Business contingency planning for a truly ‘effective’ lockdown security regime is a complex and challenging issue, especially within Australian workplaces, where building design has historically not been predicated upon security concerns. Perhaps because of this, and despite the heightened threat of terrorism within the community, many organisations have done little in preparation for a serious security incident, such as one involving an active shooter.

The reasons for this may vary widely; limitations caused by infrastructure, and a requirement for a high degree of public access are two key factors that can hamper emergency planning. Gaining explicit management support to practice realistic drills may also be difficult, and adequate resourcing may not be available to address the most critical security needs.

However, even those that have implemented good threat response and lockdown arrangements would invariably agree that there is no security solution that approaches anywhere close to perfect. Even when infrastructure and funding prove favourable and forthcoming, the nuances of any given scenario would invariably expose security vulnerabilities in established processes and systems. A disgruntled insider also has the potential to render any capability that is effective, largely redundant, as various recent events have shown.

Those that have seen an example of what might be regarded as a best-practice lockdown regime are in the minority. Indeed, many businesses are still in the early process of considering how to adjust their ‘AS 3745-2010 Planning for emergencies in facilities’ style contingency plans to account for such a regime in a procedural sense. This is exacerbated by volunteer-staffed Emergency Control Organisations (ECOs), the potential for key person/coordinator absence, and an unwillingness for management to address the nature of the security threat directly with staff.

The ANZCTC ‘Active Armed Offender Guidelines for Crowded Places’ [1] offer a helpful, albeit limited ‘Escape, Hide, Tell’ approach to personal protection, and other international jurisdictions also offer approaches based loosely on the ‘run, hide, fight’ concept. Much expertise will have gone into developing this simplistic approach, and it carries a lot of merit; a simple message is key in a confused situation.

The onus must then fall to those that operate facilities to take this to the next logical degree, rather than assuming an ‘everyone for themselves’ threat response doctrine, should the worst occur. People should be entitled to expect to have places/routes to escape to/through, or have been instructed on locations to hide, prior to such an event occurring. It is after all a reasonably foreseeable, if not a frequently realised, security risk.

The absence of advanced risk planning may be somewhat explained by dismissiveness within segments of the Australian community for the potential for an active shooter incident to occur (due to the lack of a significant history of such events here). It can thus be a difficult task to directly engage and educate workers on the subject.

This is not the case in some other countries. In Israel, as an obvious example, and “…because of nearly universal military training and the prevalence of firearms, many if not most terrorist attacks are stopped by civilians [2].” This is sadly assumed to reflect Israeli culture in the current day world, one which is underpinned by a shared history of violent acts within its communities.

Even here in Australia, people within the Jewish community are instructed to be cognisant of potential threats consequent to their faith, and global businesses are strongly advised on how to mitigate against the risk of such a violent act. The US also does the same through its Overseas Security Advisory Council (OSAC).

Frustratingly, few organisations in Australia appear to address the way in which an ECO could or should respond, when the opportunity to exercise a degree of command and control arises. It’s considered an indicator of the unconscious importance that management places upon the function. If an unfolding security incident is detected early for example, in a separate part of an occupied space/precinct, should the default initial option for the ECO be to escape, or to direct/assist others to escape via routes that they are intimately familiar with through their training?

Having said this, even when such security arrangements have been defined, things cannot be expected to go smoothly. In the US for example, and following a State District Court’s opinion, a company employing two (unarmed) security guards stationed at the entrance to a client site was fined more than $USD46.5M [3] after the guards failed to alert staff to the presence of an active shooter.

After more than several minutes of “…panic and confusion”, both guards called 911, but failed to notify those within the plant via a designated alert system. Three employees were subsequently killed, and one seriously wounded, before police arrived and took the offender into custody.

Clearly one of the lessons in this is the need for realistic drills, to ensure that those charged with carrying out specific functions during serious security incidents are programmed do so without pause. In Australia, and despite touching on the subject in security officer training curriculums, such training within the workplace context is very rare, and does not necessarily correlate with specific details about lockdown arrangements. More can be done.

LOCKDOWN CONSIDERATIONS

So, what should be considered in implementing an effective lockdown regime? Each context/site and organisation is different, but there are a range of principles and considerations that can be factored into planning. Some of the key ones include:

• Some organisations risk an impasse in trying to design an ideal solution – anything that can be done to improve the ability to save lives should be embraced.
• What are the most likely scenarios (i.e. how could they play out) that you are planning for, and have these been subjected to a risk assessment?
• Strongly consider dividing areas into zones, with safe-havens clearly identified (and hardened), and lockdown protocols defined for those spaces.
• Communications arrangements should be tested and assured. Consideration should be given to protocols and the need to communicate internally (among the ECO and to the wider employee/visitor base), and externally to Emergency Services, while not placing individuals in unnecessary danger. That is to say, the utility of mimic EWIS panels in the foyer will be next to useless in an active shooter situation.
• CCTV and its potential use in tracking an armed attacker and informing stakeholders accordingly.
• Modifying/designing infrastructure to support emergency planning, including access controls.
• Where one has been engaged, is it best to appoint a contracted guard force to the ECO role to ensure that wardens are always onsite? Or is it inappropriate to ‘outsource’ this function?
• More broadly, what role does the ECO play, and are expectations of its individual, and collective abilities realistic?
• Designated safe-havens should be adequately resourced – a lockdown may last for an extended period.
• If the opportunity exists, engage with local Police to familiarise them with your facility.
• Specialist and general employee awareness training is critical in underpinning all aspects of a lockdown regime. It should be tailored to account for workplace variables, and make clear the roles and responsibilities, and convey very clearly recourses available in different situations. This includes expectations of those taking shelter.

It is not the intent of this article to suggest that a good security lockdown regime is simple to achieve. Indeed, some of the issues, risks and threats identified cannot truly be overcome in many organisations, leaving a degree of residual risk that should be carefully considered and managed.

The very least that organisations can do however, is to understand what is available to them right now. Making sure that all employees are aware of the Government’s advice on Escape/Hide/Tell would be a very good start. Considering and communicating options on places to run, hide and who to tell would be just as beneficial.

Yours in security risk and resilience,

Konrad Buczynski

Industry Risk

Industry Risk is Australia’s shining light in solutions for Protective Security and Business Resilience. We welcome opportunities to assist entities in getting to a security baseline, then helping guide them in more advanced endeavours.