The ISIS Threat and Corporate Risk
Maureen Nevin Duffy, 18-03-2016
Recent terrorist incidents have signaled a “watershed moment” in the way corporate risk is managed, and in the risk function itself, according to Bill Udell, managing director, crisis and security consulting at political risk and security consulting firm Control Risks. Since the November 2015 Paris attacks, “terrorism has gone from something to worry about to something that's happened,” says Udell, who previously ran the firm’s Iraq business, providing threat assessments and intelligence, and served as a CIA analyst and operations officer focused on the Middle East.
The attacks hit “soft targets without symbolic value in locations considered benign,” Udell says. “There were definitely soft targets in Iraq, but the old Al Qaeda used to go for symbolic value” — Western-owned hotels, for example — as opposed to indiscriminate attacks. “That's the pivot ISIS has done on an international scale.”
And that is cause for a new and closer look at corporate liability and the traditional “duty of care,” as managements must consider a wider scope of exposures to be anticipated, monitored, screened and avoided. In Udell’s view, 9/11 marked the start of “contemporary corporate security,” including, among other things, new protocols for identifying and protecting high-level assets. These programs have only been intensified since Paris — and the December mass shooting in San Bernardino, California.
“The pivot toward quantity rather than quality in targeting raises new challenges, opening up the board of potential at-risk locations to anywhere that large groups congregate,” Udell wrote in November 30, 2015 Forbes column. “A well-funded group that is willing and able to indiscriminately kill civilians throughout the world represents a new challenge for corporations as well as police, security forces and intelligence agencies.”
Details in the Data
Ironically, the explosion of threat data currently available to corporations has expanded their legal exposure. There is liability where events are “reasonably foreseeable.” “You can imagine a situation where an attack had occurred in an otherwise benign area,” Udell explains in an interview with GARP Risk Intelligence. “And later on it turns out that the company actually had access to some little piece of thread of information that would have actually told them that, but they didn't have the infrastructure to process it.”
Udell, who holds an M.A. in Middle Eastern Studies from Harvard University and speaks Arabic, stresses the need for everyday procedures and alertness: “We must react to Paris by baking security concerns more thoroughly into everyday business operations.” Some of these are common practices, like requiring a photo ID to enter a building, that, he says, have grown lax or are not consistently applied. “Security directors really need to take a fresh look at threats,” he says. Such solutions as threat intelligence feeds, travel security and workplace violence programs, access controls, crisis management plans, threat assessments and monitoring are in place. “But directors have to make sure people are using them right.”
Udell has high praise for the threat assessments of the U.S. State Department’s Overseas Security Advisory Council. “It’s a very good starting point. Companies should review its threats and warnings,” he suggests, by using the intelligence to inform action plans and interacting with the OSAC staff directly. “There's just so much raw data that comes into companies,” Udell observes. “Whether government data or private information, for them to be able to sift through it and make it applicable to travelers and their people is quite a hill to climb for many companies.”
Foreign and Domestic
Companies with a lot of traveling employees or significant numbers of expatriates abroad may rely on private threat and intelligence-feed data or even bespoke services, he says. Control Risks’ travel security service, a joint venture with International SOS of Trevose, Pennsylvania, recommends using internal analytical programs (in 2015, the partners launched a travel risk map for managing medical and security risks).
Most large companies, says Udell, have 24/7 operations centers receiving data, but they still turn to his firm for analysts or a point of contact for sifting through the data and relating it to their company's specific needs. Meanwhile, “the U.S. is looking at a domestic threat much more complex and harder to identify and grasp and get ahead of,” says Udell. When, previously, there was a general understanding of reasonable foreseeability, “you could have been safe if you were just talking about places that were traditionally seen as high threat. The issue now is that ISIS has opened up the book on what is considered high threat.” Now, the consultant adds, “What is foreseeable needs to be reassessed. There is a new and open book. Directors have to look at risk through a new lens.”
Organizing for Prevention
Domestically, “mass shootings are not new,” says Udell. “But the radicalization element is.” His to-do list for directors includes: workplace violence prevention programs, identifying at-risk employees and mental health issues; and being aware of threats and incidents that in years past may have been glossed over and not reported up the chain of command. Risk directors, he notes, are taking cues from the U.S. government’s “see something, say something” campaign and working with police on how to react to active-shooter situations. “Fitting all of these under a crisis management umbrella in a sense results in the least disruption for the corporation,” Udell suggests.
Aside from human safety, companies must grapple with structural damage and business disruption, which are ISIS objectives. While the insurance industry is working through what Udell calls “an industry conundrum” on how to address things that can happen anywhere, it is offering coverage. But, “in the U.S., you can't buy insurance against business disruption due to terrorist threats.” That leaves a huge gap, given some security forces’ current willingness to lock down entire cities.
In reaction, Udell sees a gradual movement among corporations toward private security measures.
Terrorists’ aim is to “make us grind to a halt,” says Udell, and there is a “fear element that extends beyond the actual threat.” Although “radicalization is still rare, people are scared by the sort of mysterious external element to it. ISIS’s strategy is to break that innocence down. To inject fear is quite a victory for them.”
- PSD-2: Dreiging of kans?
- Digitale incassostrategie en klantbehoud
- Bankiers: Als de robot persoonlijk wordt ...
- Digitization of the banking services is naturally allowing for the usage of A.I.
- Allianz: "Nieuwe aansprakelijkheidsrisico’s en claimcultuur tegen bedrijven creëren risicovollere omgeving voor bestuurders"
- In 4 stappen naar het beste risicoadvies
- Schroders: Markten slaan andere toon aan over Trump - wat is er aan de hand?
- Top bedrijfsleven en Internal Auditors vinden elkaar op belang van kansenmanagement