Planning for the Worst: Terrorism and Workplace Violence
Several recent manmade events, including the attack at Pulse nightclub in Florida and the Belgium airport terrorist bombing, highlight the vulnerability of the workplace. Workplace violence costs employers over $120 billion a year, according to the National Institute for Occupational Safety and Health (NIOSH). As the chance of an onsite attack rises for employers, the focus on mitigation is increasing.
According to several security experts, most instances of workplace violence are committed by one person acting alone. So-called lone wolf attacks are difficult to predict, since most terrorism models are used to predict larger, bomb attacks, explained Charlene Chia, senior risk consultant with AIR Worldwide, who spoke on terrorism risk during a recent Marsh webinar.
Tarique Nageer, terrorism placement advisory leader for Marsh’s Property Practice, explained that there has been an increase in frequency in attacks against civilian targets, including more lone wolf attacks resulting in more deaths. The potential costs associated with lone wolf attacks include property damage, business interruption, as well as employee injuries and losses.
According to Chris Flatt, leader of Marsh’s Workers’ Compensation Center of Excellence, workplace risk has increased as more attacks occur in less secure locations.
“Terrorism is absolutely a workplace risk. We’ve seen many examples, unfortunately, of terrorist attacks in the last few years happening at or near workplaces, which includes the recent Orlando shooting. The victims there included both employees and customers of the nightclub,” said Flatt. “The San Bernardino shooting last December also occurred in a workplace setting. The Paris attacks in November included several people being shot in or near restaurants or bars in the theater, with employees there being among some of the victims.”
He said there is recognition of a shift in terrorism towards attacks on softer targets.
“Of course, there still remains the risk of large scale attacks in major metropolitan areas, for example with the bombings earlier this year in Brussels, but we’re seeing more of these lone wolf attacks in less secure locations including workplaces unfortunately,” Flatt said.
According to Flatt, the reauthorization of the Terrorism Risk Insurance Program Reauthorization Act in 2015 led to the stabilization of the workers’ comp market. The new bill is effective until Dec 31, 2020. Under its new requirements, the aggregate loss trigger increases from $100 million to $200 million.
Prior to the reauthorization, he said employers shopping for workers’ comp coverage faced a difficult marketplace.
“Workers’ comp insurers were being very selective in the risks that they would accept,” Flatt explained. “In some cases insurers were being overly opportunistic in terms of how they were pricing coverage. Just simply, some were refusing to renew certain accounts.”
Flatt said even state funds, otherwise known as markets of last resort, were concerned that they could be flooded by a large number of employee concentration risks, pushing them beyond what their potential risk appetite is.
The reauthorization restored workers’ comp insurers’ appetite for concentrated risk, he said.
“As a result, once it was reauthorized the appetite from the insurance market to cover terrorism in concentration risks and workers’ comp came back…to levels that we saw before the uncertainty about TRIPRA had cropped up. Even since then we’ve really had a much more viable marketplace for employers,” said Flatt. “The majority of our clients are able to secure rate reductions year over year on the worker’s comp programs which means really that they’re able to obtain worker’s comp terrorism coverage at competitive rates, as well.”
The first step to mitigating risk is to determine the exposures a business faces in the wake a violent attack in the workplace. Chia said AIR’s terrorism models can be used to evaluate workers’ comp exposures.
“Clients can now perform accumulation reanalysis from workers’ compensation exposures in the U.S. Instead of accumulating replacement values or insured value, the accumulation is now based on the number of employees at a given location,” Chia explained. “This can be divided between the day, evening or nightshift. You can also create custom deterministic scenarios or run the probabilistic model to calculate your losses by injury type.”
According to Flatt, a key factor in workers’ comp modeling is large employee concentrations and the associated loss potential. Insurers want to know the number of shifts at a location, whether campus settings exist and the maximum number of employees in a particular building at any given time.
“Insurers really want to understand with precision the risks that individual companies present to them, and from an employer’s perspective it’s not really just a matter of sharing payroll data,” explained Flatt. “Really the bottom line here is that the better the employee and exposure data that you can provide to your insurers, the more credible your modeled output is going to be and ultimately that will be reflected in your pricing and really the markets appetite for your risk,” Flatt said.
Crisis management planning, the next step in mitigating risk, is meant to consider every type of crisis and risk that an organization faces as well as what the senior level response to a situation will be.
“There are different thresholds for activation of the plan,” Flatt said. “Some smaller scale incidents might not trigger the plan, but something like an act of terrorism or a workplace shooting affecting one or more of your locations certainly would. If an event meets this triggering threshold, the plan activates a crisis management team.”
