Modern Britain has been subjected to high levels of terrorist activity for many decades, with a wide range of militant groups targeting businesses and organisations. The number and diversity of perpetrators is vast, ranging from the high profile terror groups such as the many factions formed within the IRA, down to lone-wolf type attackers, some of whom have never had their goals discovered. This high level of activity is something of a double-edged sword. On one hand, it does mean that the UK’s anti-terror infrastructure is well established. Intelligence gathering is arguably amongst the most efficient in the world, and the many lessons that have been learned over the years stand the various authorities and departments tasked with counter terror roles in good stead. However, on the other hand, after many years of high profile attacks and threats, it does make today’s terror landscape look less volatile. This can give rise to a reduced emphasis being placed on countering the threats associated with attacks. The signs of complacency are increasingly evident in a wide range of environments, and despite the global risk accelerating, UK businesses and organisations are arguably less prepared to deal with incidents than they were a decade ago. That terror-based threats are difficult to legislate against was dramatically underlined in 2001 when the attacks on the World Trade Centre and the Pentagon shocked the world. Following the attacks, almost every business, organisation and authority quickly adopted a heightened level of awareness of the risks and threats that terrorism created. Probably one of the more significant factors relating to the awareness created was that it highlighted that there were very few businesses that were not vulnerable to some type of attack. Additionally, the events of September 11 2001 showed that terrorism was not something that an organisation could insulate itself from. The sheer audacity of the attacks showed that terrorists were prepared to go to unimaginable lengths to strike at a target. This made it very clear that preventing all terror-related incidents was never going to be possible. This meant that efforts to counter the threats had to be made on two fronts. Intelligence and actions against terror-based organisations, and the prevention of attacks, was a priority. However, it was also imperative that businesses and organisations were equipped with the policies, procedures and infrastructure to recover if an attack should occur. Evidence has shown that without both elements in place, the impact of terror-related incidents can be significantly more damaging. It is reported that when the 1996 bombing of the Arndale Centre in Manchester took place, more than 400 businesses within half a mile of the blast were affected. Within six months of the incident, 40 per cent of those had gone out of business. Terror-related attacks not only cause death, injury, damage to property and psychological scarring. They also can cause widespread disruption to services, transportation, critical infrastructure, etc.. Even where a business or organisation survives an attack, the longevity of the disruption that follows can sometimes cause more damage than the actual incident. A widespread threat To better understand the risk landscape related to terrorism, it is worth considering the aims of terror groups. The concept” in as far as a ‘terror’ campaign is designed to attain a goal” is to gain recognition, publicity or advantage over a perceived enemy by way of a regime of fear, threat or violence against persons, premises or property. More often than not, the final goal will be to influence opinion, either politically or culturally. To understand the often seemingly random and varied targets of terrorism, you only need look at how attacks in recent years have optimised their impact” both with regards to publicity and the creation of terror” whilst minimising the risks to those who perpetrate the attacks. Whilst what may initially be considered as high risk targets include military establishments, government buildings and prominent members of national and international political organisations, such targets do not actually make up the majority of sites or individuals at risk. Attacks are commonly targeted at businesses, public transport, car parks, pubs, clubs, shopping centres, schools, residential areas, etc.. These are softer targets than the perceived high risk establishments, but additionally have more scope to spread fear. It is the creation of terror that is seen as a pivotal element in the exertion of influence, as the goal is often to generate a public outcry and reaction. During times of high alert, many of the so-called ‘soft’ targets increase their overall security and levels of business continuity. As a collective action, this creates an atmosphere in which the execution of terror attacks becomes higher risk for the perpetrators. However, as the threats are perceived to diminish, so the ‘it won’t happen to me’ mentality increases, and both security and business continuity become less fastidious. Softer targets are also attractive as failure to fully execute an attack denies the terrorists the publicity and the recognition that they are trying to achieve. If anything, a failed attack could work against their aims, increasing public determination and resolve against the attackers’ cause. It can also be viewed as a humiliation for the terror group concerned. Terrorism is not limited to international, or even national, causes. Defining the perpetrator of terror-related acts illustrates just how diverse the attackers can be, which also highlights how varied targets can also be. When considering terrorism, many people automatically think about dissident groups fighting for political or religious causes. Whilst it is true that this does seem to be the situation in the majority