Cory Davie, partner, Control Risks argues while the threat of terrorism is an incredibly small risk for most businesses, risk managers must still have a realistic, but practical, plan to assuage fears and keep the business on the front foot
At a recent talk on the key risks to Sydney, Australia, there was uproar in the audience that terrorism was listed behind such seemingly benign threats as infrastructure collapse and sea level rise. The litany of terrorist attacks, including the recent ones in Barcelona and Finland, make it seem like terrorism is the most pressing threat facing nations and businesses, while the reality is that it is still a rare event. However, where previously it was mostly a threat for emerging markets like Iraq or Libya, we are now seeing attacks in Western countries and at an accelerated rate.
As risk managers, it is our job to properly assess the threat and put it in context for businesses and figure out what is an appropriate response. But how do you assess such an unpredictable and emotive threat?
Is it a real threat?
Terrorism is certainly growing as a threat in Western jurisdictions, though from a very low base. While 2014 was the peak for global terrorism incidents, according to our data, this was due to a large volume of attacks in the Middle East and North Africa related to the conflict in Syria and its impact on neighbouring countries. Now those have somewhat abated (though still the highest globally by far), but in Western countries we have seen an increase in incidents, particularly if you include into the data the attempts and plots that have been disrupted.
The greatest increase has been seen in the US, France, Belgium and Germany, but Australia and the UK show similar rises.
Figure 1: Terrorist threat activity in Western countries
Even with this understanding of the raw numbers, it isn’t enough to say there are more incidents; what kind are they? There is no clear pattern to targets, though a strong emphasis on public space attacks is clear and a generally low number of incidents target commercial premises.
What is clear is the change in tactics. If we look at the past four years, the traditional methods we associate with terror, suicide bombing, vehicle-borne IEDs and missiles, are almost completely missing. Instead, it is vehicle ramming, knife and firearm attacks that now lead the pack. And this supports what we see in the online incitement from IS and al Qaeda, who encourage through their videos and newsletters simple tactics and a focus on soft targets.
So, in short, it is still a remote threat (we’re talking single digits in most cases), though one on an increasing trajectory. But realistically, while employees may be involved in hundreds of road traffic accidents or petty crime incidents in a year, even a tangential involvement in a terrorism incident will be what everyone focuses on.
Is that really a business risk?
Of course, just because something exists as a threat, doesn’t mean it is actually a business risk you need to focus on. In general, these attacks are not specifically targeted at businesses in the way that, say, environmental extremist campaigns may be. So, if you are a well-known brand or closely associated with, say, the US, there isn’t an inherent increase in threat.
What does increase the threat is where your businesses, and employees, are. High profile and symbolic locations, frequented by tourists and difficult to secure, will remain the primary target of such attacks and so, if your office is in such a location, there is a higher threat. The Al-Qaida magazine, Inspire, recently provided guidance on how to target infrastructure, particularly rail infrastructure, so a location near a transport hub also can increase the potential.
What can a business do?
The problem is that it becomes increasingly difficult to proactively provide security and support to your staff and assets when the threat is so diffuse. There is very little a company can actively do when the threat is not in the spaces they control, but the spaces around them. The critical elements to consider are:
1. Understand how specific your threat is– If your offices are all in rural manufacturing locations or suburban office parks, you probably have much less concern than, say, if you are in a central location in the countries highlighted as having increased incidents and returning foreign fighters. Have a clear understanding about where your greatest areas of threat are (recognising it no longer defaults to emerging markets, London may be riskier than, say, Astana for this particular threat). And, of course, consider where people travel to.
2. Have a plan – When the Lindt Café siege happened in Sydney, many of my clients called me, unsure how to respond. They had no mass messaging in place, no ability to locate or account for staff that were not in the office, no clear idea how to lock their office down when they didn’t have control of the base building and no idea where to get information from to separate rumour from fact. Consider how you would manage such an incident, exercise it and make sure the senior leadership are comfortable with that response.
3. Consider training for staff– The reality is that it is highly unlikely you will have any immediate control over the situation; it is much more likely, should such an attack affect your business, it will be that your staff member was having a coffee in a café. The only support you can give then is pre-emptive knowledge. Historically, mainly businesses in the US train staff on active shooter scenarios, which were focused on workplace violence, using the Run-Hide-Fight methodology and we are now seeing variations of this being used for terrorism-related incidents. While not fool proof, we have clear evidence from clients who have survived attacks that having been trained on how to look for cover and react in such a scenario can shave precious seconds off their reaction time.
The reality is that, as I said above, the chance of being caught up in a terrorism incident is still an incredibly small risk for most businesses, even as such incidents seem to dominate the news. However, as risk managers, we have to be realistic that all the numbers and statistics in the world will not control the internal perceptions in our businesses, so having a realistic, but practical, plan can assuage fears and keep the business on the front foot.