The Facility Manager’s relationship with the terrorist is one of mutual support. The terrorist needs the sites under the control of the Facility Manager as targets; the Facility Manager can use the threat posed by terrorists to consider the measures in place, their effectiveness, relevance, and the documented and assumed responsibilities of the various managers on-site. The Facility Manager has two overarching responsibilities: to provide a safe and secure environment, and to minimise disruption to the tenants. These two responsibilities need to be done in an economical and profitable manner. The Facility Manager is the person best suited to ensure the site’s plans, policies, procedures and occupants are co-ordinated and effective.
The threat posed by organised groups and “lone wolf” terrorists is not new. Since the mid-Nineteenth Century, extremists have been committing acts of violence in managed sites: anarchists, ethno-nationalists, separatists, right and left wing activists, as well as religious and racist zealots. During, the terrorist decade of the mid-1960s-70s there were bombings, shootings, hostage takings, and other acts of violence across Australia. Since then we have had many incidents, some of which were political, some criminal, and some the result of mental illness. With the exception of the odd shooting in the bush, and attacks against private houses, they have all occurred in managed facilities. The intent and capability have always existed. What has changed and led to an increase in the national alert level is the loose association of aligned terrorist groups and individuals with the stated aim of committing public acts of violence.
Terrorist methods remain largely the same: bombings, assaults, murders, and hostage takings. The London underground was bombed in 2005 and in 1883; very little of what we are seeing today is innovative. Occasionally a new attack vector is tried, such as flying a plane into a building or bringing an explosive laden dinghy up against a warship, but the usual attacks are those which are easy to arrange and conduct: armed assaults, hostage taking and bombings, or a combination of these. Traditionally, targeting is of places where people work, meet, transit, rest and play – i.e. managed facilities. These may be commercial buildings, apartments or hotels, sporting venues, entertainment hubs, theme parks, retail centres, open air, or fully under cover. In each case, they offer the terrorist a location where people gather and where media will report the “propaganda of the deed”.
For the Facility Manager, terrorist attacks are low likelihood events, well below the probability of mechanical failure, contractual breaches, or tenant issues. But, a terrorist incident is a high consequence matter and the site-wide ability of the tenants to respond safely and effectively must be considered.
The Facility Manager may seek to devolve the responsibility onto tenants; however, the question of who co-ordinated the identification, assessment and response will probably return to the person responsible for the overall management of the facility. Most sites are multi-tenanted, including: caterers, retail, child care, carpark operator, other businesses, security and maintenance contractors, and possibly even the Facility Manager’s office. Having each tenant arrange their own emergency management system and security plans without some form of co-ordinated understanding of the capabilities, expectations and planned responses, can only lead to confusion and possibly death. Delegation to tenants may appear to absolve the Facility Manager of providing a safe and secure environment; however, site-wide co-ordination is likely to be raised in later inquiries. If the facility has only one tenant, then overall responsibility may rest with that organisation. Even a single tenant facility may be found to have a range of other organisations on-site. All tenants, including, or perhaps especially, small ones – such as a café or chocolatier – should be involved in site-wide discussions on safety, security and emergencies.
There are three key issues the Facility Manager should ensure are co-ordinated: prevention, detection and response. The roles and responsibilities for these functions vary from site-to-site between: the Facility Manager, the Security Manager, Safety/WHS Manager, and the Chief Warden. All of them have some responsibility for aspects of the preventative and response capabilities, but the Facility Manager has overall responsibility for ensuring that all activities on-site are co-ordinated. The Facility Manager should be aware of how many security, safety, WHS managers, and Chief Wardens are on-site, and whether each tenant has their own or any of these positions.
Prevention is primarily a security function, and is about protection from deliberate human action – in this case: violent attacks by terrorists. Other disciplines worry about mechanical failure, weather events, human stupidity, etc. If security staff are on-site, which is not always the case, they will be the frontline – expected to identify the hazard and step between it and the tenants and visitors. It is worth determining if on-site security has the contracted, or assumed, responsibility to assess incidents and to initiate a response that can result in thousands of people being moved and closing down the facility for hours.