of high profile incidents, it is worth remembering that there are many lower profile incidents which occur that should be termed as ‘terrorism’. This is because they involve an individual or group seeking to gain recognition, publicity or advantage over others by way of creating fear, a threat or violence against persons, premises or property. Indeed, often those who carry out such attacks may be encouraged to do so following higher profile events occurring around the world. Such copycat attacks or attempts to gain notoriety off the back of other incidents typically look for the weakest of targets. Experience shows that carrying out an act of terror does not require an advanced knowledge of weapons, an international network of supporters or a high level of finances. Campaigns have been waged by disgruntled ex-employees, opponents to schemes or businesses (even on a very local level), small (and often seemingly disorganised) factions supporting political or cultural groups, etc.. As with potential targets, there is no catch-all definition for those that businesses and organisations should be protecting themselves against. The right solution When considering the risks and threats, it becomes very clear that there is no hard and fast solution to either the problem of terrorism, or to the disruption that terror-related events (and hoaxes) can create. Acts against a business, organisation or authority can take a wide variety of forms, and come from a varied cross-section of potential attackers. Therefore, as has been proven all too often, in many circumstances there are few patterns to spot which may indicate where the next attack or threat will come from. Additionally, because many terrorist attacks occur in easily accessible public areas, a balance must be achieved between total protection and ease of business operations. By way of an example, any site which is perceived to be under threat has a duty to employees and visitors to the area to take reasonable precautions against attack. However, where there is a reliance on ease of access and interoperation in order for a business to flourish” such as with a shopping centre” any increase in security and continuity protection which either affects ease of access, or which creates a level of unease, will only have a detrimental effect. Admittedly, managing risk mitigation is somewhat easier for the traditionally higher risk sites such as power stations, governmental departments and military establishments. On such sites, a heightened level of security is not only usual, but is also expected, both from those who are authorised to be there and from visitors. Indeed, it is the heightened security at such sites that often leads to attacks either being carried out on weaker targets, or being executed in ways which are very difficult to predict or prevent. A mix of security and vigilance is called for at all sites. However, when planning for any terror-related incidents, it must be accepted that the security in place, coupled with the vigilance of all who are on site, still might not be sufficient to thwart all attacks. Therefore, robust and resilient continuity planning must be in place. Often, such planning will not only be required to address any damage to the property which the business or organisation utilises, but also for external infrastructure on which the business relies. This can include telephony, networks and data communications, power, water and other critical utilities. Additionally, consideration must be given to other aspects of the following investigations and clean-up. Transport infrastructure can be subject to significant delays, roads are closed, and reconstruction work can affect traffic flow for long periods of time. It is not just businesses in the location of an attack that can be affected. Disruptions to the supply chain can occur, if significant suppliers or customers are affected by a terror-related attack. This further increases the complexity of any business continuity planning, and makes such incidents difficult to manage. In summary Terrorism is, without doubt, a crime against society in general, and as such all aspects of society will be vulnerable to the impact of these incidents. Whilst this is not to say that action against terror attacks is futile” indeed there is much that businesses and organisations could do to enhance their levels of protection” it is important to realise that the area to be protected extends beyond the physical structure of a premises. The protection of people and property is a significant concern. However, continuity planning should not be ignored. In a significant number of cases, it is the period after an incident” and the problems faced as a long-term result of the consequences” that can critically affect the performance of an organisation. The threats of terror-related incidents are not always immediately obvious. Typically, they do not conform to a rigid and predictable set of actions or deeds. This makes them more fluid, resulting in a requirement for a complex risk management approach. For example, in order to prevent theft-related crimes, many businesses simply need to prevent intrusion at their premises. This can often be achieved with the use of electronic security systems, physical measures, security officers and control of who is able to access specific parts of a site. However, mitigating risk from terror-related incidents requires a more holistic approach. There are many positive steps which can be taken to lessen the potential impact of terror-related incidents. Such attacks should be high on the agenda for many businesses and organisations, and risks must be managed to ensure a level of stability and sanity in modern life. Policies and procedures must be implemented to protect people and property, and to ensure continuity in the days, weeks, months and even years after an incident.