A risk assessment will help you decide on the threats you might be facing and their likelihood. You should identify your vulnerabilities and the potential impact of exploitation.
Identify the threats
Ask yourself the following questions:
• what is the current security climate like?
• is there anything about my organisation, building or staff that might attract terrorist attack?
• are we associated with high-profile individuals or organisations that might be terrorist targets?
• could we suffer collateral damage from an attack on a high-risk neighbour?
• do we have anything terrorists might want to further their aims, e.g. materials, plans, technical expertise or access to other premises that might be targets?
Decide what needs protecting and identify vulnerabilities
Priorities for protection should fall under the following categories:
• people (staff, visitors, contractors, customers)
• physical assets (buildings, contents, equipment, plans and sensitive materials)
• information (electronic and paper data)
• processes (supply chains, critical procedures) – the actual operational process and essential services required to support it.
You know what is important to you and your business. You probably already have plans in place for dealing with fire and crime, procedures for assessing the integrity of those you employ, protection from IT viruses and hackers, and measures to secure parts of the premises. Review your plans on a regular basis and if you think you are at greater risk of terrorist attack – perhaps because of the nature of your business or the location of your premises – then consider what others could find out about your vulnerabilities, such as:
• information about you that is publicly available, e.g. on the internet or in public documents
• anything that identifies installations or services vital to the continuation of the business
• any prestige targets that may be attractive to terrorists, regardless of whether their loss would result in business collapse.
Consider whether there is an aspect of your business or activities that terrorists might want to exploit to aid their work. If there is, how stringent are your checks on the people you recruit or on your contract personnel? Is your staff security conscious?
Identify measures to reduce risk
An integrated approach to security is essential. This involves thinking about physical security, information security and personnel security (i.e. good recruitment and employment practices).
There is little point investing in costly physical security measures if they can be easily undermined by a disaffected member of staff or by a lax recruitment process.
Many of the security precautions typically used to deter criminals are also effective against terrorists. So before you invest in additional security measures, review what you already have in place.
If you need to introduce additional security measures, then make them more cost-effective by careful planning wherever possible. Introduce new equipment or procedures in conjunction with building work. In multi-occupancy buildings, shopping centres, high streets or business parks, try to agree communal security arrangements. Even if your neighbours are not concerned about terrorist attacks, they will be concerned about general crime and your security measures will help protect against crime as well as terrorism.
Review your security measures and drills
You should conduct regular reviews and rehearsals of your security plans. This will help to ensure that they remain workable and up to date. You should be aware of the need to modify them to take account of any changes in your business. For instance, new building work, changes to personnel or revised health and safety procedures could have an impact on your plans.
Make sure that your staff understand and accept the need for security measures. Security should be seen as a common responsibility and not just something for security professionals. Make it easy for staff to raise concerns or report observations.