Risk Management: Preparing for Worst-Case ScenariosMay 1, 2017

Planners Face a Heightened Duty of Care Amid Growing Safety & Security Risks By
May 1, 2017

Risk Management: Preparing for Worst-Case Scenarios

Planners Face a Heightened Duty of Care Amid Growing Safety & Security Risks

IFMM-2017-0506MayJun-Risk_&_Crisis_Management-860x418

Large-scale terrorist attacks. Extreme weather events. Massive incidents of data fraud/theft. These are three of the top-five risks in terms of likelihood, per World Economic Forum’s Global Risk Report 2017. And while most meeting planners may believe they will never find themselves in the unfortunate position of responding to a huge crisis, increasingly they no longer have the option of acting on this belief. “When a crisis strikes an event, it is the meeting planner who is expected to know what to do,” says Brenda Rivers, JD, President and CEO, Andavo Meetings, Incentives and Consulting.

The Pulse Shooting and Hurricane Matthew

Rivers found herself at the intersection of two potential crises in planning a five-day annual summit at an Orlando convention hotel in fall 2016. Already set to attend were 3,000 executives and corporate sponsors when the Pulse nightclub shooting happened in June 2016. The city was in panic mode, with local law enforcement and national intelligence agencies on the lookout for possible repeat attacks. Registered attendees, too, began to panic, some asking for refunds prior to the summit. “If the event was cancelled, it could potentially mean a loss of over $1 million, not covered by event cancellation insurance, as well as the loss of annual sponsorship revenue critical to the operations of this global organization. Most important, to cancel the event would mean that fear would triumph over the mission of this organization,” says Rivers, who is certified by the Institute of Crisis Management Communications.

“Planners are increasingly anxious about their responsibility for crisis preparation, yet most lack anything more than security handbooks and checklists to guide them.”
— Brenda Rivers

The organizers decided to provide crisis management training for the event staff and implement a safety messaging campaign for the attendees, something Rivers specializes in providing through Andavo. “Led by the events team, mini-crisis scenarios were rehearsed with the C-suite and staff to cover event disruptions resulting from: fire, power outage, serious medical emergency, hurricane, bomb threat, protesters, guns in the meeting and active shooters,” she says. Ultimately, attendee fears were sufficiently assuaged that the event enjoyed record turnout. And while the group did not experience any type of terror attack, it was not so lucky with the weather: Hurricane Matthew struck in October during the conference. “The entire group was on lockdown in the hotels for 24 hours, and the program agenda had to be restructured. The team learned that response training for one type of crisis is transferable,” she says.

The social media crisis communication plan was the one sticking point, leading Rivers to conclude that a team should be designated specifically to that task months in advance of any event, “including decision-making authority, preapproved messaging for levels of severity, contact lists, press policies and social network monitoring during and after the crisis. Always remember to rehearse your social media response for different types of crises before you are caught in the panic and fear of the actual disaster.”

Rivers’ background in hospitality law already predisposes her to think in terms of meeting organizers’ fiduciary responsibility toward their attendees — and increasingly, the world around us does, too. A terrorist attack is, unfortunately, now a “foreseeable risk for an event,” she says. “Organizations must understand there is a heightened duty of care to protect the safety of event attendees, not just their own employees. Your events team must be trained to know what to do, how to get help, how to keep people calm, and where the evacuation routes are. Attendees expect to have safety procedures readily available to them; therefore, not to publish reasonable information could be a failure of duty of care. Integrating crisis management training into the meeting design will meet the duty of care for all foreseeable risks.”

Certainly, when it comes to internal safeguards, insurance and financial services companies are in the vanguard of risk management initiatives. But the situation becomes a bit murkier when it comes to offsite gatherings.

A Black Cloud

“I had a black cloud over my head, which always turned into a sunny day,” says Pete Dowling of his 13 years as managing director, operational risk management with AXA Equitable Financial Services LLC, where he landed after a 26-year career with the U.S. Secret Service. During his time at AXA, he chaired the Bankers and Brokers Roundtable, a consortium of the chief security officers of the world’s 20 largest financial services firms who share information and best practices with each other constantly in the wake of the September 11 attacks. “If it hits the fan again, we’re all in it together,” he says. He also handled eight crises for AXA, including shepherding them through two hurricanes, one of which caused an electrical fire, as well as a protest during a political party convention.

