David Claridge suggests some practical...

David Claridge suggests some practical strategies for managing the terrorism risk

The terrorist attacks on Western residential compounds in Saudi Arabia on 12 May demonstrated not only that the Al Qaeda terrorist network remains potent, but also that it seeks to attack Western civilians, undermine outward investment and damage the global and local economies. Clear messages underpin these attacks, and follow consistent themes in Al Qaeda's rhetoric and previous patterns of targeting.

  • Western non-Muslims are not welcome in The Land of the Two Holy Places (Saudi Arabia), as their presence is an affront to Islam.

  • Attacks on Western civilians and businesses will be used to undermine investment in local economies, especially in those that are politically fragile (for example, Indonesia, which suffered great economic loss following the Bali bombing of October 2002).

  • Al Qaeda has a desperate need to demonstrate that it remains a potent force, particularly following the war with Iraq. With over 3,000 of its supporters and several of its senior operatives in custody as a direct consequence of the war on terrorism, it had to take steps to prove it could still deliver in the face of American provocation.

    Most analysts agree that Al Qaeda's operational capability has been significantly degraded, and reckon that its attentions have shifted from high prestige targets in the West to countries that offer better opportunities for support networks (essentially countries with large Islamic communities) and have less sophisticated security environments. Since 11 September 2001, the main attacks have been in Pakistan, Tunisia, Yemen, Indonesia, Kenya, Saudi Arabia and Morocco, and have almost exclusively focused on so-called soft targets. Targets have have been privately owned assets such as an oil tanker, an aircraft, hotels, a nightclub, restaurants, residential compounds and religious buildings.

    Be in no doubt that there is a deliberate strategy to attack the private sector, as an alternative to hardened government targets. In a statement broadcast by Al Jazeera television on 25 May, Al Qaeda's deputy leader, Ayman Al-Zawahiri said:

    "The crusaders and the Jews do not understand anything but the language of killing and blood. They do not become convinced unless they see coffins returning to them, their interests being destroyed, their towers being torched, and their economy collapsing. O Muslims, take matters firmly against the embassies of America, England, Australia and Norway and their interests, companies, and employees. Burn the ground under their feet, as they should not enjoy your protection, safety, or security. Expel those criminals out of your countries."

    Experience suggests that when Zawahiri or Bin Laden speak, actions follow. In previous statements Bin Laden has called upon 'the Islamic youth', to take the initiative in undertaking attacks against the US 'economic lifeline'. The Yemen and Bali attacks occurred within days of such a statement. Because the network has been disrupted by the war on terrorism, it will be forced in future to rely more upon disparate 'Islamic youths' to select targets in line with general directions from the centre, rather than on centrally planned operations. The result is likely to be more frequent but less sophisticated attacks against soft targets, such as businesses, especially those operating in the Middle East, South and South East Asia, East Africa and the Caucasus. But Al Qaeda's threat is global, and all businesses must prepare accordingly.

    Low probability/high impact
    Terrorism risk management is a real challenge for businesses to get right, predominantly because of the schism between probability and impact. This introduces a polarity amongst businesses: some taking almost no risk management measures; others acting aggressively.

    With the exception of some obvious conflict-ridden regions, such as Israel, Chechnya, Kashmir or Colombia, terrorism does not occur very often. Data published in April 2003 by the US State Department showed a drop of 44% in the incidence of international terrorism between 2001 and 2002. This represented only 199 attacks over the course of the year. While 199 is too many, it is by far the lowest incidence of international terrorism since records began. On a purely statistical basis then, the probability of a terrorist act outside an immediate conflict zone is insignificantly low.

    But, as we have already seen, businesses are now specifically singled out as targets by Al Qaeda and, perhaps more significantly, we know that the network seeks maximum casualties and is constantly evolving its tactics to achieve them. We know that the network is interested in Chemical, Biological, Radiological and Nuclear (CBRN) weapons. All businesses should be aware that terrorism can strike at any time, anywhere, and that the Bin Laden generation of Islamic terrorists effectively knows no constraints other than operational ones.

    Research conducted by Janusian and RAND Europe in March 2003 revealed that the business community is gloomy about the prospects for the future. Of 50 major corporations surveyed, 63% reported that they believed terrorism to be a significant threat to their organisation, and 72% believed that the threat to them would increase over the next 12 to 24 months. An interesting aspect of the survey was that it revealed that 60% of respondents believed that terrorists would not deliberately target their companies. This perhaps reflects a degree of denial on the part of the risk managers who responded, but also demonstrates an acknowledgement of the indiscriminate nature of the threat.

