Have I Done Enough? Active Shooter Vulnerability Evaluation

This is the first blog in a four-part series focused on the analysis of an active shooter prevention program. This post concentrates on conducting an assessment to provide clarification of the threat and vulnerabilities as well as acting on recommendations.

Driven, in part, by media hype manipulating fear, and the popular pitch of “everyone else is doing it”, the active shooter consultation has become standard practice in the security industry. Don’t mistake my comment to mean we shouldn’t pay attention, but this problem isn’t a new one. It has evolved and changed over time due to a variety of factors, however the basic concept hasn’t differed drastically. All companies can be victims of violence and should take the time to assess whether their vulnerabilities enhance the risk.

Attempting to rationalize that an active shooter incident will never happen to you or your organization, or that your company does not have “those types of employees” are, well, ill-informed conclusions to make given the evolution of active shooting incidents globally. The educated risk manager would do much better understanding how well prepared their organization is for such an event. A proper assessment may provide the clarity that security management needs to prepare a mitigation strategy.

For most, an active shooting incident is considered a low probability, high consequence event, however the evolution of “copycat shooters”, ISIS sympathizers and select mentally ill persons intending to inflict violence, has elevated the likelihood for an event to occur. This is especially true for soft targets such as universities, schools, public events and places of worship.

Following the industry model of risk = threat + vulnerability, we can begin to outline a structure for the assessment of risk. In order to first understand the threat, we have to look at all of the variables that impact the likelihood of such an incident. Using the U.S. Department of Labor’s categories as a starting point, we can better quantify where the risk may come from. These categories are:

  • Type I – no known relationship
  • Type II – legitimate business relationship such as customer, vendor, etc.
  • Type III – employment relationship
  • Type IV – current or former intimate partner of employee

Structuring specific evaluation criteria for each category will shed further light on the potential threat. The first category of Type I violence is likely the easiest. Collecting local crime data and gaining an understanding of the significance of your organization as a target from an outsider perspective can help quantify the value. But when we enter Type II to Type IV data, things get a little fuzzier. What is the likelihood that an employee’s spouse will approach a workplace and commit an act of violence against them or others? How likely is it that a terminated employee will come back to exact revenge? How about the vendor that failed to screen their staff and retained a felon? Things get rather murky now as data on these types of events is not published as frequently. After all, the FBI report on active shooters included findings up to 2013 and while this document provided some fantastic data, these reports are not generated every year, much less every five years. A lot happens in five years. Therefore, other factors must contribute to the assessment to help add clarity. Items such as:

  • Incidents of violence within the specific sector
  • Tolerance of violence and conflict within particular cultures
  • Level of social disruption in the organization’s history as well as projected disturbance

Once all the factors contributing to the likelihood of a threat are gathered, the risk manager can begin the process of evaluating organizational vulnerabilities. They must reach deeper than a site security survey which is no more than a casual walk thru and review of vulnerabilities. They must look at policies and procedures (or lack thereof) that contribute to the susceptibilities of the company. Is there a culture of information segmentation between security and legal? Is the security mindset overly focused on reactionary elements and unaware of proactive steps that can be taken? Is the human resources team aware of the American Society for Industry Security (ASIS)/Society for Human Resource Management (SHRM) standard?

The list of questions goes on, but in the end, the skilled risk manager can provide a map to minimize their risk of violence in the workplace.

About Chuck Tobin

Related Posts