Nobody wants to think about the risk of active shooters — yet all the time, we do just that.
You can see the results on Google Trends. Online searches for "active shooter" hovered at a low level for many years, until they started creeping upward in late 2012: the time of the Sandy Hook Elementary School shooting. Interest has gone up ever since, punctuated by spikes immediately after whatever latest mass shooting hits the news.
People think about active shooter risks a lot. Which means corporate compliance officers need to think about them, too.
Even in a disciplined, professional frame of mind, that’s not easy. Search for "active shooter risk assessment" or "active shooter policies and procedures" on Google and both return millions of results.
That’s an overwhelming volume of information. Compliance officers trying to figure out wise policies, procedures, and controls — because businesses have to do that, even for something so macabre — have every right to feel lost about where to start.
To add some structure, remember that every active shooter incident has three phases: before, during, and after. Compliance officers should take a risk-based approach to all three. That’s how you understand the active shooter risks specific to your organization, and then remediate them as best you can.
At this phase, begin by asking: How might an active shooter event happen at our business? Lots of useful answers can arise from that simple question.
For example, you might reassess your company’s physical security: does every location have enough exits, or properly secured doors? You might reassess your organization’s approach to internal reporting: how could employees raise concerns about coworkers? You might arrive at uncomfortable questions about employee monitoring: once we have a concern, how do we manage that employee?
Reducing a risk is about developing strong policies to prevent the risk, and that always involves a few key elements.
The goal here is to reduce the risk that a shooting might happen, so a few other questions also emerge. First, do you have people with the right expertise discussing the issue? Not every company has ex-security professionals on staff, so you might want to find outside consultants. Not every manager understands the delicate privacy issues around workers’ mental health; maybe you need HR, legal, or both to craft the right policies.
Companies also need to understand practical matters around local law. In Texas, for example, a private business can prohibit consumers from bringing firearms onto the premises, if you post a clear, conspicuous sign announcing that. So if that’s the policy your national business wants, do local managers know it? Do they enforce it? Do you know they do?
At an abstract level, all these steps should feel familiar to compliance officers. Reducing a risk is about developing strong policies to prevent the risk, and that always involves a few key elements:
- Assemble the right team to discuss the risk and your policy proposals intelligently
- Understand what you want to do and what relevant laws, rules, and regulations allow you to do
- Create the right mechanisms to enforce your policy, whatever that might be
Compliance officers have been taking those three steps for anti-bribery, data privacy, antitrust, and countless other risks for years. Fundamentally, active shooter risks are no different.
Law enforcement recommends three steps during an active shooter event: run if you can; hide if you can’t; fight if you must.
That’s easy to preach when there’s no shooter present. The question is how to train employees so they’ll remember to do it when there is.
Companies will need to decide what sort of training to offer, and to whom. Would you stage mock shooter events? How realistic would you want those drills to be? Do managers get more training than others?
Companies also need to provide systems and tools to help employees respond. Multiple marked exits are one example. So are alarms at a reception desk, evacuation maps or signs in visible locations, emergency broadcast or text messaging systems to alert groups of people spread across a large facility, and so forth.
Would you stage mock shooter events? How realistic would you want those drills to be?
Again, compliance officers can use prior experience to focus your thinking. For example, the Justice Department’s guidance on effective corporate compliance programs talks about the importance of training for “gatekeeper” employees.
Sure, we usually think of anti-bribery risk and training for supervisors or accountants when we mention that guidance — but the principle still applies. Customers and clients will look to employees during a crisis, and employees will look to managers. So compliance officers can fit that gatekeeper principle to a crucial question: how much training do we give, and to whom?
After an active shooter, a business has two objectives: to help employees recover from such a jarring, tragic disruption; and to resume “normal” operation as quickly as possible.
Some of that, compliance officers can anticipate. You can have policies about providing counseling for employees suffering from PTSD, or even tactical procedures for supervisors to find all workers or report anyone unaccounted for. Businesses can buy insurance for civil litigation that might arise after a shooting.
Still, for all of this planning — recovery depends on the fortitude, empathy, and leadership of employees.
Companies can also design critical systems so people can run them from other locations or on other devices. With the rise of cloud-based technology providers, that isn’t hard to do technically. Companies still need to assure they have procedures to implement them practically, perhaps with key employees injured, hospitalized or killed.
Still, for all of this planning — recovery depends on the fortitude, empathy, and leadership of employees. I’m not quite sure how one plans those things. A strong, respectful corporate culture helps, and people say tragedy brings groups together.
Personally, I hope I never find out whether that’s true. And whatever preparations you put in place at your organization, I hope you never find how well they really work either.