Even before COVID-19 created the social and economic challenges we are currently working through, brick and mortar business owners large and small understood a basic concept that most of the world wasn’t thinking much about: whenever people gather in close proximity, risk is present. The duality here, of course, is that human nature craves connection, but it also endeavors to avoid risk. Or it chooses to ignore it.

Unfortunately, many of the risks business owners face can be unseen, both for themselves and their customers, and those risks can’t be ignored. Regardless of the type of business, the moment the doors open, unique security-related policy and procedure challenges await. The best businesses implement their security-related policy and procedure measures seamlessly – they become part of the experience. This experience is created by design to ensure the health and safety of those both rendering services (staff) and those transacting payments (customers). If insurance teaches us anything, though, it’s that too often ignorance is bliss until reality hits. And if the security design is bad, the claim is worse.

As restrictions are slowly lifted and businesses around the world contemplate re-opening, every owner – from the small neighborhood grocery store with one door to the 100-floor commercial city building with 15 exits – should be using their time right now to examine what re-opening in the current normal looks like. Any measures that have been developed previously to keep customers, employees and visitors safe may need to be re-established or, at a minimum, revisited to conform with current recommendations from both scientific and governmental authorities.

It can’t be stressed enough, though: revisiting (or in some cases rethinking) security-related policy or procedure isn’t something that happens just because a huge reality event like COVID-19 creates global upheaval.  Practicing good habits requires consistency, and it’s with that in mind that our team is currently sharing a series of insights, stories and applicable tips on security that any industry can use over on the Lowers & Associates LinkedIn page.

To provide some guidance for those reevaluating their security measures or that are specifically focused on re-opening, I’ve created a list of 10 suggested actions ANY business can take to remove risk and eliminate potential for loss at any time.

1. Reassess security resource allocation based on operational need and risk.

If you have a business portfolio with multiple locations, consideration should be given to the specific business environment, nature of the threats, existence of any unusual circumstances, and the capacity of local law enforcement to respond.

2.Limit the number of entry/exit points for employees and visitors.

Tightly control ingress and egress for safety and security optimization. Examine operational feasibility before implementation.

3. Consider the reception area.

If security personnel are employed at the location, what role will they now play at the reception area to assist in the enforcement of new practices?

4. Access control measures and mechanisms dependent on fingerprint or a punch code require new safety protocols to be implemented.

This includes visitor management software and the use of tablets for registration.

5. CCTV coverage designed for cash handling or robbery identification should have expanded focal points to include more than just a face shot.

With the use of face masks becoming more frequent for the foreseeable future, at least one camera angle should include the entire body, including shoes. (criminals typically do not ditch their shoes after committing a robbery)

6. Re-evaluate security post orders.

The post orders must reflect any new duties performed and have a sound rationale for deviations. It is possible that actual security posts change based on organizational necessity. Examine any vulnerabilities that exist and how to overcome the risks.

7. Provide written notice to all employees if the security policies or procedures are being altered.

Even if these changes are temporary, this is necessary to ensure expectations are clear.

8. Initiate and document COVID-19 safety training.

Specifically, for security personnel and/or designated employees working the “front lines” of your business. This can expand to all staff as a general safety bulletin and acknowledgement.

9. Expand workplace violence policy (e.g. domestic violence prevention and response) to include all employees working from home.

Work with the Human Resources Department to provide “hotlines” or other resources available should assistance be required. In addition, identify and assess potential insider threats, as more employees and contractors are working remote.

10. Develop a brief but informative training program on basic techniques to de-escalate aggressive behavior in the workplace.

This is especially important for those business that are “customer facing” (e.g. retail/hospitality) or for businesses with a large number of on-site staff and visitors.

Active shooter incidents have become a new normal in our society. As of Sept 24, 2019, there had been an average of 1.24 mass shootings per day in 2019, killing 377 people and injuring another 1,347 victims.

“Run. Hide. Fight®” has been the mantra of training set down by the Department of Homeland Security. We are instructed to run and escape if possible; hide if escape is not possible, and fight as an absolute last resort. While this run, hide, fight mantra offers a lot of value to give people a course of action and to help them feel more confident and prepared in the event of an active shooter scenario, there is more to the equation when it comes to prevention and preparation. It’s time to face this fact.

Here, we look at three recent incidents that should serve to remind organizations that there is much more to consider.

Historic District in Dayton, Ohio

In the early hours of August 4, 2019, a 24-year old gunman with an AR-15-style assault rifle and 250 rounds of ammunition killed nine people and injured another 27 in the Oregon Historic District of Dayton, Ohio. The perpetrator was killed by police within 32 seconds of the first shots. A search of the shooter’s home uncovered evidence of his obsession with violence and that he had expressed a desire to commit a mass shooting.