That team should include representatives from different functional areas of an organization, Flatt said.
“The primary purpose of the team is to coordinate the organization’s response to the event. That includes communicating with and assisting employees and their families in the wake of the incident, working with law enforcement and many other actions,” Flatt said.
He emphasized the importance of having a plan in place pre-attack.
“The reality is once you’re in the middle of a crisis nothing’s going to feel like normal day to day operations,” said Flatt. “In other words, when you get to the point that you’re dealing with an actual crisis that shouldn’t be the first time you’ve thought about how you’re going to respond to it.”
The plan should encompass different scenarios and procedures to address different forms of violence, including active shooter incidents or other types of terrorist attacks, Flatt said.
“Employees should complete awareness training on what to do when faced with these types of incidents,” Flatt said.
According to Jim McGinty, vice president of Training and Safety at Covenant Security Services, Ltd. and a consultant with the Department of Homeland Security (DHS), it’s important to recognize the type of situation that is occurring.
During a 2011 Active Shooter Awareness Virtual Roundtable held in Washington, D.C., McGinty explained that there are two types of situations. A dynamic situation is rapidly evolving and includes shooting and moving; a static situation is one where there is no movement, such as when a person is barricaded in a room.
At the roundtable, Samuel Mayhugh, Ph.D., a consultant with the DHS, described three general types of shooters:
Jonathan Bernstein, a former U.S. Army Intelligence officer and owner of Bernstein Crisis Management, explained that published research suggests close to 95 percent of employers are either completely unprepared or seriously under-prepared for a crisis of any kind.
“It’s not usually until they’ve had at least once significant crisis that they start getting better prepared,” Bernstein said.
The crisis management specialist routinely conducts vulnerability audits, which he described as broader than an insurance risk assessment, looking for red flags that indicate something might go wrong.
“Most of the time, there are huge gaps in preparedness for workplace violence,” he said. “Until the wheel squeaks hard enough and it applies to them very personally, they don’t even want to open the door to crisis preparedness because they see it as additional workload on top of their already busy workload. They see it as an expense versus seeing it as an investment, because you can’t just have a policy. You have to have training to go along with it, refresher training on an ongoing basis and sanctions for not following the policy.”
Bernstein explained that there are four categories of professionals that can assist employers in becoming better prepared for the possibility of a terrorist or workplace attack:
As a strategist, Bernstein reviews vulnerabilities in manufacturing, marketing and public relations.
“We’re looking at physical threats and reputational threats,” explained Bernstein.
Once a plan is in place, he recommended table top drills be repeated yearly once full training is accomplished. All employees sit in the same room during a tabletop exercise, Bernstein said.
“The scenario’s introduced. The team by then already has a plan, because you don’t do those unless you’ve already got a plan created because the idea is to demonstrate you know how to use the plan for this situation,” he said. “The different members of the crisis team tell the trainer, ‘Okay we’re going to do this. We’re going to do that. We’re going to call John. We’re going to call Mary.’ The trainer might say, ‘Okay, you can’t reach Mary. What do you do now?’ or ‘You’ve just gotten word that John and Mary were both killed over in the next building so now what do you do?’ Variables are thrown in either randomly or at set times and we watch how the team reacts,” said Bernstein.
The exercise ends with a critique of their actions, he said. While these exercises are helpful, they aren’t adequate in and of themselves.
“A tabletop exercise alone is woefully inadequate in dealing with workplace violence because nothing short of physical practice really gets people prepared. One of the most extreme acts of workplace violence in its own way was 9/11,” Bernstein said. “The fact was that people who knew how to get out of that building no matter the smoke and fire and who were still alive are people who had practiced it before and had…physical drills regularly, since the first bombs in the World Trade Center some years before.”
In terms of a disaster exercise, Bernstein chooses scenarios based on what’s most probable for a particular client. That can differ based on the product or services a business offers.
“It may take two or three different types of practices if you think you’re vulnerable to multiple different types of attack. There should be at least once-annual drills,” Bernstein said. “Spokespersons should get some refresher media training twice a year, at least. Whoever is responsible for maintaining a contact list …is responsible at least twice a year again to update contact lists that might be associated with their plan.”
No matter how much work a crisis management plan may seem to entail, in the long run it will save lives and protect property from damage, Bernstein said, noting that if a business remains unprepared, the cost of the civil lawsuits resulting from an incident could close it down.