“We have to sell a product that people don’t necessarily want to buy,” says Dowling, who now is special adviser to the CEO at Group Do Lists Powered by Centrallo. The “product” isn’t so much security solutions as it is planning for the worst case — no meeting planner (no person, really) is eager to think about, much less methodically plan for, a catastrophe. As such, Dowling made a point of developing trust with event planners, understanding their goals and working toward them as a team. Ultimately, he wanted to present an image of confidence and great preparation for planners and attendees, rather than coming off as a menacing presence.

“Advance preparation is always my mindset,” he says. “If you do a proper amount of preplanning, you don’t need a heavy-handed presence.” His preparation could include, for example, visiting the local precincts to ask: “If a cop was hurt, where would you take him?” and designating in advance a person to travel to the hospital with anyone who became injured or ill; staying in continuous contact with the U.S. Department of State when needed — as it was during a weeklong Paris meeting for top producers and their spouses during a period of significant rioting and arson in the French capital’s banlieues. Dowling’s CEO sent him overseas to suss out the situation and connect with his contacts there, and he followed each point in the itinerary, which included trips to the surrounding countryside, to determine where weak points might be.

To planners of meetings abroad, Dowling recommends getting in touch with the U.S. Department of State’s Overseas Advisory Council, which caters specifically to the needs of corporate travelers. He also recommends setting up a line of communication with the in-house security team. “If you know the security people in your company and you have a good relationship with them, sit down and have a cup of coffee and ask what you think we can do. Planners would be pleasantly surprised at the good coordination they can have.”

Who’s Responsible?

“Planners are increasingly anxious about their responsibility for crisis preparation, yet most lack anything more than security handbooks and checklists to guide them. Reading the security handbook is not preparation. If the organization’s response team does not know what to do in the first 10 minutes of a crisis, they are not prepared,” says Rivers.

Underlining the undisputed requirement to keep attendees safe is who, in an era of increased need for security, should foot the bill for reinforcements: “A conversation or dialogue between the event planner and venue should address whose responsibility is it to cover the costs for increased security,” says Stuart Ruff-Lyon, V.P. of events and education, RIMS, the Risk Management Society, and executive committee member of the board of directors of PCMA. “We wouldn’t walk into a city with union labor and try to do that on our own. People should consider the same approach with security. It takes some of the pressure off of us to not go it alone. As part of our RFP, we ask for an emergency plan, and cities have been taking it more seriously; they’ve hired additional people and experts in this area.”

Rivers notes that safety must be, rather than an add-on, “an integral part of the event design, along with food and beverage, budget, AV, speakers.” As she sees it, safety protocol should be spelled out in the hotel contract, complete with “force majeure language to address foreseeable crises such as threats of Zika, hurricane, bomb threats and active shooters.”

Balancing Safety and Convenience

The obvious drawbacks to a fully up-and-running crisis management system are twofold: diminished attendee experience and exorbitant price. “When people come to an event, everyone is carrying something. So do you want to screen all that like an airport situation, like TSA? People are paying to come to these things, and you don’t want to increase the fear level because people won’t come back,” says Michael Bou­chard, chief security officer, Janus Global Operations, based in Reston, Virginia. “So in the back of your mind, you’re always thinking: If I do these things, what will people say, what will their reaction be? If we can soften it in any way, we do.”

In practice, that can mean relatively unobtrusive measures such as circulating “observers” to check for suspicious behavior, asking for ID at the entrance as a protection beyond just the attendee badge and, perhaps, signs crafted in an event-friendly way indicating that bags may be subject to random search. IMEX Frankfurt had just such signs as well as metal-detecting wands, Ruff-Lyon notes, and a recent meeting in Nice even had metal detectors at every entrance. “Europe is probably a little ahead of us right now,” he says. “I think we will see more security screening at bigger conventions to ensure attendees are safe: a constant plainclothes police presence, metal detector or screening component.” RIMS has already added bomb-sniffing dogs in its loading area, he says.

As for the cost, the consensus is that pennywise equals pound foolish: The loss of trust, reputation or, at the most extreme end, life, always will be far greater than any funds spent on the front end.

