Skip to content

Incident Management

Effective incident management is critical to mitigating the impact of incidents at your organisation, site or premises and ensuring a swift and effective recovery

Last Updated 28 April 2022

Well planned and rehearsed incident management practices and measures can save lives, minimise harm and reduce the overall impact of a terrorist attack on or in the near vicinity of your premises. Having a thorough and tested incident management plan is also something you can promote to deter potential hostiles from targeting your site. 

CPNI have produced a number of guidance documents to assist organisations through the phases below. They focus on building relationships and key outputs in place as soon as an incident occurs and highlight the immediate actions an organisation’s command and control may take during an attack with the primary objective to save lives.

In order to save lives, minimise harm and lessen the overall consequences of a terrorist attack on or in the near vicinity of your premises, it is vital to be prepared.  There are several important but distinct phases to consider:

  • Incident response (IR) deals with the immediate impact of an incident. It is a relatively short term phase that focuses on escalation and activation, ensuring people and the environment are supported and made safe wherever possible.
  • Incident Management (IM) refers to how the organisation will manage the consequences of the business interruption at the scene through command, control, coordination and communication. (IM covers who is in charge, how to keep stakeholders informed, escalation processes, coordination of resources, etc.)
Responding to Terrorist Incidents – Developing Effective Command and Control is a guide that provides information on how to prepare those working in an SCR for dealing with a terrorist incident.  It is focussed on the period where an attack has been discovered and the immediate aftermath of the attack (i.e. Incident Response and Incident Management).
  • Crisis Management (CM) is about your arrangements to manage strategic, complex and unprecedented events. It is rarely standalone and will require integration with other disciplines. 
Crisis Management for Terrorist Related Events a communications toolkit designed in partnership with the Chartered Institute of Public Relations (CIPR) to help PR and communications professionals mitigate the harmful effects of terrorist incidents on brands, businesses and communities. 
Communication Technology – Interim guidance to assist organisations prepare for a terrorist incident identifies how systems can improve communications within and between organisations and businesses responding to terrorist incidents.
Unattended or Suspicious Items - Steps to Take!  CPNI have produced a film which introduces steps security staff within organisations should take once an unattended bag has been identified on their establishments. Further guidance regarding planning and delivering effective premises searches can be found on the building and area search page. Also, businesses and organisation can maximise safety and security using existing resources. See, Check and Notify (SCaN) training empowers staff to correctly identify suspicious activity and  what to do when they encounter it.

Good situational awareness is paramount for a security officer. You must always be on the lookout for anything that is out of the ordinary. Being vigilant can save lives, and your presence could be enough to deter any potential hostiles and prevent any loss of life.

All right?

I've just done my shift in the coffee shop, and somebody's left a bag just on the bench opposite.

Right, okay.

Thanks.

Thank you. Charlie seven to control. There's an unattended bag down opposite Bruno's Cafe, under one of the benches. It's a rucksack, black and blue. Can you see it?

Charlie seven, this is control. Yeah, I can see it. Did you see who left it? Over.

Control, I didn't. I'm going to check it out now.

Charlie seven, okay. I'll try to see who left it. We have an unattended bag, screen five under the bench, black and blue rucksack. Tony's going to go check it out. I'm going to see if I can find who left it.

Okay. Can you cover our screens please?

When dealing with an unattended item, it is important to confirm if it is suspicious or not. Has it been left by accident or has it been placed with malicious intent. You can use the HOT protocol to aid with this confirmation. H, Hidden. Has the item been deliberately concealed from view, is its placement different to what you would expect of a forgotten or misplaced item? If so, it may have been hidden on purpose.

Control. I can't identify an owner at this point. Have you've been able to see who left it yet?

Charlie seven, still looking. Is there anything suspicious about it?

O, Obviously suspicious. Is the bags appearance different to what would be expected? Is it oversized or over stuffed? Does it look too heavy or has it been altered in any way? Are there any visible wires, circuitry boards, batteries, tape, or putty like substances? All of these factors must be considered before upgrading an item from unattended to suspicious. You must be cautious. Any item that appears benign at a distance, may be found to be dangerous when handled or opened. You must ask yourself, do you think this item poses an immediate threat to life? If yes, you must act.

Control, it's big, it's definitely overstuffed, no visible wires though and I can't see any gas coming out of it either.

Charlie seven, it's definitely not someone's shopping bag?

Control, no way. Looks like a backpackers bag. Doesn't look right for in here.

T, Typical. Is the item typical of what you might find in this location?

Excuse me, you haven't seen who was with that bag have you?

Is it likely that someone would've forgotten to take the item with them? Lost property is often found in locations where people congregate, or wait before moving to a new location.

Charlie seven, okay. Well we've got who left it now. It was left by a female, white, twenties or thirties, short blonde hair, navy hoodie, black baseball cap.

Control, there's no one like that here.

She's definitely pushed it under. Look, she's looking around waiting until no one's looking, and then she's left it. It wasn't forgotten.

I agree. Okay, I'm calling it suspicious. Clear the area and I'll call the police. See if you can find her as well.

Okay. Charlie four, Charlie seven, you need to clear the area. We're calling the police, treating this as intentional and suspicious. Remember you need to be at least 15 metres away from the bag before using your radio.

Copy that control, over. Can you please leave via the nearest exit.

The four C's. Once a package is confirmed as being suspicious, it is important to clear the immediate area. All messages to the general public should be clear, loud, authoritative, and with necessary pauses.

Can you please leave by the nearest exit, come on, keep going straight through the door please thank you.

Security staff must not touch the item, and evacuations must start as a priority. People must be moved away from any potential danger, as soon as possible. You must call 999 and clearly explain why the item is being viewed as suspicious.

This is the control in the Hamilton Shopping Center. We found a suspicious bag that's been confirmed as left unattended. Now we have established who left it, but they seem to have left the building. We're establishing a security cordon and evacuating the building.

A cordon must be erected to demarcate the area. Cordons can be the presence of security officers at all access points or, depending on your site, a temporary cordon may need to be erected. Barrier tape should be held in easily accessible areas. A cordon is a malleable tool. It should be reinforced as the incident progresses, and should change in response to any new information gained, beginning 100 meters away from the item. Security staff should try to keep themselves out of sight of the suspicious item. If possible, shielding behind something substantial. Windows and skylights, must be avoided. Once cleared, it is integral to control access to the cordoned area. Members of the public should not be able to approach the area until it is deemed safe. It is of utmost importance for the safety of your site and its people, to remember these simple protocols. HOT, hidden, obviously suspicious, typical. The four C's, confirm, clear, communicate, control. Acting fast will save lives.

Subtitled Version

  • Business Continuity & Resilience (BC) are the arrangements you should develop in order to maintain critical and urgent business activities to a pre-determined level i.e. what work your business must continue to do to survive the disruption from a terrorist attack. Consider a range of impacts that could disrupt your business, including the unavailability of your building (through loss of utilities or evacuation), people (colleagues and suppliers) and equipment (machinery and IT). Then plan how you would continue critical parts of your business during disruption.