Crisis Management

Plan to Survive

Employers are still slow to take the necessary steps to ensure that their organizations are prepared for violence.
By: | January 25, 2016 • 11 min read

You’re at your desk, engrossed in a report. From somewhere on the other side of the building, you hear a loud muffled noise. Furniture-moving mishap? Backfiring car? It barely registers in your mind until you hear it again.

Then you hear screams. The icy grip of fear tightens your chest. There’s a shooter in the building.

Your vision blurs for a moment as you try to decide in that split second what to do next. Fifteen minutes from now, you will either be a survivor, or you will be a statistic.

Armed killing sprees have long been a troubling fact of life in the U.S. and elsewhere. As far back as August 1966, Charles Whitman opened fire from the clock tower of the University of Texas at Austin, killing 16 people and wounding 31.

The massacre shocked and horrified the world in 1966. But in 2016, our capacity for shock has been dulled by the increasing frequency of the type of violence we now commonly refer to as active shooter incidents.

In 2015, there were 330 incidents in the U.S. in which four or more people were shot or killed using firearms, resulting in 367 deaths and 1,317 injuries. Incidents at schools, universities and public spaces took up most of the media attention until December, when an employee of the Inland Regional Center in San Bernardino, Calif., left work and returned with his wife and a small arsenal of firearms. Fourteen people were killed, and 22 were wounded. Suddenly employers that gave workplace violence only a passing thought began asking “What if it had happened here?”

The question is long overdue. The FBI reports that 45 percent of active shooter incidents occur at places of business, making them the most common target for these attacks.

Be Proactive

There are multiple categories of active shooter or other workplace violence situations. The San Bernardino shooters are alleged to have had ties to terrorist factions, but acts of political terrorism in the workplace are rare. Acts perpetrated by unstable individuals are far more common, as are domestic violence incidents.

Without question, there are situations where a target is chosen at random, and there is absolutely no way an employer could have seen it coming. But more often there are signs or signals along the way — red flags, both subtle and obvious, that were brushed off or even deliberately ignored out of a reluctance to create conflict. That is a mindset that desperately needs to change, say experts.

“Many of the incidents that we see could have been avoided because there were clear precursors,” said Sean Ahrens, Aon Global Risk Consulting’s Security Consulting practice leader. He adds that “incidents where there’s a straw that broke the camel’s back are happening more and more.”

The culture of silence happens for a variety of reasons. Coworkers don’t speak up for fear they’ll be branded as troublemakers. Employers worry they will be accused of defamation or discrimination if they take a hasty action against an employee.

In the well-intentioned quest to create a solid, documented case for taking action, sometimes employers wait too long. The results can be tragic.

Experts agreed that risk managers must work to cultivate a “see something, say something” culture. To increase the chance of being able to identify a burgeoning threat, experts strongly advise employers to have a means in place for employees to report concerns anonymously.

Sean Ahrens, security consulting practice leader, Aon Global Risk Consulting

“Employers should afford as many ways as possible to communicate this information,” said Ahrens. That could be an online email form, an anonymous hotline, a third-party hotline, or whatever methods make the most sense for the organization.

From there, an internal threat assessment team can gather further intelligence and decide how to proceed or attempt to de-escalate the situation. Simply terminating an at-risk employee isn’t necessarily the smart play, and could actually make things worse. Crisis management experts can be a useful resource for employers working to avoid a misstep.

The Survival Plan

The bottom line for risk management is that there is no iron-clad means to eliminate the risk that your workplace will experience an active shooter event. Even the best preventative measures have to be backed up by a solid emergency plan paired with response protocols spelling out what needs to happen during an event.

Communication is the first line of defense. A clear warning can give everyone out of the line of fire a better chance of evacuating safely. The simplest method is using overhead audio such as a P.A. system.

“Don’t use codes, just plain English,” said Ahrens. Be straightforward: “There’s an aggressor in the building near the Northwest stairwell. We’ll provide updates when available. Evacuate now if you can, or shelter in place.” Then provide continuous updates, he said.

Other environments may require additional measures. A noisy manufacturing floor or warehouse, for example, may need to use a strobe light to alert workers to turn off machines so that they can hear the emergency message.

