|
By Robert C. Chandler, Ph.D.
Because terrorists' tactics are constantly evolving, we
can anticipate that they will rely on a wide variety of disruptive and
deadly acts in the years ahead. Planners must therefore be prepared for
all conceivable terror threats.
Recent history suggests that disruptive terrorist events,
even at some distance from a company's facility, may disrupt routine operations
or put personnel and business at risk. Business continuity planners must
therefore anticipate and prepare for the potentially significant disruption
due to a terrorist attack.
The challenge for planners is that the tactics and methods
of terrorists are constantly evolving. As the security infrastructure
adapts to reduce vulnerability to attack by bombing, we can anticipate
that terrorists will turn to alternative and creative methods of terror.
If trends around the world are an early warning signal, perhaps terrorists
will next resort to executive kidnappings and assassinations, sophisticated
cyber-terrorism, and violent attacks against public space targets that
would generate the most shock and fear among the general population. Diligent
companies must take heed of these new realities and prepare accordingly.
Conducting a Terrorism Impact Analysis
(TIA)
One of the first priorities for a planner is to systematically analyze
the potential harm, disruption, and costs of acts of terrorism for the
organization and its specific industry, locations, and exposure. The goal
is the accurate forecasting of the threat risks of terrorism. However,
it is challenging to accurately predict the risks of local, regional,
and national terrorism attacks. Further, since there are a wide variety
of potential forms of terror attacks (i.e., cyber-terrorism, extortion,
bomb/explosion, invasion, assassination, kidnapping, hijacking, and chemical/biological
agents), it may be helpful to seek external resources, such as security
services, consultants, or law enforcement or government agencies to assist
in systematically reviewing the company's unique situation. Resources
are available from both private and public sector agencies to assist in
a TIA.
In conducting a TIA, it is important to take the process
of scanning for risks out of the sensational frame and into more specific
logical and well-thought analysis. Some companies, who have long used
risk models for natural disaster risk analysis, have begun to adapt those
resources to create probabilistic models for terrorism risks. One resource
to consider is the insurance provider. Insurance companies were mandated
by the Terrorism Risk Insurance Act of 2002 to offer insurance policy
coverage that includes acts of terrorism. While the legislation has set
coverage cap limits as percentages of the insurers' total coverage in
force, insurance providers nevertheless have been forced to dramatically
increase their analysis in order to set premiums for risk coverage. This
development has resulted in ever-increasing sophistication of insurance
risk analysis to the point where the capabilities to predict terrorism
risks are similar to the actuarial tables used for estimating natural
disaster risks or even individual heath/life insurance premiums.
The general process of assessing threats begins with a single
focal point within the organization (e.g. the potential of specific workplace
violence or single armed intruder) and then in a systematic fashion expands
the parameters to eventually consider how a national disruption of transportation
or utilities systems might impact operations. Every company should consider
all potential vulnerabilities. It is important to remember that terrorists
will always look for the most vulnerable spots to attack, and they always
"think outside the box." Consider, for example, that employees might be
most vulnerable waiting for a traffic signal in a turn lane just outside
of the facility's main entrance gate just before a major work shift begins.
Some basic guidelines to consider while preparing a TIA
are:
- Develop a method to assess suspicious events, deter malevolent acts,
and mitigate damage.
- Realize that it is difficult to predict how, when, or where a terrorist
will strike; therefore, everyone must be prepared.
- Have a crisis plan for all categories of terror events.
- Rapidly institute responsive control measures when terrorism occurs.
- Provide protection for personnel.
- Realize that implementation of planning for terrorism will require
close collaboration between the company and local law enforcement, emergency
responders, public health agencies, and government officials.
What to Plan For
The breadth of an effective impact analysis is significant in the post
9/11 world. Since September 11, 2001, research has suggested that four
threat risks are now considered as substantially higher risks by
planners: mass terrorism, acts of war, biological agents, and explosions.
The following were rated as higher risks: bomb threats, sabotage,
radiation exposure, civil disorder, airport proximity, computer attacks,
hazardous waste, work stoppages, chemical spills, kidnapping, assassinations,
and vehicle crashes. When considering all the above, it is important to
think about the absolute worst-case scenario as well as the most likely
risks in a threat analysis. This list should form the foundation of the
agenda for planners.
Armed Intrusions and Building Occupations
Attackers using small arms are a growing threat. Even "routine" workplace
shootings can prove disastrous for business continuity. A single disgruntled
employee with no training, no accomplices, no support, and with little
reconnaissance and preparation has been able in the past to penetrate
a variety of workplaces, systematically murder workers, and wreak havoc
on businesses. One must dare to imagine what coordinated, trained, well-supplied
terrorists might be able to accomplish with detailed support and advance
planning. The prospect of a business office or campus takeover, a media
spectacle hostage crisis, or instances of mass murder can not be ruled
out in the coming years of terrorist plots.
Kidnapping and Assassinations
One terror technique used in other parts of the world that could arrive
in North America is the attack against a prominent or symbolic individual.