    Practical management
    Every business is different, presenting a unique profile in terms of its nationality, its geographic exposure, its size and revenue, its internal risk management structures, its publicity and brand exposure, its need for open doors, the makeup of its workforce and its appetite for risk. Although these variations will determine specific risk management needs, it is possible to provide general advice concerning the framework under which the threat from terrorism is addressed.

    Actively managing the risk means having access to two critical categories of information:

  • What are we trying to protect: people, assets, processes, relationships, reputations? All could potentially be undermined by terrorism. It is important to have a coherent understanding of the nature of the business and how it might be affected.

  • What is the threat to us? Answering this means regularly gathering information on current terrorist threat levels, using information provided by governments or more actively sourced intelligence. Analysis of intelligence needs to consider whether the business may be a specific target of terrorists, or whether it falls into more general categories of potential target (for example, relating to nationality or sector). Assessments of terrorists' operational capabilities must also be taken into account.

    This intelligence cycle can be used to establish an alert state system, on a simple scale from Low to Extreme, that translates assessed threats into pre-determined states of readiness covering issues such as physical security levels, access controls, restrictions on movement of people or vehicles and so on.

    Terrorists are essentially exploitative, seeking vulnerabilities that will allow them easy access to their targets. Reducing the opportunities for terrorists to get close to targets will have a proportionate impact upon the frequency of successful attacks, or will at least push terrorists away to less well-protected locations. Consequently, corporate risk managers must make a priority of pushing terrorism away from their doors. Equally importantly, they must make preparations to embed emergency response, disaster recovery and business continuity plans to provide the business with resilience to attack.

    Protective measures to consider are usually no more than typical security processes:

  • physical security: businesses have varying tolerances for locks, fences, alarm systems, barriers and gates. Retail premises, by their nature, need to be open, but even here it is prudent to establish maximum acceptable levels of physical security to avoid having to specify and install potentially inadequate equipment at short notice.

  • guarding levels and management: security guards are often the weakest link in any security management system. Businesses need to ensure their guard forces are properly trained, remunerated and managed to get the best from them

  • cctv and alarm systems: although perceived as a passive tool, properly applied CCTV can be a significant weapon in undermining terrorism. Almost all terrorist activity, especially that of Al Qaeda, is preceded by surveillance. CCTV can be used to identify it to provide early warning.

  • staff training and awareness: for the same reasons, increased awareness on the part of staff can be vital in identifying suspicious behaviour, but staff need to be instructed in what to look for.

    If preventative measures fail, emergency response plans will come into play. Terrorist attacks are less predictable than other emergencies, and evacuation is not always the best option. Depending on building layout, 'invacuation' may be preferable, moving people to a strengthened area inside.

    In terms of continuity and recovery planning, preparation should reflect the worst case: complete loss of buildings, perhaps even loss of use of sites if a CBRN weapon has been used, and the loss of large numbers of staff. Alternative sites must be in locations that are distant from existing sites, and should be more than skeletons; they may need to form the backbone of the business for a prolonged period.

    At every level of the contingency plan, the central concerns must be to ensure that roles are allocated appropriately and with clarity, that the company has the resources to back up its plans, and that key staff have been trained in the execution of their roles, and preferably have participated in at least one simulated exercise. It is important that businesses seek to embed the knowledge that is available into their business processes now, to allow time for plans to settle in, for simulations to be run, and to identify weaknesses.

    Risk managers in many large corporations have shifted the balance of their activities towards crisis management and continuity planning, in the belief that catastrophic terrorism will always find a way through preventative security. But we must be aware that terrorists are deterred by security, that terrorist planning also contains vulnerabilities and that businesses of all sizes can play a part in undermining terrorist planning through increasing their vigilance.

    Dr David Claridge is managing director, Janusian Security Risk Management Ltd, E-mail: claridge@janusian.com

    Some companies remain unprepared
    The Janusian and RAND Europe research published earlier this year showed that one in four companies expects to be targeted by terrorists within the next two years, and one in ten businesses believes it is 'extremely likely' it will face at least one instance of terrorism. However, the survey also reveals that some companies are lagging behind in introducing appropriate security measures.

  • one in seven companies gives no security awareness training to staff, one in six has no travel security programmes or systems, and almost one in five does not screen employees before hiring

  • only 54% of companies have some form of close protection for their senior managers

  • one in seven companies has undertaken no form of security survey, audit or penetration testing.

    The study polled the views of 50 security and risk management professionals at major corporations, largely with international operations. Forty-six of the companies have a turnover of £500m or more; 37 have a turnover of £1bn or more.