This is the second blog in a four-part series focused on the analysis of an active shooter prevention program. This post concentrates on planning and preparation once your organization has established that an active shooter risk could transpire.
So now what? Your security team has suggested that an active shooter risk is a reasonable danger to your organization and you should start planning and preparing your program. Does this mean that you and your colleagues should immediately go out and take the first high-speed, low-drag tactical class you can find and acquire as much gear as possible? No, this means that you need to identify all the missing facets of a comprehensive active shooter program and begin plugging the holes to help ensure each employee within the company is aware and empowered to mitigate the risk of violence.
Too often I encounter programs that overly focus on the “reactive” elements of an active shooter agenda. But if we actually take a close look at what is needed, we begin to realize that little has changed in what we should be doing. Perhaps the assessment noted that the risk of a well-orchestrated attack conducted using carbines and/or explosives is more likely than the lone gunman style of attack. However, in the big scheme of planning and preparation for most companies, the style of attack changes very little when considering the reality of all the contributing elements to a comprehensive program. A well-rounded plan should mitigate any unwanted act of violence, whether it comes from a knife wielding customer or more dangerous former employee with knowledge of your building and a carbine. An inclusive strategy may include:
- Policies with C-suite buy in
- Partnership between program stakeholders such as legal, communications, human resources and security
- Training designed to develop your employee base into good collectors of information and communicators for signs of violence
- Instruction for your supervisors to better spot unwanted behavior and mitigate the risk that may contribute to conflict
- Engagement with supporting resources, including employee assistance program (EAP), crisis counseling, emergency response teams, law enforcement, specialized security providers, expert legal services, forensic psychologists and threat assessment professionals
- Training for your threat management team incorporating periodic tabletop exercises
- Appropriate layering of security
- Integration of intelligence programs such as your insider threat and protective intelligence programs, to improve the likelihood of early threat identification
One gap I regularly find when interviewing stakeholders is their perspective on the human resources and security partnership. Human resources typically indicate they work together with security (i.e. they call security right before a situation escalates). The unfortunate news is, this isn’t collaboration, this is trading one risk for another. Failure to consult early with your security partners leaves those employees at the same danger that your human resources personnel faced. Perhaps the security team can handle the crisis a little better, but why put them in that position? The company should want to make the best use of every tool they have. If the security team is not trusted to do more than stand at the door, then perhaps you have the wrong security team.
Careful analysis based on my own observations and review of active shooter incident reports, will quickly bring to light that your scrutiny of the program must start beyond the front door of the building. By the time a committed assailant has entered your front door, the body count has already started rising. Take a lesson from the shooting at Charlie Hebdo’s offices in Paris, Francewhere the attackers first entered the wrong building before entering the right office, yet they still had time to bypass security and commit a horrific event. Consider ways to better recognize an attacker before they are inside the first layer of security. Many companies deploy surveillance teams to monitor persons of concern or establish surveillance detection programs to facilitate early recognition of planning. What can you do to help ensure your security team is vigilant? Do you ever test them with red team exercises when purposeful penetrations are committed by third-parties? Keeping the security team on their toes naturally reinforces their observation skills. Once exposed, the group starts to investigate suspicious activities much more carefully, they begin to talk with each other about questionable persons and become proactive reporters.
Creating a comprehensive active shooter program is not for the light hearted and in some cases I have seen these plans take years to develop. Waiting ensures one thing, you won’t be prepared should an incident occur.