(similar to the New York City program “if
you see something, say something”). Do
not wait for a call that a bomb is on the
premise, ensure that your facility is always
“clean.” [Suspect that this would work well
for public areas but less for storage areas.
This also does not address issues of out-of-sight items in closets, desks, etc. but can
help establish the credibility of the caller.]
Who does the search? Generally,
responding emergency personnel are firemen, policemen, and medically trained
staff. One cannot assume that any of these
emergency personnel are trained in bomb
threats or authorized to survey/search/
remove an explosive.
Where does the liability reside if harm
comes to a bomb searcher, be it a government employee or a member of the organization? Many companies have policies
that the safety of their employees comes
before plants and equipment. Having an
employee conduct a search for a bomb is
implicitly in violation of such a policy.
A common reason for staff to perform the
search is that they will know if anything is
different or out of place. This concept would
imply that each department or section of the
building supply a searcher. A limitation of
this concept is the search would be visual.
Staff would not be checking inside cabinets,
bags, or other containers. One comment
made the distinction between common
(and presumably public) areas versus more
secure locations. The common areas would
have fewer personal items, packages, or
equipment, and suspicious items would be
more likely to stand out.
If management determines that the
organization will conduct the search, what
training to the searcher will be provided?
The searchers should be volunteers: how
will the searchers be selected? Will there
be enough volunteers? Will the searchers
be compensated? If the organization is
large enough, should a bomb search be the
physical security staff’s job description? If
organization searches, what is the risk that
evidence will be contaminated for future
Once an organization has gone through
the first pass at addressing the issues and
understanding its threats, risks, control
gaps, and potential strategies/procedures,
then it can circle back and determine what
the next steps should be. Should it cease
the activity prompting the threat or poten-
tial for such a threat? Should it work to
improve controls such as physical security
access? Should it accept the risk?
The net result may be a custom plan
for each organization. To get to that plan,
BC managers must address each issue and
build a consensus among senior management. The BCMIX discussion proved to
be a great learning experience; putting that
learning into practice is the next step.
Tom Ryan was the global business continuity manager for RBS Sempra Commodities
and is currently consulting with Datalink