In the wake of the recent terror attacks in London, Australian businesses need to consider the risks to their own operations. Dan Smith looks at the pertinent lessons for organisations here and examines HR’s role in the process
In the wake of the recent terror attacks in London, Australian businesses need to consider the risks to their own operations. Dan Smith looks at the pertinent lessons for organisations here and examines HR’s role in the process
The London bombings of 7 July and the attempted attacks of 21 July have once again highlighted the vulnerability of the civilian population to al-Qaeda inspired Islamist terrorists. The attacks, similar to those of 11 March 2004 in Madrid, targeted commuters heading to work. They were a clear attempt to disrupt business activity in the UK’s capital and underline the avowed aim of certain Islamist networks to destroy the economies of Western states.
While the 7 and 21 July attacks targeted London specifically, the implications of these incidents are more wide reaching.
The threat to business was evident before 7 July. The US State Department estimated that international terrorist attacks worldwide against business totalled 1,902 from 1996 to 2001. In the same period, there were only 90 attacks against government-related facilities and 48 against military targets. Future attacks cannot be ruled out.
In the past, Australia has been largely immune from terrorist activity, mainly as a result of its relative geographical isolation, and non-activist foreign policy on the global stage. Both these factors have altered in the past few years and have contributed – although not created – a worsening security outlook for the country. It is now a prudent time for Australian businesses to consider the risks to their own operations and draw pertinent lessons from the London bombings. The role of HR professionals in this is critical.
Barriers to effective risk management
Firstly it is relevant to consider some of the responses by a number of companies since the bombings. Disturbing comments made to various media by business and political leaders include “we are already prepared”. Further statements imply that security now is only a concern for SMEs, the implication being that larger companies are protected, or that business does not need to think too hard about the matter because the police and other authorities will deal with any terrorist problems as and when they arise. Indeed, one international private security company representative has even suggested that companies had been thinking about security for a long enough period of time “and have taken all the steps you could reasonably expect them to take”. Beyond the obvious impact such a statement will have on his company’s bottom line, it reveals a worrying unwillingness to continually assess and review security procedures.
Security is often perceived as an unnecessary cost for companies, even when the risks are evident. This is not only unfortunate but short-sighted because there are direct and quantifiable business results to be had from the investment in security, which even go beyond simply better securing the company and far outweigh any cost. Risks to company assets are reduced – in terms of personnel and facilities – and therefore so are costs. Operations become more effective because personnel who have greater control over their environments are more productive and less distracted by concerns about safety. Employee relations and commitment may also improve. Finally, employers have an opportunity to fulfil their duty of care, which in turn decreases company liability.
Risks such as those posed by terrorism also have a transitory impact. While the bombings are unlikely to be forgotten, the business community will soon move on to another issue of importance. While this is only natural, it should be avoided. The lack of forethought and planning before a crisis does not necessarily expose the company to any greater degree to a particular risk, but it does ensure that the company’s response will be flawed.
Company structure
Perhaps the greatest barrier to effective risk management is the very structure of many companies. Risks companies might be exposed to are varied and therefore it is always important to consider risk analysis and risk reduction in a comprehensive and holistic way. It is vital to look at all the elements of risk as they affect one another, and then address those risks by integrated methods. Yet in companies where there are a number of individuals or departments with some input into security, responsibility becomes blurred. For instance, an employee suffering from stress (traditionally the domain of HR) may find that their vigilance over personal safety and security lapses (thus entering the preserve of the security department). Risks and threats are then inter-related. Failure to perceive this means an effective mitigation plan cannot be effectively designed or applied.
Often responsibility falls between risk managers, health and safety, security and HR. Nearly four years after the attacks of 9/11 this degree of complacency is unacceptable and dangerous. Unfortunately, there is often a complete absence of responsibility and accountability in a company structure regarding who is in charge of security-related matters.
It is vital that an effective structure is established to deal with risk and coordinate the response to identified dangers and vulnerabilities. This structure must be robust, with in-built redundancy – implementation of business continuity planning must not fall apart because one member of staff is on annual leave, although this redundancy must not blur lines of authority.
Ideally, the person or persons charged with protecting the company’s assets should have senior level representation so that issues can be raised at the highest level within the company and solutions be reported down (or vice versa).
Ineffective response
In the likely clamour to improve risk mitigation plans that will follow from the London attacks, businesses, if they do choose to improve their security, will do so in an ineffective manner. Most probably, companies will seek to improve their physical protection and look to potentially costly remedies such as CCTV and other technological solutions. While these might prove to be the best solution to your particular company’s needs, it is important to think about the risks and your vulnerabilities in a comprehensive fashion.
The start point in designing a risk mitigation system is intelligence. For a mitigation process to be effective, identify specific risks present in any given environment, along with an ‘as accurate as possible’assessment of a threat and the likelihood of an event happening. This is also important since it will help define the amount of contingency planning necessary, as well as the emergency procedures essential to any operation.
The monitoring of threat levels is also essential to ensure plans and procedures remain valid, and again this is dependent on good intelligence. A properly developed and effective risk mitigation plan will be flexible enough to adapt to any changes in threat or profile.
The role of HR in security management
The role of HR in reducing the risks companies and staff are exposed to is critical. HR’s function within the company is to enhance the performance of the workforce and in so doing improve the performance of the company. It has an input into every function of the company that requires personnel, effectively ensuring HR has a company wide presence. It is therefore natural to look towards HR as a facilitator of an effective risk management strategy. However, companies are exposed to various risks, and solutions must therefore be holistic. In a varied risk environment it would be unwise and unhelpful for HR professionals alone to assume the burden of responsibility.
The need for improved communication has proven to be a clear lesson from the London bombings, when within minutes of the attacks cellular phone networks and landline services collapsed under the volume of calls. Employees were unable to report into offices and office managers were unable to communicate with staff informing them of the latest developments.
Effective employee communication is essential in everyday operations let alone in times of crisis. While it is important that during a crisis HR performs a key communication role – explaining to staff what is occurring and if necessary providing counselling during and after an incident – it is essential the communication begins before this. A key problem in effective risk management is that security procedures, including business continuity plans, are drawn up and then left to gather dust. It is now well accepted that fire drills should be rehearsed frequently. Security drills should now be considered in the same manner. Staff communication should carefully and concisely explain what the company will do in a particular emergency and what is expected of each member of staff. It should also be noted that effective communication should not be unidirectional. It is important that staff concerns over security and other risks be raised via an appropriate channel.
One of HR’s major functions is to ensure personnel are adequately trained to fulfil their roles within the company. This has been extended to also ensure that personnel are trained in key life skills such as first aid. With regards to security awareness, training should emphasise the principle that individuals remain in control of their own destinies, or retain as much control as possible. It should give employees knowledge of predictable effects, whether human, physical or mechanical. Employees can then make valuable judgements and employ critical mitigation strategies, substantially reducing the risk to both them and colleagues.
Risk is a jigsaw puzzle, not a single picture. Addressing risks individually will never be adequate, particularly in light of the recent attacks and the potential for further. For this reason, in companies where risk management, health and safety, HR and security are separate departments, an amalgamated, holistic approach should be considered, and, at the very least, mandated and effective co-operation between the departments (most importantly including reporting to a board-level post) should be advocated. HR’s role is critical in this.
Dan Smith is a senior intelligence analyst with international risk solutions firm AKE Group. He can be contacted at [email protected]