The level of preventive security obviously relates to the function of the site. The general nature of the facility may be open to the public, have highly controlled access or, in most cases, a combination of both with some public areas and some access controlled sections. The site’s protective environment is also dependent on its image: is it a family friendly venue with a discreet security posture or one with a highly visible, deterrent security presence? When considering protection, it is not possible to determine which tenants are likely to be targets. Some may obviously be at greater risk than others, but the presence of visible security measures may drive the terrorist to attack easier and less obvious tenants – such as the recent incident at a café in Martin Place in Sydney.
The reality is that for most facilities, particularly those that seek to be opening and welcoming, it will be difficult to prevent someone from entering public areas and committing acts of violence. For sites that have access control systems, preventing unauthorised entry through a combination of good security policies, procedures and practices supported by technology, should prevent incidents in the secure areas. Of course, this does not stop the “trusted insider”, who has been granted access, from causing harm.
Detection is the primary factor in minimising the effects of an act of violence. Detection relies heavily on staff, particularly those who deal with the public. The staff may work for the Facility Manager, for one of the sub-contractors, or for one of the tenants. The Facility Manager is in a position to co-ordinate awareness and response training with or through the security manager(s), the emergency manager(s), and the Chief Warden(s) for the site. The Facility Manager and other managers need to foster an environment that encourages and does not belittle staff for reporting people, items or incidents that they think are out of place or do not fit. The key is staff being aware of the normal environment and knowing what to do if they see anything they think is out of the ordinary. They need to know to whom they report, how, and what to say.
Incidents that may be out of the ordinary are groups or individuals acting in a furtive manner, appearing to conceal items, wearing inappropriate clothing for the season or event, people who seem inordinately interested in back-of-house areas or how the site works, and of the security and emergency response plans. Actions that raise suspicions may not be the prelude to a terrorist act, it may be the planning or conduct of a range of criminal activities. In all cases it is worth noting and reporting.
A factor the facility Manager may wish to consider is when are they to be advised of an incident. Should the Facility Manager be told when an incident is first reported, during or after the assessment, when the emergency services arrive, or after they have been evacuated?
An appropriate response is fundamental to protecting both lives and business operations. Response should not always equate to an immediate evacuation, the concept of “better safe than sorry” is a fallacy. There is nothing safe in moving thousands of people in a way that they are not used to – unless they are being moved away from a hazard. If an evacuation is initiated when there is no hazard, the tenant’s business will be severely disrupted, and the responsible manager’s judgement called into question. If the site is not evacuated when there is a hazard, people will die. The difficult part is determining whether the incident does pose a hazard.
Even for tenants that have been identified as potential targets and allocated additional security, such as the publishing office in Paris, a determined terrorist may still attack the site, and adjust their planning and weapons to exceed the protective measures.
Management of an incident, particularly a terrorist initiated one, requires accurate information from those who observed the initial event, objective assessment, and implementation of the appropriate response. If there are multiple security providers on-site, comparing their contracted responsibilities and individual response plans is worthwhile, if not essential. It may be that the plans are in conflict with each other. The chain of authority for initiating an evacuation needs to be identified, defined and documented.
Questions that need to be addressed include: who is responsible for assessing the incident; who has authority to respond, particularly if the response includes closing down the site; what are the tenants’ expectations; what are the contracted responsibilities; and what are the legal and ethical responsibilities, particularly of the Facility Manager?
There are specialists with a wealth of knowledge to assist in developing appropriate, site specific policies, procedures and practices. There are also those of less skill. We are seeing a new group of “talking heads” appearing on media outlets, offering advice on terrorism and security. Managers, and particularly Facility Managers, should recognise that security is a management discipline with its own body of knowledge, research and literature. When seeking security guidance, managers should apply the same criteria they would for any other management advisor: appropriate qualifications, relevant security management experience (not just law enforcement or military experience), internationally recognised certifications, membership of appropriate professional associations, relevant professional indemnity insurance, and applicable State/Territory licences. It is unwise to expect suitable advice on managing the protection of life, business, profitability and reputation from anyone without the appropriate skills, qualifications, certifications and experience.
To ensure the site has prevention, detection and response capabilities appropriate for the functions and image of the site, the Facility Manager should ensure that “someone” reviews the co-ordination, communication and co-operation between the parties. Ideally this could be the site’s Chief Warden but probably the best positioned, experienced and relevant person to do so is the Facility Manager. If it is not the person responsible for managing the facility, then who is it?
