When it comes to planning, the translation of thoughts into realities is normally far more involved than simply writing them down and asking someone to make them happen. Of course, our own human judgements influence how things will be done. Phillip Wood examines the role of variables in risk management.
The challenge involved with any type of planning is significant. Anyone who has ever been required to plan anything in detail will be aware that – certainly in the early stages when the problem is presented to them – even thinking about planning is difficult. It can often be tricky to maintain focus on the important aims and overriding objectives.
In attempting to make informed judgements, the perceived effectiveness of response and protective measures has traditionally been based on a combination of anticipation, information and intelligence assessment as well as a suitable selection of mitigation measures.
There may also be an element of chance and luck involved in detecting and deterring any type of malicious activity, in turn adding to the range of variables which complicate an attempt to manage risk.
Without variables, and in an ideal world, application of the risk management fundamentals of assessing the probability and impact of an event should allow the potential ‘target’ to mitigate risk effectively. It could well be argued that, if potential targets manage to make what they consider to be an accurate risk assessment, and then duly act upon it, they’ve responded effectively by managing the risk to some degree.
Potential targets may be able to prevent impact upon themselves, then, but successful action may contribute towards helping adversaries make their next targeting decision, shifting them towards another type of target or otherwise forcing them to select a different modus operandi.
Variables in terrorism
Let’s look at variables in terrorism. We begin from a premise that we know what ‘terrorism’ means. Generally, we don’t. Terrorism has multiple definitions, but a terrorist can employ explosives, bladed weapons, handguns, suicide attacks, automatic weapons, surface-to-air missiles, land vehicles, aircraft and ‘hazardous’ substances. The list goes on.
All are variables, and that’s before we even begin to consider the motivations, ideologies and level of determination to see an attack through to its conclusion. We cannot really plan to protect against terrorism itself. Rather, we must plan to mitigate the effects of any combinations – or types – of attack.
The issue is a complex one and requires concerted efforts in order to provide any chance of countering the threat(s). However, this isn’t to say that planning and preparation cannot be effective in managing terrorism risk.
Fundamental to any successful planning and implementation of response and mitigation measures is the need for the potential target to ensure that activities are based upon the correct assessment. If unpredictability is taken as read – and difficulties faced in implementing responses due to the complications and variables discussed above are also understood – then the secret of success must lie in addressing all factors wherever possible.
Where this is impossible, some attempt has to be made to mitigate risks, either by manipulating the threat – which is unlikely – or by configuring the organisation to respond – or otherwise protect itself – in order to survive.
That’s good in ‘planning world’, but in the ‘real world’ the imposition of multiple layers of protection may place an intolerable hindrance upon the organisation’s ability to operate on an effective footing. No operational activity will be served by restrictive security measures, with the risk that these measures, although necessary for security, will not be accepted by the organisation.
Unless based upon compelling and accurate risk analysis, terrorism risk may be unable to attract funding when the organisation's more immediate concerns, and its prime focus, might be operational or financial.
Given that the nature of an attack may not be easy to accurately assess, there could be value attached to putting in place a contingency management programme which will allow for response and recovery in the event of terrorist attack. Fundamentally, the mitigation effect is in fact one of damage limitation. In the event of an organisation suffering the impact of an attack on neighbouring organisations or Critical National Infrastructure, such a plan may be the only viable option for survival.
In this sense, the risk management process will have taken a turn from the imposition of situational measures towards the provision of response architecture that allows continuity.
Paul Wilkinson follows this very argument in ‘Terrorism versus Democracy’*, but considers the use of previous examples to be a viable method for influencing the organisation. “In relatively quiet times, it may be hard to keep up with the crisis management and emergency planning activity. They [senior management] need to be reminded of the appalling potential costs of failure to cope if a crisis strikes.”
Of course, we all know of the ‘It cannot happen here’ attitude, with the associated resistance to efforts. However, the value of assessing the impacts upon people, property and information and illustrating the after-effects through providing examples of ‘dollar loss’ may be our greatest ally.
By way of thorough analysis of all possible impacts, the potential targets could reap the greatest available benefits from the risk assessment process. Management by response may be the best that they can hope for, particularly so when the lion’s share of organisational funding is directed elsewhere.
However, if we do have resource, and when there’s a corporate will to protect the business, we can distance the attacker from the target. When correctly implemented, the ‘layering’ of physical and technical security combines building and infrastructure design and location of assets and access points, access control, alarm systems and CCTV.
Cohesive systems of physical and logical controls will allow an organisation to continue its legitimate operations while its people are properly protected. Ideal arrangements will also involve a balance between a physical presence and the use of technology.
Cause and effect
In terms of resilience rather than pure security protection, it can be distracting to think too much about cause rather than effect. The motivation and rationale for adversary activity is for criminologists to determine, while resilience isn’t about criminology any more than it’s about purely business continuity.
The threat environment is characterised by a wide range of risks and adversaries who aim to target individuals, groups and organisations. There’s an almost infinite number of threats, risks, vulnerabilities and motivations which may converge, happen in isolation or even simply be accidental. Regardless of the cause, the consequences are the problem.
It’s clear that – both in terms of risk to people themselves and the business and reputational risks facing management who have a responsibility in their functions to protect them – the problems can be real, long-term and prejudicial to the future effectiveness of an organisation. For many businesses, behavioural issues (ie ‘the way things are done’) can render potential problems even more difficult. You may have non-specialists (or specialists who are not very special) running your resilience management function. Perhaps they’re neither trained nor experienced in risks, impacts and realities. Maybe the resilience effort is convenience-led, wherein the priority seems to be set for the benefit of your management processes rather than to provide the security and safety that ought to be in place.
It’s mainly a question of unity of thought and purpose while understanding principles and risks. When facing, for example, terrorism and its ability to cause immense destruction, prudent potential targets are compelled to plan and prepare. Managing the potential for acts of terrorism to take place is in effect out of the hands of the potential victim.
However, potential targets should not consider that all elements of risk are impossible to manage. Targeted and directed planning of response and recovery based on the predictable aspects of the threat scenario (ie what resources and recovery capabilities can be effectively activated) will limit the chances of the inevitable – and ultimately predictable – destruction extending and worsening, and therefore afford the organisation a fighting chance of survival.
The increasing resilience challenges we face in the 21st Century will, it’s fair to suggest, continue to arise, metamorphose and occupy organisations and individuals as time goes on. Technology brings immense benefits and commensurately immense challenges. The opportunities that our expanding knowledge and capabilities offer can also engender equally expanding difficulties and issues.
Phillip Wood MBE MSc is Head of the School for Management and Professional Studies and Head of Department for Security and Resilience at Buckinghamshire New University
*Wilkinson P (2006), ‘Terrorism versus Democracy’, London: Routledge