The organization Childhood Preparedness, which provides resources for early childhood professionals with emergency preparedness planning, response, and recovery, formed the following takeaways from both the Dayton shooting and the El Paso shooting, which happened in the same weekend.

Lessons Learned:

Active Threat Training Saved Lives: Dayton law enforcement agencies received previous training in active shooter response, and their quick action saved countless lives.

Citizen Training Is Important: The key to citizen survival in both the Dayton event and other mass shootings was to quickly identify the sound of gunshots.

Running Is Always an Option: In this situation, running was, in fact, a good idea. Running from the gunfire to a safe location away from the shooter helped save some lives. However, some individuals froze and needed to be prompted by others to run. Individuals who chose to lay on the floor suffered multiple injuries and were trampled by others running from the area.

Stop The Bleed Training Can Help: Participants at the scene aided first responders by treating the wounded with basic first aid, CPR, and even applying tourniquets, such as belts, to the wounded. Tourniquet use is a crucial element of Stop The Bleed Training, which teaches bystanders how to stop severe bleeding before professional medical help arrives on the scene.

Townville Elementary School

On September 28, 2016, in a small town 40 miles outside of Greenville, South Carolina, a fourteen-year-old opened fire at Townville Elementary School playground, shooting three students and a teacher. One of the students, a six-year-old boy, later died, as did the shooter’s father, who had been killed earlier in the day by his son. The suspect was apprehended by a volunteer firefighter after his gun jammed on the playground, just 12 seconds after he first pulled the trigger.

Dr. Joanne Avery, Superintendent of the district, candidly shared her experiences in dealing with the immediate response to the shooting and its aftermath, in a School Safety Webinar sponsored by Raptor entitled, Lessons Learned and Changes We Made After an Active Shooting.

Lessons Learned:

Quick Response is Crucial:  The majority of active shooter events, 69%, end in five minutes or less and 67% are over before the first police arrive. “Speedily moving towards engagement with the shooter should be the primary guideline when teaching active shooter response tactics,” according to the FBI’s report, A Study of Active Shooter Incidents in the US Between 2000 and 2013.

Shooters Do Their Research:  Active shooters study and learn from past events in order to inflict the largest amount of damage. “They want their events to be deadlier” and that “they’re on the clock…so they try to get as much damage done as quickly as they can.”

Rural Areas Are Not Immune:  The majority of school shootings have occurred in semi-rural and rural areas, which means it can take between 12 and 15 minutes for first responders to arrive.  Dr. Avery says this is one of the reasons her school was chosen by the shooter.

Create a Drill Calendar:  Have regular active shooter response training with employees and (in the case of schools) students. Create different types of scenarios (e.g., lockdowns, times of day, types of weapons used, outside vs inside).

Know How to Lock Down: You need to be able to have things in place to inform people within the building about the shooter’s whereabouts and a clear evacuation plan. In some situations, training on how to confront the shooter may be warranted.

Dr. Avery stresses that “the first action that anybody should make if they see an active shooter on campus is…to shout ‘lockdown’, call the front office, and then call 911.”

Las Vegas Country Music Festival

On October 1, 2017, between 10:05 and 10:15 p.m., a shooter opened fire from his suite on the 32nd floor of the Mandalay Bay Hotel on a crowd of 22,000 concertgoers at an outdoor music festival. Firing more than 1,100 rounds of ammunition, he killed 58 people and wounded 422; a total of 851 people were injured during the panic that ensued. The shooter, a 64-year-old man, was found dead in his room from a self-inflicted gunshot wound. His motive remains officially undetermined.

In July 2019, the Las Vegas Metropolitan Police Department released a comprehensive After Action Review report about the event, which included a set of 93 recommendations to prepare for the future.

Lessons Learned:

Plan Ahead with Partners: Work with local government and community organizations, including neighboring police, fire, hospital, and coroner officials, to be better prepared and have a more coordinated response.

Become Less of a Target: Responding officers should remove reflective vests so that they are less of a target to shooters.

Have Trauma Kits On-Hand: For large scale events, have more trauma kits on hand available to paramedics and other responders.

Secure High-Rise Buildings: Secure high-rise buildings that oversee open-air crowds and train more officers to stop a shooter in an elevated position.

If we’ve learned one thing from these devastating incidents, it’s that preparation is key. Whether it’s understanding the sounds of gunfire, having trauma kits on hand, or even being prepared to attack and take down a gunman, these actions save lives. Acting quickly and decisively means all the difference.

