Share |

Risk management: tackling terrorism

It was every business owner's nightmare. A truck bomb with more than 800 pounds of explosives ripped through the Marriott Hotel in Pakistan's capital city, Islamabad, on 20 September 2008, killing more than 50 people, wounding hundreds more and leaving a crater 25 feet deep.

Bill Marriott (pictured), the second-generation patriarch of the family controlling the world's largest hotel group, expressed grief for the tragedy while vowing to keep Marriott's commitment to a global presence. "Our Marriott family is strong and it is clear to me that we have all come together to help our brothers and sisters in Pakistan in their time of need, and will continue to do so in the years ahead," he wrote in his blog three days after the attack.

It was not Marriott's first encounter with terrorism. A Marriott Hotel was part of the World Trade Center complex and was destroyed when the twin towers collapsed in the attack of 11 September 2001, though most of the hotel guests were safely evacuated. That same hotel had been damaged in the 1993 truck bomb attack on the World Trade Center. In 2003, a car bomb attack on a Marriott Hotel in Jakarta, Indonesia, killed 12 and injured 150.

"If you are American or Western, and if you are iconic, you are a potential target of Islamic fundamentalist terrorism," says David Cid, a former FBI agent and terrorism consultant who is now deputy director of the Memorial Institute for the Prevention of Terrorism in Oklahoma City.

The election of Barack Obama as US president may herald a new level of risk, experts warned, because Islamic terrorists historically have tested new presidents. The attacks in 1993 and 2001 came in the first year of President Bill Clinton's and President George W Bush's first term. This time, some fear, the attack may come not in the US itself, but against a close ally, such as the UK or Israel.

The high name recognition that often goes with a family-owned enterprise can actually make it more vulnerable. "You have a substantially higher risk," says Kevin Coleman, former chief strategist for Netscape turned cyber-terrorist consultant.

Coleman cites the example of the 1974 kidnapping of newspaper heiress Patti Hearst by the Symbionese Liberation Army, an urban guerrilla group whose chief claim to fame is that abduction and the subsequent appearance of Hearst as an active member of the group.

"Recognition is one of the underlying motivations of these groups," he says. "Name recognition gets them interested." Coleman says Paris Hilton, scion of the hotel family, for example, should be more worried about this threat than any of her problems reported in the tabloids. Name recognition is reinforced by the family connection itself, he warns.

Most companies have fairly well developed programmes for physical security, experts say, from deadbolts and video surveillance to offsetting driveways from direct alignment and crash barriers where appropriate. "Most security departments have a lock on that," says Cid.

But Coleman cautions that video surveillance could backfire. "Video monitoring doesn't dissuade people," he says. In fact, this expert says, terrorists actually want to be caught on video.

MIPT's Cid urges companies to train security personnel and other employees to look carefully for suspicious behaviour or appearances, which can be more effective in "target displacement" � encouraging would-be attackers to seek an easier target. "If they see people examining them carefully, they're going to turn around and look elsewhere," he says.

But this type of precaution works best when combined with what Cid considers the most essential weapon in guarding against terrorism � intelligence. "You want to have a close working relationship with the local security forces," he says, "to develop intelligence about possible threats."

In a foreign country, establishing a top-level relationship with government security forces and local police should be part of the initial set up, perhaps at the CEO-government minister level. Company security personnel should meet regularly with these government forces and get periodic briefings from them. "Sometimes it means just calling them up and asking them what's going on," Cid explains.

In this manner, a company may get some notice of whether there is an active threat. A truck bomb like the one in Islamabad, for instance, requires procurement of the explosives, the truck, reinforcement work on the truck and other activities that may come up on the intelligence radar of local security forces.

Even for domestic locations, this kind of relationship with local law enforcement can be a valuable source of intelligence. Cid says when consulting for a company in the US he would visit all the state, federal and local law enforcement offices in a 100-mile radius. "They'll either say, 'I have nothing to tell you,' or, 'There is something, but I can't tell you,'" he says, "or they'll say, 'There's this thing you should know about'."

