Several recent manmade events, including the attack at Pulse nightclub in Florida and the Belgium airport terrorist bombing, highlight the vulnerability of the workplace. Workplace violence costs employers more than $120 billion a year, according to the National Institute for Occupational Safety and Health (NIOSH). As the chance of an onsite attack rises for employers, the focus on mitigation is increasing.
According to several security experts, most instances of workplace violence are committed by one person acting alone. So-called lone-wolf attacks are difficult to predict, because most terrorism models are used to predict larger, bomb attacks, said Charlene Chia, senior risk consultant with AIR Worldwide.
Tarique Nageer, terrorism placement advisory leader for Marsh’s Property Practice, said there has been an increase in frequency in attacks against civilian targets, including more lone-wolf attacks resulting in more deaths. The potential costs associated with lone-wolf attacks include property damage, business interruption, and employee injuries and losses.
According to Chris Flatt, leader of Marsh’s Workers’ Compensation Center of Excellence, workplace risk has increased as more attacks occur in less secure locations. “Terrorism is absolutely a workplace risk. We’ve seen many examples, unfortunately, of terrorist attacks in the last few years happening at or near workplaces, which includes the recent Orlando shooting. The victims there included both employees and customers of the nightclub,” Flatt said. “The San Bernardino (Calif.) shooting last December also occurred in a workplace setting. The Paris attacks in November included several people being shot in or near restaurants or bars in the theater, with employees there being among some of the victims.”
There has been a shift in terrorism toward attacks on softer targets, he said. “Of course, there still remains the risk of large scale attacks in major metropolitan areas, for example with the bombings earlier this year in Brussels, but we’re seeing more of these lone-wolf attacks in less secure locations including workplaces unfortunately.”
According to Flatt, the reauthorization of the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) in 2015 helped stabilize the workers’ comp market. The new bill is effective until Dec. 31, 2020, and increases the aggregate loss trigger from $100 million to $200 million.
Prior to the reauthorization, Flatt said employers shopping for workers’ comp coverage faced a difficult marketplace. “Workers’ comp insurers were being very selective in the risks that they would accept. In some cases insurers were being overly opportunistic in terms of how they were pricing coverage. Just simply, some were refusing to renew certain accounts.”
Flatt said even state funds, otherwise known as markets of last resort, were concerned that they could be flooded by a large number of employee concentration risks, pushing them beyond what their potential risk appetite is. The reauthorization restored workers’ comp insurers’ appetite for concentrated risk, he said.
“Once it was reauthorized, the appetite from the insurance market to cover terrorism in concentration risks and workers’ comp came back … to levels that we saw before the uncertainty about TRIPRA had cropped up. Even since then, we’ve really had a much more viable marketplace for employers,” Flatt said. “The majority of our clients are able to secure rate reductions year-over-year on the workers’ comp programs, which means really that they’re able to obtain workers’ comp terrorism coverage at competitive rates, as well.”
The first step to mitigating risk is to determine the exposures a business faces in the wake a violent attack in the workplace. Chia said AIR’s terrorism models can be used to evaluate workers’ comp exposures.
“Clients can now perform accumulation reanalysis from workers’ compensation exposures in the U.S. Instead of accumulating replacement values or insured values, the accumulation is now based on the number of employees at a given location,” Chia said. “This can be divided between the day, evening or night-shift. You can also create custom deterministic scenarios or run the probabilistic model to calculate your losses by injury type.”
Flatt said a key factor in workers’ comp modeling is large employee concentrations and associated loss potential. Insurers want to know the number of shifts at a location, whether campus settings exist and the maximum number of employees in a particular building at any given time.
“Insurers really want to understand with precision the risks that individual companies present to them, and from an employer’s perspective it’s not really just a matter of sharing payroll data,” Flatt said. “The bottom line here is that the better the employee and exposure data that you can provide to your insurers, the more credible your modeled output is going to be, and ultimately that will be reflected in your pricing and really the market’s appetite for your risk,” Flatt said.
Crisis management planning, the next step in mitigating risk, is meant to consider every type of crisis and risk that an organization faces, as well as what the senior level response to a situation will be.
“There are different thresholds for activation of the plan,” Flatt said. “Some smaller-scale incidents might not trigger the plan, but something like an act of terrorism or a workplace shooting affecting one or more of your locations certainly would. If an event meets this triggering threshold, the plan activates a crisis management team.”
That team should include representatives from different functional areas, Flatt said.
“The primary purpose of the team is to coordinate the organization’s response to the event. That includes communicating with and assisting employees and their families in the wake of the incident, working with law enforcement and many other actions,” he said, emphasizing the importance of having a plan pre-attack.
“The reality is once you’re in the middle of a crisis, nothing’s going to feel like normal day-to-day operations,” Flatt said. “When you get to the point that you’re dealing with an actual crisis, that shouldn’t be the first time you’ve thought about how you’re going to respond to it.”
The plan should encompass scenarios and procedures to address different forms of violence, including active shooter incidents or other types of terrorist attacks.
“Employees should complete awareness training on what to do when faced with these types of incidents,” Flatt said.
Jonathan Bernstein, a former U.S. Army Intelligence officer and owner of Bernstein Crisis Management, said research suggests close to 95 percent of employers are completely unprepared or seriously underprepared for a crisis.
“It’s not usually until they’ve had at least once significant crisis that they start getting better prepared,” Bernstein said.
The crisis management specialist routinely conducts vulnerability audits, which he described as broader than an insurance risk assessment, looking for red flags that indicate something might go wrong.
“Most of the time, there are huge gaps in preparedness for workplace violence,” he said. “Until the wheel squeaks hard enough and it applies to them very personally, they don’t even want to open the door to crisis preparedness because they see it as additional workload on top of their already busy workload. They see it as an expense versus seeing it as an investment … You can’t just have a policy. You have to have training to go along with it, refresher training on an ongoing basis and sanctions for not following the policy.”
Bernstein explained that there are four categories of professionals that can assist employers in becoming better prepared for the possibility of a terrorist or workplace attack:
Security experts conduct physical audits and educate human resources on early warning signs that may appear in employee records.
Human resources psychology experts provide information on the types of personalities to look for, warning signs and how to handle a person exhibiting potentially threatening behavior.
Crisis communications experts help with creating procedures to follow should a violent attack occur.
Strategists conduct initial vulnerability audits.
No matter how much work a crisis management plan may seem to entail, in the long run, it will save lives and protect property from damage, Bernstein said. If a business remains unprepared, the cost of the civil lawsuits resulting from an incident could close it down, he said.