Executive kidnapping and assassination threats should be taken very seriously
and incorporated into the planning process. Senior management and potentially
all employees who "symbolically" represent a company or nation are increasingly
at risk. Travel policies, executive security, protection during commutes,
and even home security are key steps in mitigating this threat.
Bombs and Explosions
Planners should instruct employees on how to respond to bomb threats,
how to record such threats when they are delivered, telephoned, or e-mailed
into the company, and how to evaluate the credibility of threats. Two
federal agencies, the ATF and FBI, offer resources, training, and model
plans for responding to bomb threats.
Explosions can be categorized by the delivery method and
potential location. Terrorists around the world have effectively used
automobiles and trucks to deliver substantial and deadly explosions in
public areas or against specific targets. Smaller explosions delivered
as packages, "pipe bombs," or other improvised explosive devices (IED)
have been secretly placed in trash cans, among shrubbery, in abandoned
packages, along pathways, and camouflaged so as to be unnoticed prior
to their detonation. The emergence of the walking "suicide-murderer" bomber
who can create fatal explosions in a business lobby, an eatery, or within
or near public transportation poses another realistic threat.
Chemical and Biological Weapons
(CBW)
Deadly toxic chemicals, viruses and germs, neurotoxins, diseases, deadly
gasses, and radioactive materials can all potentially become a terrorist
weapon. These weapons are likely to have the greatest impact if used in
places where there are large numbers of people, where structural confinement
concentrates the exposure, where the delivery of the agent can be accomplished
without drawing attention, and in many cases where repeated exposures
of the same individuals can be assumed. This makes places of work one
of the more tempting targets for a terrorist seeking a sensational act
of destruction and mayhem.
CBW agents can be delivered in a variety of ways: dispersed
via a facility's heating/ventilation/air condition (HVAC) systems, placed
into food or water supplies, sprinkled on the ground in front of entry
or exit portals, included with or on floral arrangements, inserted into
air fresheners or room deodorizers, included within explosive devices,
or mixed into cleaning supplies.
Mailroom Vulnerabilities
The U.S. Postal Service has created an informational campaign to educate
office workers about suspicious mail and packages and how to handle them.
In addition, the FBI has produced some good materials for training mailroom
personnel and office workers for handling mail in the wake of the anthrax
attacks in 2001.
Some planners might consider restructuring their mail or
receiving operations so that mail can be opened off site at a smaller
location, or outsourcing mailroom operations altogether. In such a case,
if a bomb, chemical, or biological threat is received by mail, exposure
would be limited to the off-site location and perhaps more easily contained,
putting fewer people at risk.
Hazardous Materials Contamination
A deliberate hazardous materials release can create dangers comparable
to any other type of terror weapon. From a small spill on a walkway leading
into a plant to a large-scale release of materials from a tanker truck
on a major highway near a company site, there are serious risks that must
be considered. Such deliberate acts may also occur within the facility;
some of these materials are easily transported into the workplace. All
companies therefore should be prepared for the potential of deliberate
hazardous materials release or contamination.
Utilities Loss or Disruption
The U.S. Office of Homeland Security has identified major utilities and
the national electric power grid as potential targets for terrorists.
Businesses in close proximity to generation or transmission stations are
inadvertent targets in attacks against such installations. In addition,
everyone is at risk for disruptions to utility services. If terrorists
manage to disrupt electrical supplies, water or gas service, telephone
transmissions, or other essential utilities, it could be a major impact
to all affected businesses. Consider, for example, how a long-term loss
of electricity, water, or gas would affect most operations, or how a terrorist
disruption to the regional or national power grid would impact business.
Summary
The threat risks considered above by no means form an exhaustive analysis.
Cyber-terrorism, car-jacking, and poisons are among the long list of threats
not discussed here. Nonetheless, one conclusion is clear: there are many
risks that face businesses and companies today, and all business continuity
and disaster recovery planners must be prepared for a wide variety of
threats. Many of the most common threats involve small-scale, readily
available technology including small-arms weaponry. Each risk threat should
be considered, and methods of mitigating the dangers should be discussed.
Prudent companies will carefully consider all reasonable precautions to
deter, prevent, mitigate, and respond to attacks such as the ones imagined
by malevolent actors.
About the Author
Dr. Robert C. Chandler is the Chair and Blanche E.
Seaver Professor of Communication in the Center for Communication and
Business at Pepperdine University in Malibu, California. Dr. Chandler
discusses initiating continuity planning for terrorism threats in his
2004 book, "Terrorism - How Can Business Continuity Cope?" He
also has written numerous articles, is a nationally recognized researcher,
frequent workshop and seminar leader and presenter, and a highly regarded
speaker to business, industry, and government audiences who specializes
in human factor and communication processes during crises, assessment
and training, behavior analysis, and the continuity planning processes.
He can be contacted via e-mail at robert.chandler@pepperdine.edu
or by telephone at (310) 506-4211.
|