As a preliminary step, the Facility Manager should review the site’s Emergency Plans, actually read them and walk through them. Are the plans really applicable to the site if they are of the “insert client’s name here” type, with only the diagrams having changed from any other site? Do they reflect what will happen? Do the plans address the actual tenant base; does it include the Child Care Centre; kitchen areas; critical assets; secondary hazards (those things normally on-site and safe until acted upon by an event such as a fire or explosion); what will happen if surrounding buildings also evacuate to the same location? Do the plans actually offer guidance to the Chief Warden or is the plan littered with “Warden makes wise decision here” type statements? Having contracted and paid for Emergency Plans does not mean the resultant product is suitable for the facility.
There are a number of instances where simple compliance with AS3745 “Planning for emergencies in facilities” may not provide appropriate levels of co-ordination, management or safety. If the incident, say a hostage taking or mass shooting event, is external to the building, do the emergency plans adequately address how to “Shelter In Place (SIP)” until a safe response can be identified? Shelter in place gets passing mention in AS3745. In relation to SIP, Facility Managers have a critical role as they are the ones most likely to know where the strongest and most secure areas of the facility are to be found, and how long people can stay in the building – particularly if water or sewerage are cut off. Do the plans provide sensible and relevant guidance on what to do if there is an armed assault, knifing, hostage taking, unattended item, or a post-blast incident?
Communication between parties is critical, not only during an incident but prior to one. Do the various tenants know what is expected of them, do they share information on security measures, and the responsibilities of their wardens and security managers/supervisors, whether they be in-house or contracted? What are the threshold levels for the various tenants to initiate an evacuation? For some, particularly government tenants, an evacuation can be called on a much lower level of confidence that there is a hazard than for corporate tenants that are aware of the financial cost of disrupting the site for three hours or more. If one tenant evacuates, is it expected that others will? What happens if some tenants decide to evacuate and some to shelter in place? How do tenants advise the Facility Manager and Chief Warden that there is an incident? In some new buildings Warden Intercommunication Points (WIP) phones are being designed out, which raises questions over how Area Wardens will be advised of specific response actions if the requirement is not for a full evacuation. What is the Facility Manager’s responsibility for ensuring that all tenants can be advised of the appropriate response as determined by the relevant site-wide authority?
The Martin Place hostage incident of December 2014 raises a number of interesting points. Why surrounding buildings kept staff on-site rather than evacuating them away from the hazard, particularly once it was believed that the gunman was acting alone? What communication systems were in place to advise staff to keep away from windows overlooking the incident, and how was this enforced? Were all tenants, including small ones, contacted and advised of the appropriate response? Was there a Chief Warden for each site, or were tenants responsible for their own decisions as to the appropriate response? Were there safe egress routes that did not expose tenants to the hazard as they evacuated? If not, what alternatives were available? Was security of the site maintained once it was evacuated? Were there plans for the reoccupation process? For government and others with classified or sensitive information, did the emergency plan include the security of hard and soft copy data, and how was this verified? For sites with potentially hazardous areas, how were they managed during the evacuation and how could this have continued over a period of days?
Co-ordination of those involved in providing a safe environment – including, prevention, detection and selection of an appropriate response – may be left to the contracted emergency service planning and training contractor, if it can be demonstrated that the provider did deliver appropriate procedures and training that addressed a wide range of incidents and that all tenants attended and were involved in the planning and training. Otherwise, the Facility Manager may need to suggest that co-ordination meetings with flow-down training and information sharing to all on-site may be of benefit.
As well as the tenants, there are others concerned with the reputation of the site as a safe and secure facility – owners, the organisation with signage rights, insurers, emergency services, regulators, and neighbours.
A factor that will affect the assessment of an incident is where the Facility Manager is geographically located: on-site, in a different building, or even a different city to the particular facility. In which case, who has the local responsibility for providing the safe and disruption free environment?
Facility Managers should be willing to challenge security, emergency and safety reports that fail the “common sense” test, and to send them back to the provider requiring them to be rewritten to reflect the needs and operating environment of the specific facility.
The Facility Manager has a responsibility to ensure that the safety of tenants and visitors is protected through co-ordination of security and emergency management policies, procedures and practices. Knowing that they have a relationship with terrorists, no matter how unwillingly, the Facility Manager cannot be complacent.