The Limits of Response Preparedness

If your people are running, hiding, or fighting, the prevention window has already closed.

Walk through most enterprise security programs and you will find the same investments. Badge systems. Run-Hide-Fight posters in the break room. Annual drills. Tested mass-notification systems. Trauma kits staged at the exits. None of these are wrong.

But every one of them activates after the line has already been crossed. By the time they trigger, the attacker has already chosen the time, place, and method. The organization is executing a response. It is not preventing an event.

Response capability is necessary; it is not sufficient. Most organizations have built the necessary half and called the work finished.

The investment is real. The intent is real. Security magazine’s annual benchmark reporting has consistently ranked workplace violence as the top concern among surveyed security leaders since 2021. The gap is not awareness of the threat. The gap is where resources land in the timeline, and how soon they activate.

The Four Failures

When workplace violence prevention fails, it almost never fails because the warning signs were absent. It fails because of four structural breakdowns. Each one is a leadership problem dressed as a security problem.

Recognition failure

Employees do not know what is reportable. Behavioral changes get filed under bad week, difficult personality, or stress at home. Without training in what a baseline looks like and what meaningful deviation from that baseline means, the first filter in the system is closed. People see things they have no frame for, and they do nothing.

Reporting failure

Recognition without reporting is useless. Even when employees register an anomaly, they often stay silent. When concerning behavior was observed, the FBI found that bystanders did nothing 54 percent of the time. Behavior was reported to law enforcement in only 41 percent of cases. The barriers are consistent: fear of overreacting, fear of damaging a coworker, loyalty, the assumption that someone else will handle it. Zero tolerance applied to actual violence is non-negotiable. Zero tolerance applied to concerning behavior is where the system breaks. When employees believe a report about something unsettling will trigger automatic termination instead of proportionate intervention, they stay silent to protect the person they are worried about. The hard line becomes a reason for silence.

Connection failure

Warning signs are rarely absent. They are missed, minimized, isolated, or never routed to the right people. A supervisor documents a grievance-driven outburst. HR logs a performance concern. Security flags an after-hours access attempt. A peer hears something that does not sit right and says nothing. Each one is a fragment of the same picture. Without a mechanism to surface and fuse them, every fragment stays below every individual’s threshold for escalation. The failure is not access. It is architecture.

Leadership failure

Leadership failure occurs when prevention exists as policy but not as practice: written programs without operational cadence, training without reinforcement, and threat assessment teams that exist on an org chart but rarely convene. Reporting culture follows leadership behavior. When leaders do not visibly own prevention, employees learn that silence is safer than escalation.

Targeted Violence Is Rarely Sudden

These failures matter because the underlying premise of most response-first programs is wrong. Targeted attackers rarely snap. Most follow a pathway, and the pathway is observable.

The pathway is long. FBI research on active shooters found that 77 percent spent a week or longer planning their attack, and 46 percent spent a week or longer in active preparation, acquiring weapons, conducting surveillance, and rehearsing. The intervention window is rarely narrow. Most often, it is months wide.

The pathway is visible. The average active shooter displayed roughly four to five concerning behaviors observable to the people around them. The information was not hidden. The failure happens downstream of the signal, unconnected, unreported, or unrecognized.

The pathway is communicated. Fifty-one percent of active shooters in the FBI sample leaked their intent to commit violence to a third party before the attack. Among attackers age 17 and younger, that number rises to 88 percent. Leakage is not a rare anomaly. The signal was sent. The architecture to receive it was missing.

Even in the rare cases where planning compressed to under 24 hours, the research still identified at least one concerning behavior preceding the act, and most of those cases also had an identifiable grievance. “Out of nowhere” does not appear in the documented case record.

Every day between a first observable warning and a violent act is a day of potential intervention. The point of recognition is not prediction. It is creating time. Time creates options. Options prevent escalation.

Baseline and Anomaly: A Language for Leaders

Recognition is a skill. It can be taught. And it does not belong to the security department alone.

The people best positioned to notice deviation are the people who define the norm: supervisors, peers, and HR. Recognition cannot live in the security silo. It is a core leadership expectation.

The legal and ethical line matters. A leader trained to treat “hygiene” or “mood” as standalone escalation triggers has been given a legally fragile framework. A leader trained to recognize observable behaviors that deviate from the established workplace norm, and to route those observations through a defined process, has been handed a defensible risk management practice. The frame is the deviation, not the diagnosis.

Trained observers learn to track behavioral shifts away from the workplace norm, grievance fixation expressed at work, communication anomalies, and escalation patterns over time. But the categories matter less than the contextual judgment that integrates them. No single observation predicts violence. The work is reading observations in combination, and the difference between a flag and a pattern is almost always context.

