As both crime and terrorist threats increase, the world is awash with security theories and expertise on how to prevent them and, in some cases, how to deal tactically with the bad guys. One much-neglected area of security, however, is that of managing an incident as it unfolds. This is relevant to any protective service within the security space.
The vast majority of security implementations do not include sufficient preventive measures, and even less importance and effort are given to incident management should an incident occur. In effect, this leads to a culture within the security industry of “once an attack happens, we’ve lost and our job is done”, whereas in reality it is when an attack starts that security has the most influence and must do its utmost to limit the damage caused.
Regardless of how much money, equipment, construction, training or manpower an organization spends on security, once a determined and equipped attacker is at the target site, there will be some damage caused. This damage may be caused by the attacker or caused by security in order to stop the attacker, but the overwhelming odds are that someone will be injured, be it security, employees, guests or the attacker.
As a reminder, a very basic summary of the chronology of recent typical terrorist attacks:
- Planning and pre-attack reconnaissance
- Attack initiation
- Systematic and ruthless killing of victims
- Hostage taking and progressing to secondary and tertiary targets
- Systematic killing of victims
- Interdiction by official security forces
- Escape, suicide or killed in action
- Investigation, arrests and follow up actions
Most often, terrorists cannot be stopped at the front door, and very robust incident management strategies and procedures to mitigate the damage caused once an incident starts must be devised, implemented and maintained.
Let’s take a step back to basics and explore what effective security actually means. When protecting lives, security’s first and foremost task is exactly that: to protect life. Within the vast umbrella we term security, there are 4 interdependent fundamental pillars which enable effective security, these are:
All four pillars are interdependent, as they all serve each other, and each pillar has two functions: “Routine” and “Emergency”. “Routine” pertains to the day-to-day activities of the protected place, person or event, and is designed to prevent a hostile act without hindering those activities at all. “Emergency” pertains to reacting to an imminent or occurring threat in order to limit the damage caused, and in most cases will affect the day-to-day activities of the environment.
It is of primary importance to note that correct “routine (preventative)” procedures form the foundation for effective emergency procedures.
Now that the fundamentals have been presented, albeit at a very basic level, let’s examine the importance of correct emergency incident management.
The key processes in managing an emergency situation are as follows:
1. Identify that there is an emergency
2. Declare an emergency
3. Transition all systems to emergency status
4. Limit the damage and bring the emergency to an end
5. Recognizing end of emergency
6. Declaring end of emergency
7. Return to routine
The private security sector has grossly neglected points 3 and 4.
Most security personnel simply do not have any pre-defined routine or emergency procedures, and this is hugely detrimental to the security effort. “Call my supervisor/manager” is not an emergency procedure when every second equates to lives lost. I have assessed facilities which have basic preventative security procedures, such as sign-in procedures, turnstiles and sometimes magnetometers, but there are no robust procedures for when a suspicious person enters, jumps the turnstile, or weapons are detected at the magnetometer or baggage scan; in fact, at one strategic facility where I trained security behavioral specialists, the procedure when identifying a potential bomber was “call the police”. Folks, that will not work in reality. The bad guys do not play by our rules; they will not follow the arrows and will not abide by our rules.
As such, it will greatly contribute to the duty of care by security organizations when they realize that security is a serious business and not a check in the box business. Effective security is not “wait until something happens and we’ll play it by ear”. Understand your gaps, include the four pillars in your RTVA, and prepare for the worst, not just hope for the best.
My next article will describe the key processes when managing an emergency from a management perspective and thereafter from a tactical, ground level perspective.