What happens after the warning is broadcast will likely make the difference between life or death, which is why failure to train employees is not a valid option.

Michelle Colosimo, director, Black Swan Solutions

“Yes, you have to call 911,” said Michelle Colosimo, director of Black Swan Solutions, “but look how quickly these events can [unfold]. You now need to leverage your own employees to make sure that they’re doing the right things to help keep themselves safe.”

In 2012, the City of Houston produced a 6-minute video called “Run. Hide. Fight.,” funded by the Department of Homeland Security. The video has become the standard training model endorsed by the FBI and DHS for teaching civilians how to protect themselves and others around them.

Other training models have gained traction, such as “Avoid, Deny, Defend,” but most have the same underlying message at their core:

    * Escape if you can do so safely
    * If not, then get to a location that can be locked or barricaded, if possible
    * Fight back as a last resort, using any improvised weapon within reach

“You don’t have a means in place to be able to take down that gunman,” said Colosimo, “nor do you want to be encouraging employees to try to take down that gunman. So what are you doing to help educate and train them? Because it’s really up to the employee to make the right decisions.”

Some risk managers may find upper management squeamish about the phrase “active shooter training,” because their perceptions have been shaped by stories in the news about unannounced active shooter drills that traumatized employees.

The goal of drills is not fear, it’s understanding, said Mike Payne, organizational resilience manager at iJET International.

“You want to walk everybody through and talk everybody through what the expectations are, where the decision points are, and how to effectively respond.”

Jay Hart, director, Force Training Institute

“This kind of training is very easy to get wrong. It’s very easy for it to be fear-based,” said Jay Hart, director of Force Training Institute. “I’ve noticed that’s what a lot of executives struggle with.”

Those same misperceptions may tempt some to provide training without drills, but that strategy is ill-advised, experts said, because in an emergency, there’s no accounting for how people might respond without a frame of reference.

Most will revert to habit – perhaps attempting to exit the building via their normal exit route, even though that route might be in the line of fire. Others may simply freeze in place.

“When chaos strikes and fear takes over, we’re typically not thinking clearly,” said John Stevens, senior vice president at Keenan.

“I think you’d be amazed by how many people would just sit at their desk and process that information,” agreed Ahrens. Drills help people move past that paralysis by ingraining the right behaviors and turning them into reflex or “muscle memory.”

“[They have to] go through the motions, pretend something is happening — make sure they actually have to take those steps necessary to protect themselves, kind of like a dry run,” said Colosimo.

“Give them all of the tools and the means necessary.”

Drills are important not only to help employees refine their instincts, she added, but also to identify potential flaws in the emergency response plan.

“It may look great on paper,” she said, but when you actually test it, you may find that some escape routes are obstructed or that a particular route didn’t lead where you thought it would.

Keep in mind that there’s always the potential for some employees to react negatively to whatever training you provide. But Ahrens suggested putting it in perspective.

“You have people saying, ‘I can’t believe you showed us that, that training was over the top.’ But if they remember it during an incident, I think it’s worth the couple of people who don’t like it.”

Far-Reaching Repercussions

While employers are no longer burying their heads in the sand about workplace shooter risks, most are still a long way from being truly prepared.

Mike Payne, iJET International

“People are putting plans in place,” said Colosimo, “and maybe [some are] training people. But when you get to the drill level, specific to active shooters, those numbers are still low. And that’s what needs to change.”

Risk managers may still be struggling to get the buy-in they need, and the problem doesn’t necessarily revolve around the bottom line. Taking steps toward active shooter preparedness can involve some uncomfortable decision making, explained Payne, so “by not having a background in handling those types of risk decisions, it creates a level of denial. And while that is a response, it’s not the preferred one.”

To help the C-suite move past reluctance, experts recommend framing the language in terms of safety as well as presenting the bigger picture and the potential impact to the business.

While the frequency of an active shooter incident may be less than any other risk that a business faces, stressed Stevens, “the severity and the magnitude of the circumstance become greater than anything else they face because you’re dealing with human lives.”

In the aftermath, the fallout would likely be a tangle of workers’ comp and liability claims related to fatalities and potentially catastrophic injuries. Property damage could be extensive in some situations, and many organizations could face significant business interruption expenses. In addition, questionable security procedures or a failure to respond to threats made prior to an incident may expose employers to a Pandora’s box of employment liability actions.

