therefore should be prepared for the potential of deliberate hazardous materials release or contamination.
Utilities Loss or Disruption
The U.S. Office of Homeland Security has identified major utilities and the national electric power grid as potential targets for terrorists. Businesses in close proximity to generation or transmission stations are inadvertent targets in attacks against such installations. In addition, everyone is at risk for disruptions to utility services. If terrorists manage to disrupt electrical supplies, water or gas service, telephone transmissions, or other essential utilities, it could be a major impact to all affected businesses. Consider, for example, how a long-term loss of electricity, water, or gas would affect most operations, or how a terrorist disruption to the regional or national power grid would impact business.
Summary
The threat risks considered above by no means form an exhaustive analysis. Cyber-terrorism, car-jacking, and poisons are among the long list of threats not discussed here. Nonetheless, one conclusion is clear: there are many risks that face businesses and companies today, and all business continuity and disaster recovery planners must be prepared for a wide variety of threats. Many of the most common threats involve small-scale, readily available technology including small-arms weaponry. Each risk threat should be considered, and methods of mitigating the dangers should be discussed. Prudent companies will carefully consider all reasonable precautions to deter, prevent, mitigate, and respond to attacks such as the ones imagined by malevolent actors.
Leave A Comment
You must be logged in to post a comment.