Why simulating a terrorist incident is one of the toughest challenges in crisis management
The dynamic, unpredictable nature of terrorist incidents should be mimicked in companies’ simulation exercises to strengthen their resilience.
Many large organisations carry out crisis simulation exercises once or twice a year, often allocating a short amount of time to carry out the exercise.
Information flow is very good, because the aim is to get the crisis team to the decision-making phase as quickly as possible.
However, the terrorism incidents that occurred earlier this year unfolded in seconds and minutes and were very dynamic. At the same time, information was scarce and there was a lot of confusion.
As a consequence, realistically simulating such an event is a challenge for businesses. Justin Priestley, executive director of crisis management at Arthur J Gallagher, says: “Companies have to make these scenarios more realistic and plausible, where information is very scarce, it’s very dynamic, they’re being pressurised by various internal and external stakeholders, the media are asking for a statement to be made, and so on.”
Companies’ crisis management response needs to be very agile, adds Lyn Webb, director of corporate security at Regester Larkin by Deloitte. “The crisis management plan needs to be clear and concise – and the more adaptable that plan the better, as it will enable companies to be really quick and slick with their response,” she says.
Many companies have made it a priority to understand how good their crisis management plan is, says Webb. “You can’t plan for every single scenario, but you can go a long way through rehearsal to make yourself very resilient.”
According to a recent study by Gallagher, many large corporates anticipate and understand the risks they face, but they are less certain about their crisis management response if such a risk were to materialise.
Paul Bassett, managing director of Gallagher’s crisis management practice, says this is because many departments are working in silos. “Good crisis management requires internal co-ordination, which is much more challenging for bigger companies due to the larger number of people and different departments involved, which might not necessarily co-ordinate together.
“Without that internal collaboration and communication, you can’t be successful in becoming more resilient. But that co-ordination is challenging. It’s tough and it takes time and effort to make it work and make the company more resilient,” he adds.
According to Bassett, carrying out crisis simulations on a regular basis will help companies prepare for a real crisis situation and help avoid common mistakes – such as demanding too much information, which results in decision paralysis.
“Companies that have not prepared for these types of situations demand more and more information. They don’t stop, take stock of the information, make a decision and go to the next phase,” he says.
“They get stuck in demanding more and more information and in that demand for information, they make no decisions and end up in decision paralysis. And if you haven’t prepared for that or haven’t rehearsed in that environment, it’s quite a difficult situation to get out of.”
Working with the authorities
When managing a crisis related to terrorism, other important considerations include the actions of other agencies and organisations. “If you’ve got a crisis that is disrupting your business, then you as a business are usually leading that crisis response,” says Webb.
“But if it is something outside of your business, even if it is on your premises, and it is a crime such as terrorism, you need to understand what the authorities will be doing in that situation. It’s about realising that you are supporting rather than leading the crisis. Developing relationships with the local police, for example, is therefore really important.”
Terrorist attacks tend to focus on soft targets nowadays, so the impact on businesses is often limited to being caught up in a security cordon or related to the duty of care to their employees.
During March’s attack on London’s Westminster Bridge, for instance, an employee of one of Gallagher’s clients administered first aid. They needed some posttraumatic stress counselling afterwards, Priestley says, adding that these are the sort of costs for which many businesses don’t have insurance cover.
Given the spate of terrorism attacks across Europe in the past few years, terrorism is now more tangible for an increased number of people.
As a result, employees are driving organisations to think about their crisis management plans in relation to terrorism risk.
Priestley says: “Employees are more situationally aware, savvier and increasingly questioning their organisations. ‘If we were to suffer an attack, how are we going to be able to deal with that? What if a bomb threat comes into our building? If there would be a police evacuation, where are we going to evacuate to? What level of reassurance can you give me?’”
More people and businesses are being affected by attacks by homegrown terrorists, who are in and amongst our society, he says. “If you look at the incidents in Manchester and London, there is a tail to those incidents where the police were conducting investigations in other parts of the UK and lifting people out. Those people that are lifted out will have relatives, they’ll be working somewhere, they’ll have hired a car from somewhere, they’ll buy their food from somewhere.”
The crisis can therefore not always be predicted, says Bassett. “One of our clients once got a call from a journalist: ‘You employed one of the attackers in one of the recent terrorist attacks. What checks did you do about that person?’ So, this business is in no way near the terrorist incident geographically, but they may have employed one of the attackers at some point in the last ten years. That’s something you can’t really plan for. How do you deal with that?”