Every active shooter scenario will be different, but the point is that organizations must have some level of preparedness for each phase of a shooting event – before, during, and after. Those strategies should include:

• reducing the likelihood of a workplace shooting through comprehensive risk mitigation (e.g., threat assessments, training, physical security);
• having response plans in place in the event of an active shooter scenario (e.g., evacuation routes, communication with law enforcement); and
• managing the aftermath of an event (e.g., employee support, public communications).

Once in place, plans must be continually updated, drills practiced, and changes communicated regularly.

Keeping your employees, customers and other stakeholders safe and your business protected is a 24/7/365 endeavor. To learn more, download our latest whitepaper, “Coming to Grips with the Known-Known of Active Shooter Incidents.”

A perfect storm of human errors — six of them to be exact — caused the biggest nuclear accident to date, the Chernobyl disaster in 1986. An IT mistake prompted 425 million Microsoft Azure users to experience 10.5 hours of downtime. Lack of communication between maintenance crews caused what would have been a simple fix to, instead, lead to the crash of a 1.4 billion dollar stealth bomber.

While there are many sources of enterprise risk, probably the most dynamic and difficult to contend with are those driven by or otherwise impacted by human capital — that is, people. The fact is, most risks start and end with people. The decisions people make, how they perceive situations, how closely they follow policies and procedures… these and other human-driven factors can significantly influence how risks are identified, managed, and addressed.

In our work in the realm of human capital risk, we see many areas where people have the potential to positively or negatively impact the organization from a risk management standpoint. Unfortunately, when people fail, they sometimes fail in big ways. Here are some of the places where human capital risk can rear its head, causing damage to people, brands, and profits:

1. Cybersecurity

Staying secure goes beyond technology (think servers, network, firewalls, etc.); it requires the aid of humans to maintain that secure digital environment. And while most employees get some degree of IT security awareness training in the course of their jobs, mistakes still happen.

IBM estimates the average number of records lost to data breaches annually to be 25,575, and the average cost per breach of USD $3.92 million. Social engineering, malware, and phishing attempts continue to pay dividends for the fraudsters who deploy them. We all know we’re not supposed to click on that link or divulge sensitive information over the phone, but still, people do it. Lapses in judgment, failure to follow a process, having a sense of overconfidence or the feeling that it won’t happen to them, whatever the reason, humans have the ability to sidestep even the strongest cybersecurity protocols.

2. Occupational Fraud

Risk doesn’t always stem from human error; sometimes it’s the result of deliberate actions by employees. Common types of occupational fraud include asset misappropriation, corruption, and financial statement fraud. In 2017, these types of fraudulent activities resulted in $7 billion in losses, according to ACFE’s 2018 Report to the Nations.

When the workplace lacks internal controls, fails to have separation of duties, or neglects to invest in data monitoring and technologies that could flag anomalies, unscrupulous employees see their opening.  Bookkeepers set up fictitious employees in payroll systems in order to cut checks, executives find ways to alter records and financial statements, and line workers take home company property for personal use. These incidents have a median per-loss cost of $114,000, as noted in the ACFE Report.

3. Physical Security

Check with most workplaces and you’ll find they have certain security protocols in place or at least policies that address physical security. Visitors may be asked to check-in at a front desk, employees might be required to wear ID badges, and doors might be required to be locked at all times.

Unfortunately, over time, employees become complacent and policies become outdated. People forget, or simply choose to ignore, the basics they’ve been taught. They leave doors propped open, inviting strangers to come in the building. They neglect to report a broken lock or missing lightbulb. They forget to keep up their annual emergency exit drill schedule. Or, they fail to log off a computer just as someone else decides it’s okay to let a guest circumvent the front desk sign-in because they “know this person.”

These small, but meaningful, errors in judgment often mean the difference between a workplace that remains physically secure and one that opens itself to the risks of theft, data breaches, or even active shooter situations.

4. Workplace Violence

Workplace assaults resulted in 18,400 injuries and illnesses and 458 fatalities in 2017. Assaults range in severity from threats and verbal assault to stabbings, rape, and intentional shootings. In fact, mass shootings at workplaces, schools, and public venues have become the new norm with an average of at least one happening per day in the United States.

We can’t always know which employees are at high risk for engaging in workplace violence, but experts have begun to identify the behaviors that often precede events like these. They include the inability to focus, crying, social isolation, threatening behavior, concerning posts on social media, or complaints of unfair personal treatment. A sudden change in behavioral patterns, or in the frequency or intensity of these behaviors, is also a red flag.

5. Negligent Hiring and Retention

Exercising due diligence in hiring is the best line of defense against negligent hiring and retention lawsuits. Background checks, of course, are the first course of action in rooting out applicants who might disproportionately introduce risk into the workplace. Gathering criminal background records, doing drug testing (as appropriate), and verifying references and credentials are all critical to mitigating your hiring risks.

