A crisis management programme provides a framework for an organisation to protect the safety and security of its personnel as well as its assets and information. An integral part of this programme is terrorism management which typically includes a set of strategies, policies, and procedures aimed at preventing, detecting, and responding to terrorist threats.
The cyclical crisis management process starts with a risk assessment to identify potential threats and vulnerabilities to an organisation’s personnel, customers, physical assets and information. Risks can be prioritised by analysing for likelihood and impact. Risks can range from threats to electronic data that focus on the economic assets of an organisation through to marauding weapons or bomb attacks which focus on the human assets of an organisation. In many organisations based in the United Kingdom, a risk assessment may well rate the likelihood of terrorist actions to be low as it would be perceived to be a rare occurrence, but the impact can be extremely high as shown by the Manchester Arena bombing which killed 23 people and injured over 1000. In addition to bombs, terrorist actions can be physical attacks, such as the stabbing of MP David Amess in 2021. Cyber-attacks may still be part of a terrorist strategy either to fund terrorism through ransom demands or to directly disrupt the dealing of an organisation.
Non-physical threats, such as cyber-attacks are seen as much more likely with 43% of organisational leaders expecting a cyber-attacks within the next 2 years according to the 2023 Global Cybersecurity Outlook report
– World Economic Forum. (2023). Global Cybersecurity Outlook
Given the array of terrorist threats they should be assessed and mitigated against in the same way as any other danger and, thus, are an integral part of any security and risk management programme. A key difference in threats from terrorist actors is that the likelihood may vary considerably depending on the threat level at any one time. A declining threat from one terrorist group may be countered by a rising threat from another. For example, Home Office data shows a rise in the numbers of arrests in the UK for terrorist offences from those with an extreme right wing ideology rising from approximately 3% in 2014 to 26% by 2022 whilst the threat from Islamist terrorists was declining.[1] The risk assessment can then be used to develop the policies and procedures that outline the organization’s security requirements, protocols, and response plans that incorporate terrorism prevention and response measures.
The threat level to the UK from terrorism is set by the Joint Terrorism Analysis Centre which is based within MI5 and comprises representatives from 16 government departments and agencies. It sets threat levels and issues warnings relating to terrorism both in the UK and overseas. The current threat levels are published on the MI5 website and are currently showing as “Substantial” to England, Scotland and Wales with the threat to Northern Ireland from Northern Ireland related terrorism recently raised to “Severe”. For organisations operating in an international context, the Foreign and Commonwealth Office provides information on terrorist threats abroad in its country-specific travel advice. All risk assessments must, therefore, utilise this external information in order to properly quantify the likelihood of particular types of risk occurring at a given point in time. If these sources of risk-assessment data are sufficiently acknowledged then other stakeholders involved in the process will have better situational awareness and will ascertain risk levels more accurately.
ProtectUK is a resource provided by the National Counter Terrorism Security Office that acts as an information hub for counter terrorism and security advice. It provides guidance on risk and response including relevant legislation that organisations need to be aware of and also includes an e-learning programme providing easily accessible resources for counter terrorism planning. It also has an App which provides easy access to up to date information and action cards relating to a variety of threats and situations.
Changes in legislation relating to terrorism will impact the governance of an organisation to ensure compliance. For example, the forthcoming Martyn’s Law in the UK will impose mandatory security obligations on certain organisations to protect from terrorist threats. This legislation was enacted after the Manchester Arena bombing with a view to better protecting public gatherings which may be targeted by terrorists. It is important, therefore, that the executive board of an organisation are aware and compliant with legislation such as this.
Policies and plans are an important part of managing a crisis, but the ability of people to properly implement these will make or break a response. Ongoing training and awareness programmes for personnel needs to include the terrorist threat, its impact on the organisation and the mitigation measures required to combat this. This needs to be complemented with regular drills and exercises that simulate a terrorist attack and rehearse the response of an organisation.
The most successful training and exercising programmes are those with a strong commitment from senior leadership. Involvement of senior leadership not only sets the tone of the importance of this issue to the organisation, but it allows them to observe the performance of their team against such a threat and gives them greater insight as to whatever improvements to policy and practice are required.
Embedding terrorism management into the operating culture of an organisation is part of the process of having a culture of security that prioritises the prevention of terrorism and other security threats. An example of this security culture is the British Transport Police “See it. Say it. Sorted” campaign which encourages members of the public to report any items or activity which they feel doesn’t feel right in order that the authorities will decide if it is important. This aim of normalising awareness of threats is embedding it in the everyday practice of those travelling on the railways.
A good example of how an organisation had correctly embedded terrorism management into its security practices is that of Morgan Stanley in the World Trade Center. Its security chief, Rick Rescorla, correctly identified the threat that terrorism posed to that building. Before the 9/11 attack the building had been subjected to a vehicle-based bomb attack and Rescorla correctly assessed this as a continuing risk and had regularly conducted evacuation exercises. This cultural awareness of the terrorist risk within Morgan Stanley combined with sound prior planning and rehearsal meant that over 4700 lives were saved.
As the risk landscape continually evolves, so the process of managing the terrorist threat is constantly evolving requiring a cyclical process of assessment, planning, training and exercising to ensure that an adequate and effective response is always in place.
_________________________________________________________________________________________________________
[1] Home Office. (2023). Statistics on the Operation of Police Powers under the Terrorism Act 2000. Home Office.