“In the world we live in now,” said Ahrens, “courts aren’t going to recognize ‘We didn’t see it as a risk.’ ”

As if that wasn’t enough, some businesses could find themselves in violation of workplace violence prevention laws, which are on the books in several states. And many companies may not even be aware of their obligations under OSHA.

While there is no federal workplace violence standard, OSHA asserts that it has the authority to cite employers for failing to take steps to prevent workplace violence under the General Duty Clause, which requires employers to keep workplaces “free from recognized hazards likely to cause death or physical harm.” Courts have generally agreed.

In addition, some say, there are multiple OSHA standards related to emergency action plans and job hazard training that can be interpreted to apply to active shooter training. Those claims have not yet been legally tested. But if the frequency of incidents continues to climb, it may only be a matter of time.

Reputational harm is also a very real possibility — not just among customers, but among vendors. Some companies may choose not to do business with a company they perceive as having lax security measures. Not least of all is the company’s reputation among both existing and prospective employees.

“If you have a workplace where people don’t feel safe, they’re not going to come to work,” said Colosimo. “If they don’t come to work, your productivity is gone.”

Insurance recovery may not be as straightforward as some assume. In the wake of a workplace shooting, business interruption losses may or may not be covered depending upon policy wording.

Workers’ compensation typically will cover costs related to injuries or fatalities that occur at work. However, a targeted, personal attack on an employee with a clear motive that is unrelated to the workplace — such as an attack by a jilted spouse — could negate some workers’ comp claims because it falls outside of the “scope of employment.”

Workers’ comp costs can wreak havoc on employers and insurers. The California death benefit of $250,000 for a single dependent survivor was multiplied many times over for those who died in the San Bernardino attack. But those who survive such an event with catastrophic injuries can potentially cost 10 times that amount over the long term.

Until recently, there were no insurance products designed specifically for the risk of gun violence. But Willis Towers Watson now offers active shooter insurance. The coverage was intended for universities, but the company is now fielding inquiries from hotels, hospitals, and other institutions.

The policies, underwritten by Beazley, an affiliate of Lloyd’s, can cover up to $5 million of liability against claims that the company didn’t take the necessary precautions to prevent a mass shooting. It also covers the “on the scene” costs of a shooting incident, as well as any counseling or consulting expenses needed after the event.

What companies need to guard against is being lulled into false assumptions about the scope of the problem. After 9/11, there was a similar spike in interest in protecting workplaces from violence, noted Colosimo.

But eventually the interest waned, as the media moved on to fresher territory. Her hope is that it won’t require more incidents like San Bernardino to keep risk managers focused on what needs to be done.

“We’ve got to keep the momentum going because this isn’t stopping,” she said. “People have to be prepared.”

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

Cyber Liability

Fresh Worries for Boards of Directors

New cyber security regulations increase exposure for directors and officers at financial institutions.
By: | June 1, 2017 • 6 min read

Boards of directors could face a fresh wave of directors and officers (D&O) claims following the introduction of tough new cybersecurity rules for financial institutions by the New York State Department of Financial Services (DFS).

Prompted by recent high-profile cyber attacks on JPMorgan Chase, Sony, Target, and others, the state regulations are the first of their kind and went into effect on March 1.

The new rules require banks, insurers and other financial institutions to establish an enterprise-wide cybersecurity program and adopt a written policy that must be reviewed by the board and approved by a senior officer annually.

The regulation also requires the more than 3,000 financial services firms operating in the state to appoint a chief information security officer to oversee the program, to report possible breaches within 72 hours, and to ensure that third-party vendors meet the new standards.

Companies will have until September 1 to comply with most of the new requirements, and beginning February 15, 2018, they will have to submit an annual certification of compliance.

The responsibility for cybersecurity will now fall squarely on the board and senior management actively overseeing the entity’s overall program. Some experts fear that the D&O insurance market is far from prepared to absorb this risk.

“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters,” warned Fitch Ratings in a statement. “If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”

D&O Challenge

Judy Selby, managing director in BDO Consulting’s technology advisory services practice, said that while many directors and officers rely on a CISO to deal with cybersecurity, under the new rules the buck stops with the board.

