“ You have to be here if you want to be regarded as a key player in the security market. Founder & CEO STROPS TECHNOLOGIES “ 27,658 79% £20.7bn visitors from 116 countries of visitors come to source new products total budget of visitors to IFSEC 2017 Enquire about exhibiting at IFSEC 2018: ifsec.events/international Proud to be supported by: IFSEC 2018 A4 Ad.indd 1 30/10/2017 16:58:36
Counter-Terror what scenario to test in your business: If you are running an exercise, and you choose a terrorism scenario, you want it to be credible. But what? That was the question posed by Richard Bond of the engineering consultancy Arup, speaking to the BCI World conference last month. “Because the last thing you want is someone saying, ‘that isn’t the way it will happen’, or ‘it couldn’t happen’.” As part of the resilience and security risk team at Arup, Richard assesses risk such as terror and crime. He began by asking: why spend time preparing for terrorism-related business interruption; surely it’s better to prepare for power outage or flood, something more likely? It depends, he added, on the nature of your business, and location. A terrorism disruption to your business is maybe less likely, but ‘it’s certainly not inconceivable’, even if indirectly. Reasons He offered some reasons: you may wish to rest resilience of your business against a specific threat you’re vulnerable to; or validate a new policy or procedure; you may be at credible risk of an attack; or may want to re-assess a business continuity plan. As for how sustained an interruption can be, Richard pointed out that Borough Market was shut for 11 days after the London Bridge terror attack; Manchester Arena, 109 days after the May bomb; and Brussels Airport 13 days after its bombing last year. Richard has been monitoring changing terrorism risks to businesses for ten years. There’s a wealth of information out Keeping it real there, he said; in fact, it can quickly lead to ‘information overload’. Given that time is limited, you have to risk-assess. How likely is a risk, and what’s the impact. Machine learning algorithms may be able to categorise and prioritise the risks; or it might be just you and an internet search engine. He suggested that you think of ‘actionable output’; for example, a change in the attractiveness of your target (the next speaker, Chris Moore, head of business continuity at the BBC, admitted the broadcaster was vulnerable, as seen - inaccurately - as an arm of the UK Government). Might terrorists’ preferred weapons or attack locations affect you? Collection Richard showed an intelligence collection plan, ‘very much a live document’, and went into Arup’s own terrorist threat monitoring. How then to use those outputs? Namely, that the most credible terror attack methods in the UK now are vehicles as weapons, in public places, or placed improvised devices (IEDs) or person-borne attacks with edged weapons, IEDs or firearms? One of the best uses, he suggested was to use that to inform exercises, as an ‘evidence-based threat assessment’. “It may be tempting to base a test on worst case scenario, but better to validate plans against a credible threat,” he said. He went into more detail. Inside or outside? What scale? What attacker tactics - an ‘edged weapon’ or car? In an airport, it might be a single person with IED in a terminal check-in counter or ‘meet and greet’ area. A wider-scale attack will require a bigger security cordon. A later speaker, Len Johnson, business resilience lead at The Cooperative Bank, spoke of how police tried to include the main CIS Tower office in Manchester inside the Arena cordon in May; the Co-op was able to talk the police into allowing the front entrance to stay outside the cordon. Likewise Richard suggested testing your ability to continue normal operations after loss of access to a building. As for hotels, Richard recalled after the Nice attack of July 2016 hotels - although not directly affected by the lorry attack - served as triage centres for the injured. If an armed terrorist entered your lobby, how would that affect your evacuation plan? Attackers may make a barricade or take hostages. What if What if your building becomes a crime scene, and staff feel unwilling to return? A table-top exercise should include security, IT and public relations; and the blue light services, to understand how they respond, and what they may require of you. Richard summed up; terrorism risks aren’t static, but can be monitored; it’s valuable to test a scenario, as relevant to you as possible, in developing resilience in case of attack. p Borough Market last month, scene of a June terror attack. Training scenarios should be realistic; but might that only frighten some people? Below: antiram attack bollards at Heathrow Airport Photo by Mark Rowe About a test exercise in brief l Understand the 999 services’ JESIP (Joint Emergency Services Interoperability Programme) terms. Visit jesip.org.uk. l Talk with neighbours (maybe share costs?). l Ensure all staff know it’s an exercise, so they don’t mistake it for real. l Set clear objectives; what are you testing. Crisis comms, leadership, decision making? l Define end and start times; stick to the scenario. l Don’t time the exercise to clash with some vital everyday business. l Agree a codeword or phrase to stop the exercise in case of real emergency. l Hold an immediate de-brief. Write your recommendations and amend processes accordingly. l Consider having an ex-police ‘facilitator’ who at de-brief is better able to criticise senior managers (in a constructive way). www.professionalsecurity.co.uk DECEMBER 2017 PROFESSIONAL SECURITY 41 p41 BC 27-<strong>12</strong>.indd 1 17/11/2017 11:26