The other key then is to have a plan on what to do with actionable intelligence. What specific measures should a company take to strengthen security when the threat level is believed to be higher. In a hotel, for instance, vehicle checks might take place at a distance from the entrance or access to floors might be limited.

Early reports about November's terrorist attacks in Mumbai, for instance, suggested that Indian authorities had advance warning of the threat, including specific hotel targets, but that hotel owners were reluctant to keep special security measures in place. The two hotels involved, the Taj Mahal and the Oberoi, are owned by the Tata and Oberoi families respectively and cater to Western tourists.

Tata group chairman Ratan Tata acknowledged in an interview with CNN that the special security measures undertaken due to the warning were eased shortly before the attacks, but he added that they would not have prevented gunmen from entering the hotel since the measures were focused on the front entrances, not the back.

The type of reaction plan a company devises depends on the types of threats and threat level the facility is exposed to, and that in turn depends on the location. "If the main threat is theft and vandalism, that's one thing," Cid says. "If it's radical Islamic fundamentalists, that's another."

And Islamic fundamentalism is by far the number one concern regarding terrorism, Cid says. "It's so far up the scale, that it obliterates everything else," as far as potential threats are concerned.

Consultant Coleman says that while Al-Qaeda is the top threat, Hezbollah, the Lebanon-based Islamic group, poses a terrorist threat that is only slightly less serious.

Large companies will want to use more advanced techniques to counter terrrorism, such as threat assessment and scenario planning.

Threat assessment, with the aid of a counter-terrorism consultant, helps identify possible risks, some of which may not be evident. "If you're not looking for specific threats, you won't see them," says Cid.

He cites the example of an assessment he did for a large electrical cooperative in the US. He found that one of the cooperative's clients was a logging company that had been attacked seven times by the Earth Liberation Front, a group that practices economic sabotage to protect the environment.

The threat to the electrical cooperative was the facilities that provided electricity to that company. The assessment must include not only company operations, but look at suppliers and customers as well, he says.

Such scrutiny, Cid concedes, takes time and is difficult to do well. "It's not really a science, not really an art – it's just making judgments," he says.

Scenario planning, which is part of business continuity planning, needs to go beyond the standard threats like power or computer outages, natural disasters, labour unrest or network failures, says Coleman, to include possible terrorist actions like car bombs, suicide bombers, and even bio-terrorism.

"Scenario planning is not about predicting the future, it's about exploring it," Coleman says. "If you are aware of what could happen, you are more likely to be able to deal with it."

For many family-owned companies some of the counter-terrorism measures, especially some of those mandated by the US government, are too onerous and not justified by the perceived level of threat.

Santa Holding, a wholesale distributor of petroleum in Connecticut, chafes under some of the requirements. "Because we are in the petroleum business, we are the subject of an extraordinary focus when it comes to this terrorism business," says John Santa, vice-chairman of the family-owned company. "The Department of Homeland Security is always getting in our face with mandatory requirements – it gets pretty bizarre."

Santa relates that even for himself to drive one of the company trucks he has to keep valid not only a commercial driver's license, but a Hazardous Materials Endorsement and a certified identification card that requires him to travel halfway across the state to renew because he must have his fingerprints taken each time. This is a considerable hardship for the drivers employed by the company, he says.

Santa, who mentors other family-owned businesses on strategic and governance issues, thinks the government would be more effective in countering terrorism if it encouraged energy conservation and reduced US dependence on imported oil.

"We have to stop using so much oil," he says. "We're engaged in terrorism because we're extracting resources from Middle Eastern countries."

As for his own company, Santa says they are more concerned about providing service for their customers and don't need the distraction and restrictions of a surfeit of government rules. "We don't see terrorism as a real threat," he says. For his family's and business' sake, it is hoped he is right.

Click here >>