“The common refrain I hear from directors and officers is ‘we have a great IT guy or CIO,’ and while it’s important to have them in place, as the board, they are ultimately responsible for cybersecurity oversight,” she said.

William Kelly, senior vice president, underwriting, Argo Pro

William Kelly, senior vice president, underwriting at Argo Pro, said that unknown cyber threats, untested policy language and developing case law would all make it more difficult for the D&O market to respond accurately to any such new claims.

“Insurers will need to account for the increased exposures presented by these new regulations and charge appropriately for such added exposure,” he said.

Going forward, said Larry Hamilton, partner at Mayer Brown, D&O underwriters also need to scrutinize a company’s compliance with the regulations.

“To the extent that this risk was not adequately taken into account in the first place in the underwriting of in-force D&O policies, there could be unanticipated additional exposure for the D&O insurers,” he said.

Michelle Lopilato, Hub International’s director of cyber and technology solutions, added that some carriers may offer more coverage, while others may pull back.

“How the markets react will evolve as we see how involved the department becomes in investigating and fining financial institutions for noncompliance and its result on the balance sheet and dividends,” she said.

Christopher Keegan, senior managing director at Beecher Carlson, said that by setting a benchmark, the new rules would make it easier for claimants to make a case that the company had been negligent.

“If stock prices drop, then this makes it easier for class action lawyers to make their cases in D&O situations,” he said. “As a result, D&O carriers may see an uptick in cases against their insureds and an easier path for plaintiffs to show that the company did not meet its duty of care.”

One area that regulators and plaintiffs might seize upon is the certification compliance requirement, according to Rob Yellen, executive vice president, D&O and fiduciary liability product leader, FINEX at Willis Towers Watson.

“A mere inaccuracy in a certification could result in criminal enforcement, in which case it would then become a boardroom issue,” he said.

A big grey area, however, said Shiraz Saeed, national practice leader for cyber risk at Starr Companies, is determining if a violation is a cyber or management liability issue in the first place.

“The complication arises when a company only has D&O coverage, but it doesn’t have a cyber policy and then they have to try and push all the claims down the D&O route, irrespective of their nature,” he said.

“Insurers, on their part, will need to account for the increased exposures presented by these new regulations and charge appropriately for such added exposure.” — William Kelly, senior vice president, underwriting, Argo Pro

Jim McCue, managing director at Aon’s financial services group, said many small and mid-size businesses may struggle to comply with the new rules in time.

“It’s going to be a steep learning curve and a lot of work in terms of preparedness and the implementation of a highly detailed cyber security program, risk assessment and response plan, all by September 2017,” he said.

The new regulation also has the potential to impact third parties including accounting, law, IT and even maintenance and repair firms who have access to a company’s information systems and personal data, said Keegan.

“That can include everyone from IT vendors to the people who maintain the building’s air conditioning,” he said.

New Models

Others have followed New York’s lead, with similar regulations being considered across federal, state and non-governmental regulators.

The National Association of Insurance Commissioners’ Cyber-security Taskforce has proposed an insurance data security model law that establishes exclusive standards for data security and investigation, and notification of a breach of data security for insurance providers.

Once enacted, each state would be free to adopt the new law. However, “our main concern is if regulators in different states start to adopt different standards from each other,” said Alex Hageli, director, personal lines policy at the Property Casualty Insurers Association of America.

“It would only serve to make compliance harder, increase the cost of burden on companies, and at the end of the day it doesn’t really help anybody.”

Richard Morris, partner at law firm Herrick, Feinstein LLP, said companies need to review their current cybersecurity program with their chief technology officer or IT provider.

“Companies should assess whether their current technology budget is adequate and consider what investments will be required in 2017 to keep up with regulatory and market expectations,” he said. “They should also review and assess the adequacy of insurance policies with respect to coverages, deductibles and other limitations.”

Adam Hamm, former NAIC chair and MD of Protiviti’s risk and compliance practice, added: “With New York’s new cyber regulation, this is a sea change from where we were a couple of years ago and it’s soon going to become the new norm for regulating cyber security.”

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at [email protected]