Draft27-12
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Counter-Terror<br />
what scenario to test in your business:<br />
If you are running an exercise, and<br />
you choose a terrorism scenario, you<br />
want it to be credible. But what?<br />
That was the question posed<br />
by Richard Bond of the<br />
engineering consultancy Arup,<br />
speaking to the BCI World conference<br />
last month. “Because the last thing<br />
you want is someone saying, ‘that<br />
isn’t the way it will happen’, or ‘it<br />
couldn’t happen’.” As part of the<br />
resilience and security risk team at<br />
Arup, Richard assesses risk such<br />
as terror and crime. He began by<br />
asking: why spend time preparing<br />
for terrorism-related business<br />
interruption; surely it’s better to<br />
prepare for power outage or flood,<br />
something more likely? It depends, he<br />
added, on the nature of your business,<br />
and location. A terrorism disruption<br />
to your business is maybe less likely,<br />
but ‘it’s certainly not inconceivable’,<br />
even if indirectly.<br />
Reasons<br />
He offered some reasons: you<br />
may wish to rest resilience of your<br />
business against a specific threat<br />
you’re vulnerable to; or validate a<br />
new policy or procedure; you may<br />
be at credible risk of an attack; or<br />
may want to re-assess a business<br />
continuity plan. As for how sustained<br />
an interruption can be, Richard<br />
pointed out that Borough Market was<br />
shut for 11 days after the London<br />
Bridge terror attack; Manchester<br />
Arena, 109 days after the May bomb;<br />
and Brussels Airport 13 days after<br />
its bombing last year. Richard has<br />
been monitoring changing terrorism<br />
risks to businesses for ten years.<br />
There’s a wealth of information out<br />
Keeping it real<br />
there, he said; in fact, it can quickly<br />
lead to ‘information overload’. Given<br />
that time is limited, you have to<br />
risk-assess. How likely is a risk, and<br />
what’s the impact. Machine learning<br />
algorithms may be able to categorise<br />
and prioritise the risks; or it might<br />
be just you and an internet search<br />
engine. He suggested that you think<br />
of ‘actionable output’; for example,<br />
a change in the attractiveness of your<br />
target (the next speaker, Chris Moore,<br />
head of business continuity at the<br />
BBC, admitted the broadcaster was<br />
vulnerable, as seen - inaccurately -<br />
as an arm of the UK Government).<br />
Might terrorists’ preferred weapons or<br />
attack locations affect you?<br />
Collection<br />
Richard showed an intelligence<br />
collection plan, ‘very much a live<br />
document’, and went into Arup’s own<br />
terrorist threat monitoring. How then<br />
to use those outputs? Namely, that the<br />
most credible terror attack methods in<br />
the UK now are vehicles as weapons,<br />
in public places, or placed improvised<br />
devices (IEDs) or person-borne<br />
attacks with edged weapons, IEDs<br />
or firearms? One of the best uses, he<br />
suggested was to use that to inform<br />
exercises, as an ‘evidence-based threat<br />
assessment’. “It may be tempting to<br />
base a test on worst case scenario,<br />
but better to validate plans against<br />
a credible threat,” he said. He went<br />
into more detail. Inside or outside?<br />
What scale? What attacker tactics - an<br />
‘edged weapon’ or car? In an airport,<br />
it might be a single person with IED<br />
in a terminal check-in counter or<br />
‘meet and greet’ area. A wider-scale<br />
attack will require a bigger security<br />
cordon. A later speaker, Len Johnson,<br />
business resilience lead at The Cooperative<br />
Bank, spoke of how police<br />
tried to include the main CIS Tower<br />
office in Manchester inside the Arena<br />
cordon in May; the Co-op was able<br />
to talk the police into allowing the<br />
front entrance to stay outside the<br />
cordon. Likewise Richard suggested<br />
testing your ability to continue normal<br />
operations after loss of access to<br />
a building. As for hotels, Richard<br />
recalled after the Nice attack of July<br />
2016 hotels - although not directly<br />
affected by the lorry attack - served<br />
as triage centres for the injured. If an<br />
armed terrorist entered your lobby,<br />
how would that affect your evacuation<br />
plan? Attackers may make a barricade<br />
or take hostages.<br />
What if<br />
What if your building becomes a<br />
crime scene, and staff feel unwilling<br />
to return? A table-top exercise should<br />
include security, IT and public<br />
relations; and the blue light services,<br />
to understand how they respond,<br />
and what they may require of you.<br />
Richard summed up; terrorism risks<br />
aren’t static, but can be monitored; it’s<br />
valuable to test a scenario, as relevant<br />
to you as possible, in developing<br />
resilience in case of attack. p<br />
Borough Market last<br />
month, scene of a June<br />
terror attack. Training<br />
scenarios should be<br />
realistic; but might<br />
that only frighten some<br />
people? Below: antiram<br />
attack bollards at<br />
Heathrow Airport<br />
Photo by Mark Rowe<br />
About a test<br />
exercise in brief<br />
l Understand the 999<br />
services’ JESIP (Joint<br />
Emergency Services Interoperability<br />
Programme)<br />
terms. Visit jesip.org.uk.<br />
l Talk with neighbours<br />
(maybe share costs?).<br />
l Ensure all staff know it’s<br />
an exercise, so they don’t<br />
mistake it for real.<br />
l Set clear objectives;<br />
what are you testing. Crisis<br />
comms, leadership,<br />
decision making?<br />
l Define end and start<br />
times; stick to the scenario.<br />
l Don’t time the exercise<br />
to clash with some vital<br />
everyday business.<br />
l Agree a codeword or<br />
phrase to stop the exercise<br />
in case of real emergency.<br />
l Hold an immediate<br />
de-brief. Write your<br />
recommendations and<br />
amend processes<br />
accordingly.<br />
l Consider having an<br />
ex-police ‘facilitator’ who at<br />
de-brief is better able to<br />
criticise senior managers<br />
(in a constructive way).<br />
www.professionalsecurity.co.uk DECEMBER 2017 PROFESSIONAL SECURITY 41<br />
p41 BC 27-<strong>12</strong>.indd 1 17/11/2017 11:26