Everyday Threats

A retired Marine who has worked with the U.S. Department of Defense and with financial services and insurance companies, among others, George Taylor is a member of the Global Business Travel Association Risk Committee and V.P. Global Operations for iJET International, an integrated risk management provider. For meeting planners, he has found, “The average threat is illness, car accident or crime.” Establishing where the nearest hospital is, liaising with local police to determine where pickpockets might be lurking, designating someone to step in if the event planner is taken ill: these are just a few of the precautions that have become routine.

Still, having worked in hotspots around the world, he is hardly one to downplay the potential for a crisis. “Venues need to be chosen less on price and more on safety and security” is his opinion on the matter. Ideally, an event planner and an embedded security person should “have an integrated effort to actually choose the location,” he says. Failing that not-always-feasible scenario, he recommends, as do all security professionals, that planners do a risk-based analysis that answers three basic questions: “What do I have to protect? What do I need to protect it from? What do I have to protect it with?”

Cyber Risk

Event planners also need to be on guard for cyber threats, particularly corporate espionage and data/identity theft, both of which become increasingly sophisticated almost in lockstep with the increased sophistication of technology. A successful infiltration needn’t even be high-tech: At what Bouchard calls “soft targets” — venues with little security that are unarmed — it can be sufficient for an unauthorized attendee to simply walk in with a hazily acquired badge.

“Risk management is not just crisis management — crisis management is one component,” says Ruff-Lyon. It’s also about managing cybersecurity, both within the venue and along the supply chain. A site security assessment should include, along with the more routine safety checks, considerations such as how easy it might be to record a private session or penetrate a secure event, and whether it’s worth it to confiscate attendees’ phones and, if so, how do so graciously.

“What kind of safety do vendors have?” Ruff-Lyon suggests planners ponder. He notes that even benign elements such as PowerPoints and other presentations can be encrypted and attacked. “We need to understand on a basic level, when we outsource registration, what measures they have in place so attendees won’t be breached.”

Rivers also gives special mention to the need to “involve your IT team and the hotel network team” in determining what information third-party apps might be collecting and what their privacy policy is, and finding out whether a vendor is carrying cyber fraud insurance to protect attendees. “Engage a cyber fraud consultant to analyze your network configuration, encryption for online and offline services when transferring data to mobile devices, document tracking and secure privacy filters on laptops to secure data from roving eyes,” she recommends.

‘Think Like the Bad Guys Will’

“It’s only a ‘crisis’ if you haven’t planned for it,” asserts Bouchard, who is retired from the Department of Justice, where he managed the Bureau of Alcohol, Tobacco, Firearms and Explosives’ efforts at the Pentagon after the 9/11 attacks and was one of the three incident commanders during the Beltway Sniper Investigation. Once you’ve already addressed the scenario in theory, if it happens, it’s simply “an incident that you have to deal with,” he says.

For him, risk assessment is not only about intelligence-gathering but asking about the risks: Can I do anything about them? Are they important enough for me to have to do anything about them?

“Planners aren’t thinking outside the box, but they need to think like the bad guys will,” Bouchard says. Given the nature of his industry, where kidnappings are not uncommon, he has learned to think in this way, and standard practice for returning executives is to have their computers scrubbed in case a foreign agent has tried to infest it with something.

And while most insurance and financial services meeting executives won’t need to contend with this eventuality, they still can institute tighter controls over their proprietary information. For example, Bouchard recommends never leaving company-sensitive information on the laptop itself; instead, he recommends storing it in on an encrypted thumb drive that stays with the attendee at all times, then having the IT department scan the laptop once back in the office.

Wi-Fi and videoconferencing, too, can be remarkably easy targets, with a password that is “whatever the conference name is in lowercase. Anyone can just jump in on it. Be a little more creative with passwords,” Bouchard recommends. He also notes even something as simple as putting up signs reminding attendees that their connection is not secure can go a long way toward increasing awareness. He also recommends planners monitor social media about any controversial topics that may be broached during the event.

Although it’s a truism in event planning, still, security professionals emphasize that only through a physical walkthrough of a venue with an eye toward security can planners really learn what a hotel’s crisis plan is. Taylor says, “You can do simple things: look at CCTV coverage, how doormen act, and make determinations and feed that to the coordinator.”

Bouchard concludes: “You really can’t make the threat go away; you just have to manage it. If something bad does happen, you need to have a plan ready and people available.” I&FMM

Back To Top

CIT_POPUP