An easy mistake organizations can make is not preparing for difficult-to-imagine risks, such as terrorist threats. Such events, though a lower probability for many organizations compared with other risks, could present more catastrophic, irreversible outcomes.

“Just because an incident is unlikely, it doesn’t mean that it will not materialize. If it has a severe enough impact, however improbable, businesses should still consider the level of mitigation they want — and not simply hope it won’t happen,” says Nick Doyle, Managing Director, Head of EMEA, Security Risk Management at Kroll. “This often happens when organizations rationalize likelihood, which can lead to poor assumptions being made. Poor assumptions, in turn, lead to inadequate plans, which lead to vulnerabilities in a company’s risk exposure."

Unlikely events are often dismissed using basic or ill-informed risk processes that may result in confirmation bias, according to Doyle. “This is where you essentially convince yourself that something unlikely to happen is never going to happen. This is a dangerous assumption,” he says. “Few people thought Russia would invade Ukraine, and few people thought airliners would be flown into office buildings or that there would be a global pandemic that would radically change international economics and the way we conduct our lives and conduct business. Put simply, businesses need to readdress how they manage their physical risks to avoid the next improbable event halting operations.”

 Proactive mitigation must consider both the types and motivation of potential threats, along with strategies — such as processes, procedures and technologies — to identify warning signs.

Enterprises generally look at three sides when assessing and managing security risk exposure, Doyle says, and for terrorist threats, this is no different. These are:

• The security and safety of their employees, visitors and others associated with their operations;
• The continuity or ability to continue their business activities without interference;
• The protection of their assets, which may be physical items or intellectual property, including the knowledge and experience of their employees.

Proactively planning for physical threats such as terrorism is especially important for facilities in certain countries, in urban areas or within specific risk profiles. One practical, yet critical, consideration for proactive terrorism mitigation or other disastrous event mitigation is hardening the perimeter around locations and controlling access at the earliest point of entry, Doyle says.

Another important consideration for proactive threat mitigation is evaluating the existing programs and procedures the company has in place for identifying potential threat actors. By evaluating existing plans and procedures, security leaders can determine if the organization is already proactively identifying persons internally and externally that may directly or indirectly negatively impact operations. Existing plans or procedures can be perfected or new plans can be put in place.

Identifying the “how” or, in other words, the technologies, people and processes in place that will work to identify the signs of potentially suspicious activity will help organizations establish a clear roadmap of mitigation and response. For insider threats or terrorist threats, processes may include evaluating patterns of behavior, such as attempts to gain unauthorized access to systems or areas.

“These then need to be carefully monitored, and if necessary, acted upon,” Doyle says.

For a truly holistic approach to risk mitigation, organizations must look beyond the physical location of a facility and consider “the environment in which businesses are situated, the environment in which visitors and employees work, but also the environments through which they pass and, to some extent, the environments in which they live,” Doyle says.

Intimately understanding those overlapping environments, as well as understanding the individual organization’s level of risk tolerance of unwanted impacts, will help security leaders arrange operations, locations and activities in a way that minimizes exposure to threats — even the unlikely — while simultaneously mitigating potential incidents. 

For more articles on risk mitigation, terrorism mitigation and proactive risk strategies, visit:

• Risk mitigation for domestic terrorism and radicalization
• It starts with you: How to mitigate risks from the C-suite
• Emergency preparedness and natural disaster planning