The high school shooting in Oxford, Michigan that claimed the life of four students in November 2021 brought with it a sobering truth: active shooters and other violent events are at the forefront of security leaders’ minds.

The more often mass casualty incidents hit the news, the more conversation they generate about safety. Such discussions often lead to action, as businesses of all sizes reexamine their security protocols or look to hire trusted private security professionals to help them prepare for crises, protect their people from harm and prevent these kinds of events from happening inside their factories, hospitals, stores or other workplace facilities.

While unfortunate and tragic, such events are an occasion for organizations to assess how they can improve the ways they protect lives and property. There are lessons to be learned by senior leadership as they compare their security and crisis planning to the events in the news and adjust accordingly. These situations also give outside security firms a chance to demonstrate their expertise and value.

In addition to loss of life, mass casualty incidents can also expose employers to costly and dangerous litigation. Security officers can’t always stop a shooter before they inflict damage. This means employers with in-house security teams or outside security firms may be held liable under certain circumstances. While a secondary concern, significant reputational damage is also at stake for the organization that operates the site where such events occur.

Let’s take a look at six steps security leaders and enterprise stakeholders can take before, during and after a crisis to better protect themselves, manage risk more effectively, and reduce liability.

1. Weigh the Consequences

Even under the best circumstances, the security industry is prone to significant staff turnover. Given current labor market shortages, this reality has been exacerbated. Organizations need to weigh the pros and cons of recruiting and retaining an in-house security workforce. In-house security increases insurance rates and risks, adds labor and training costs, and increases the company’s licensing, regulatory and background screening burdens — especially for businesses operating in more than one state or region.

2. Perform In-Depth Training and Risk Assessments

All security officers must receive proper training in active shooter and other crisis events. Security staff must know the post orders and any other written response, emergency management and crisis policies and procedures, as well as be ready to act. When security officers don’t follow a policy or procedure, it can open the company to liability and create risks to the people and property they are tasked with protecting.

In addition to training, organizations should perform regular reviews and audits when it comes to their risk assessment and emergency management plans to assess the effectiveness of all training and procedures. Tabletop drills are another effective tool.

It is important to perform a thorough, annual risk analysis of all company locations and properties. Any security flaws or significant risks found should be documented and flagged for discussion with security directors and appropriate stakeholders so they can be addressed proactively and in a timely fashion.

3. Follow Orders as Written

True moments of crisis are where training pays the biggest dividends. Security officers should know the crisis protocols of the organization and be well-trained to follow them step by step in the moment. While “run, hide and fight” is the standard protocol for individual survival during an active shooter situation, all security officers must consider and follow their post orders during a crisis.

Following written protocols won’t prevent all injuries or casualties. No emergency plan can. However, doing so can help mitigate both human and financial loss in a crisis. It will also help reduce liability in such situations.

4. Know Your Organization’s Risk Tolerance

Security leaders need to hone in on their organization’s unique risk tolerance with internal and external stakeholders, such as insurers. Historically, companies operating venues such as sports arenas, concert halls, shopping malls and fast-food restaurants carry a high-risk label, according to insurers.

But in the last 10 to 15 years, as crises like the Oxford school shooting and the January 2022 hostage situation at a Texas synagogue have increased, the high-risk label has expanded to include schools, places of worship and anywhere large groups of people gather.

Places with higher incidents of crime, such as those with a history of assaults or 24/7 drive-throughs and convenience stores, may also fall under the definition of high-risk.

Low-risk facilities typically include office buildings, high-end apartment complexes, industrial facilities, or any place unlikely to be a target for violence or hosted gatherings. Government buildings are considered low risk by most insurers because security officers within those buildings must undergo extensive screening and training.

Knowing your organization’s risk assessment and tolerance will aid safety and security leaders in crafting appropriate mitigation strategies and response plans.

5. Carry the Proper Insurance Coverage

Nearly every employer carries general liability coverage. However, there are nuances in coverages that stakeholders and security leaders must understand to protect the organization from unnecessary risk. A typical general liability policy limits bodily injury to “reasonable force,” which may be adequate for many organizations, but if security guards are employed, broader coverage may be needed.

Many insurers of the security industry expand this coverage to “physical force,” which is more encompassing and leaves less uncertainty in the event of an alleged assault involving security or other staff. This is especially true when using armed security, as courts rarely view the use of a firearm as “reasonable force.”

It’s an important consideration for security leaders to advise their organization’s insurer whether security staff is armed or unarmed, and, ultimately, the organization may decide to cancel or exclude such programs or teams from coverage.

6. File Claims as Soon as Possible

Insurers typically require insureds to file any claims promptly after a crisis or other incident — even in the event of a mass casualty or active shooter incident. The sooner the insurer receives all claims, the earlier and better they can react in the days and months that follow while preserving information about the incident while it is still timely.

In turbulent times, organizations and security leaders can rely on their security teams to keep employees safe and prevent tragedy. By following these principles and creating a solid risk management strategy, organizations can ensure security teams focus on what matters most: protecting lives.