Beyond background checks, organizations need to have effective fraud detection methods in place. This is particularly relevant considering 96 percent of fraud perpetrators had no prior fraud conviction, and fraudsters who were employed for more than five years stole twice as much, $200,000 vs $100,000 for newer employees! They need to understand the elements of human risk that can be an early indicator of fraudulent activity, including employees who live beyond their means, are experiencing financial difficulties, or have an unwillingness to share job duties.

Manage Your People, Manage Your Risk

Humans are, well, human. They introduce a spectrum of risk into any workplace, from purposeful criminal behavior on one side to unintentional, garden-variety mistakes on the other.

Managing those risks is an ongoing challenge, particularly when it’s difficult to pinpoint the precise human factors that contribute to failures. If you’d like help identifying those areas in your organization that are most susceptible to the human element of risk – whether it’s your cybersecurity program or your hiring processes — request a meeting with a risk management professional.

People are often referred to as the greatest asset of an organization. While this may be true for your organization, the greater truth is, people also represent an organization’s greatest risks. The actions, inactions, and mere presence or influence of people, present a potential for loss across the spectrum of business activities.

Perhaps no source of risk is more perplexing, hurtful, and damaging than those caused by intentional harmful acts. Consider just a handful of startling facts:

1. 30% of business failures are due to employee theft.

Employee theft costs businesses an estimated $50 billion a year and is rising at a rate of 15 percent per year, according to the U.S. Department of Commerce. The Commerce Department and the American Management Association say that 30 percent of new business failures are due to employee theft and it is believed that 75% of employees steal from their employers at least once. (source)

2. Organizations lose 5% of revenue to ‘fraud from within.’

According to the Association of Certified Fraud Examiners (ACFE), occupational fraud is fraud committed against the organization by its own officers, directors, or employees–an attack against the organization from within, by the very people who were entrusted to protect its assets and resources. In its 2018 Report to the Nations, the ACFE projects that organizations lose 5% of their annual revenue to fraud. Of these cases of fraud, corruption represents one of the most significant fraud risks for organizations, with 70% of such cases perpetrated by someone in a position of authority (managers and owner/executives).

3. Workplace violence is the fastest-growing category of murder in the U.S.

According to OSHA, every year, 2 million American workers report having been victims of workplace violence. The Center for Applied Learning reports that workplace violence incidents have tripled in the last decade and is now the fastest-growing category of murder in the United States. And according to the Bureau of Labor Statistics (2016), fatal work injuries involving violence and other injuries by persons or animals increased by 163 cases to 866 in 2016; workplace homicides increased by 83 cases to 500 in 2016; and workplace suicides increased by 62 to 291. This is the highest homicide figure since 2010 and the most suicides since data collection began in 1992.

4. One in five American adults have experienced sexual harassment at work.

A CNBC survey found one-fifth of American adults have experienced sexual harassment at work. By age group, 16 percent of those ages 18 to 34 said they have been victims, while 25 percent of 50- to 64-year-olds say they have been. What’s more, according to a 2003 EEOC study, 75 percent of employees who spoke out against workplace mistreatment faced some form of retaliation.

5. 80% of active shooter incidents occur in the workplace.

The Center for Applied Learning reports active shooter incidents tripled in the last eight years, with an event occurring in the U.S. once every three weeks; furthermore, workers are now 18 times more likely to encounter workplace violence and an active shooter situation than a fire. According to FBI statistics, of 160 active shooter incidents in the United States between 2000 and 2013, over 80 percent (132) occurred at work.

Where there are people, there are risks. The actions taken by employees and even subcontractors representing your organization have a direct impact on the productivity, safety, and success of your organization. When those actions turn bad, either through negligence or intentional acts, the damage to people, brands, and profits can be significant. What are you doing to identify, prepare for, and mitigate your human capital risks?

Sadly, the number of active assailant incidents continues to increase, with 40 incidents in 26 states over the past two years. It is more important than ever to consider the risk for your organization, institution or business.

OSHA requires companies to maintain a workplace safe from violence under the General Duty clause. One way to prevent or mitigate a potential loss is to be prepared.

With a thorough understanding, some preventative measures, and some rehearsing, your organization can apply this best practice of preparedness to be better able to effectively predict, prevent, and respond to an active shooter situation on your premises.

Knowledge is power. This is not something to avoid out of fear. With our latest SlideShare presentation you can learn more about the incidents and the perpetrators as well as the steps to being as prepared as possible.

Let us promote safety together. Take action today by reviewing the presentation here:

… Continue reading