Consider two employees who, on a checklist, would generate the same documentation. The first is withdrawn at work, has missed several meetings, and snapped at a coworker last week, and is six weeks into a difficult divorce his team knows about. That is not a threat profile. That is a human being having a hard year, and the leadership response is human, not procedural.

The second is also withdrawn. He has also missed meetings. He has, over the past two months, expressed escalating grievances toward a specific supervisor by name. Security flagged him for an after-hours access attempt that he had no business reason to make. A coworker mentioned, in passing, that something he said in the parking lot left her unsettled but she could not say exactly why. No single one of those observations clears the bar. Together they describe a pattern that warrants a structured assessment, today, not next month.

The work of a leader is not to memorize warning signs. It is to know the workplace norm well enough to register the deviation, and to know the architecture well enough to escalate it. That is pattern recognition, not checklist profiling. There is no demographic profile, and the research is consistent that mental illness is not the explanatory variable. Only 25 percent of active shooters in the FBI sample had a diagnosed mental illness prior to the offense. The frame is deviation from norm, not categorical labeling of “troubled” individuals.

Five Questions Every Security Leader Should Ask About Their Prevention Program

1. Do we have a standing, cross-functional threat assessment team with a regular meeting cadence, or do we convene only after an incident?
2. Do our supervisors know specifically what behaviors warrant escalation, and do they know what happens after they escalate?
3. When an employee reports a concern, do they receive any acknowledgment or follow-up, or does the report disappear into a process they never hear from again?
4. Has our organization defined what “reportable” means in concrete behavioral terms, or do we rely on individual judgment with no shared framework?
5. When we audit our prevention investment, how much goes to recognition and early intervention versus response and recovery?

Prevention Is a Leadership Mandate

“See something, say something” is reactive. It places the burden entirely on the individual. “Know your people” is proactive. It positions recognition as something leaders own, embedded in how the organization operates every day, and it sits squarely inside the duty of care every employer owes the people it employs.

That phrase needs guarding. “Know your people” does not mean intrusive management or ambient suspicion. It means supervisors understand their teams well enough to notice meaningful change. It means leaders build reporting systems that are clear, safe, and trusted. It means HR, security, legal, and operations are not waiting for a crisis before they speak to each other.

Five actions follow. The infrastructure scales. A Fortune 500 may stand up a formal multidisciplinary team with a charter and a dedicated coordinator. A 200-person company may run the same function with three people meeting monthly. The mechanism matters more than the headcount.

Build the cross-functional infrastructure

Stand up a multidisciplinary team of security, HR, legal, and behavioral health or EAP, with a mandate, a meeting cadence, and a documented review process. At minimum, that team needs an intake process, case documentation standards, defined escalation thresholds, and the authority to recommend intervention options before termination or law enforcement referral becomes the only available path. Without documented case management, concerning behavior becomes conversation instead of continuity.

Equip supervisors for threshold judgment

Supervisors have the most daily contact with the people most likely to generate early signals. They need to know what behaviors warrant escalation, what the escalation process is, and what happens after they use it. This is not a one-hour annual click-through. It belongs in scenario-based discussions during routine management training, alongside performance management and communication.

Reframe reporting as risk recognition, not accusation

Employees who do not report are not indifferent. They are operating in a culture that has not given them clear thresholds, safe channels, or confidence that a report will be handled in proportion to what it is. Changing that requires concrete leadership behavior: a quarterly all-hands message that walks through anonymized examples of reports handled well, a standing prompt in supervisor one-on-ones, visible reinforcement when an employee does raise a concern. A policy memo will not do it.

Close the feedback loop, within legal limits

When employees report a concern and hear nothing back, they stop reporting. Closing the loop does not mean disclosing outcomes; privacy, defamation exposure, and HR confidentiality obligations all preclude that. It means three things the law permits: confirming the report was received, confirming it was reviewed by the appropriate function, and explaining the general process without identifying individuals or outcomes. “Thank you for raising this. The threat assessment team has reviewed it and the matter has been routed appropriately.” That is a closed loop. Silence is not.

Use early intervention, not zero-tolerance expulsion

Rigid terminations, while they look decisive, frequently backfire. Removing someone without support strips the coping structures and can become the triggering event itself. Early, proportionate intervention preserves options. The triage is straightforward: a supervisory conversation when the issue is performance or interpersonal friction without a target; an EAP referral when the underlying driver is personal crisis or behavioral health; a formal threat assessment review when grievance fixation, leakage, or pattern behavior is present. Expulsion eliminates options. Intervention preserves them.

The pre-attack pathway is observable. Leakage is common. The timeline is long. The signals are visible to the people in daily proximity. The gap is not in the data. It is in the discipline to surface it, the culture to report it, and the architecture to connect it before response is the only remaining option.

The signals are almost always there. The question is whether anyone built the system to see them.