Draft27-12

Counter-Terror
what scenario to test in your business:
If you are running an exercise, and
you choose a terrorism scenario, you
want it to be credible. But what?
That was the question posed
by Richard Bond of the
engineering consultancy Arup,
speaking to the BCI World conference
last month. “Because the last thing
you want is someone saying, ‘that
isn’t the way it will happen’, or ‘it
couldn’t happen’.” As part of the
resilience and security risk team at
Arup, Richard assesses risk such
as terror and crime. He began by
asking: why spend time preparing
for terrorism-related business
interruption; surely it’s better to
prepare for power outage or flood,
something more likely? It depends, he
added, on the nature of your business,
and location. A terrorism disruption
to your business is maybe less likely,
but ‘it’s certainly not inconceivable’,
even if indirectly.
Reasons
He offered some reasons: you
may wish to rest resilience of your
business against a specific threat
you’re vulnerable to; or validate a
new policy or procedure; you may
be at credible risk of an attack; or
may want to re-assess a business
continuity plan. As for how sustained
an interruption can be, Richard
pointed out that Borough Market was
shut for 11 days after the London
Bridge terror attack; Manchester
Arena, 109 days after the May bomb;
and Brussels Airport 13 days after
its bombing last year. Richard has
been monitoring changing terrorism
risks to businesses for ten years.
There’s a wealth of information out
Keeping it real
there, he said; in fact, it can quickly
lead to ‘information overload’. Given
that time is limited, you have to
risk-assess. How likely is a risk, and
what’s the impact. Machine learning
algorithms may be able to categorise
and prioritise the risks; or it might
be just you and an internet search
engine. He suggested that you think
of ‘actionable output’; for example,
a change in the attractiveness of your
target (the next speaker, Chris Moore,
head of business continuity at the
BBC, admitted the broadcaster was
vulnerable, as seen - inaccurately -
as an arm of the UK Government).
Might terrorists’ preferred weapons or
attack locations affect you?
Collection
Richard showed an intelligence
collection plan, ‘very much a live
document’, and went into Arup’s own
terrorist threat monitoring. How then
to use those outputs? Namely, that the
most credible terror attack methods in
the UK now are vehicles as weapons,
in public places, or placed improvised
devices (IEDs) or person-borne
attacks with edged weapons, IEDs
or firearms? One of the best uses, he
suggested was to use that to inform
exercises, as an ‘evidence-based threat
assessment’. “It may be tempting to
base a test on worst case scenario,
but better to validate plans against
a credible threat,” he said. He went
into more detail. Inside or outside?
What scale? What attacker tactics - an
‘edged weapon’ or car? In an airport,
it might be a single person with IED
in a terminal check-in counter or
‘meet and greet’ area. A wider-scale
attack will require a bigger security
cordon. A later speaker, Len Johnson,
business resilience lead at The Cooperative
Bank, spoke of how police
tried to include the main CIS Tower
office in Manchester inside the Arena
cordon in May; the Co-op was able
to talk the police into allowing the
front entrance to stay outside the
cordon. Likewise Richard suggested
testing your ability to continue normal
operations after loss of access to
a building. As for hotels, Richard
recalled after the Nice attack of July
2016 hotels - although not directly
affected by the lorry attack - served
as triage centres for the injured. If an
armed terrorist entered your lobby,
how would that affect your evacuation
plan? Attackers may make a barricade
or take hostages.
What if
What if your building becomes a
crime scene, and staff feel unwilling
to return? A table-top exercise should
include security, IT and public
relations; and the blue light services,
to understand how they respond,
and what they may require of you.
Richard summed up; terrorism risks
aren’t static, but can be monitored; it’s
valuable to test a scenario, as relevant
to you as possible, in developing
resilience in case of attack. p
Borough Market last
month, scene of a June
terror attack. Training
scenarios should be
realistic; but might
that only frighten some
people? Below: antiram
attack bollards at
Heathrow Airport
Photo by Mark Rowe
About a test
exercise in brief
l Understand the 999
services’ JESIP (Joint
Emergency Services Interoperability
Programme)
terms. Visit jesip.org.uk.
l Talk with neighbours
(maybe share costs?).
l Ensure all staff know it’s
an exercise, so they don’t
mistake it for real.
l Set clear objectives;
what are you testing. Crisis
comms, leadership,
decision making?
l Define end and start
times; stick to the scenario.
l Don’t time the exercise
to clash with some vital
everyday business.
l Agree a codeword or
phrase to stop the exercise
in case of real emergency.
l Hold an immediate
de-brief. Write your
recommendations and
amend processes
accordingly.
l Consider having an
ex-police ‘facilitator’ who at
de-brief is better able to
criticise senior managers
(in a constructive way).
www.professionalsecurity.co.uk DECEMBER 2017 PROFESSIONAL SECURITY 41
p41 BC 27-12.indd 1 17/11/2017 11:26