Identifying and Mitigating Internal and External Threats

With the increased frequency of workplace violence and specifically active shooter incidents, it is extremely important that organizations take the steps necessary to prevent, as well as plan for, such incidents. While there is no federal law explicitly pertaining to workplace violence, the Federal OSHA Act requires employers to comply with safety and health standards and regulations issued and enforced either by OSHA or by an OSHA-approved state plan. The Act’s General Duty Clause requires an employer to provide workers with a workplace free from recognized hazards that are causing or likely to cause death or serious physical harm to employees (29 U.S.C. § 654(a)(1)). Courts have interpreted the General Duty Clause to mean that an employer has a legal obligation to provide a workplace free of conditions or activities that the employer or the industry recognizes as hazardous and that are likely to cause death or serious physical harm to the employees where there is a feasible method by which to abate the hazards. Active shooter events are now considered a recognized hazard.

The primary resource for ensuring compliance with the OSHA Act and its General Duty Clause is the American National Standard for Workplace Violence Prevention and Intervention, which states, “No organization, large or small, public or private, for-profit or in the nonprofit sector, can assume that it will be immune to the wide range of disturbing, threatening, and violent conduct that falls within the broad definition of ‘workplace violence.’ All organizations ultimately carry a responsibility, both for humanitarian and legal reasons, to protect employees and others who interact with the workplace to the fullest practical extent by taking measures to detect threats at the earliest possible moment, engage in effective intervention through careful Incident management, and mitigate consequences should violence erupt.”

Clearly, life safety is of paramount importance to every organization, which is why this article started with OSHA’s General Duty Clause. Additionally, while OSHA and the American National Standard for Workplace Violence Prevention and Intervention cover the “wide range of disturbing, threatening, and violent conduct that falls within the broad definition of ‘workplace violence,’” this article will focus solely on active shooter prevention and planning.

What is an “active shooter event/incident”? An “active shooter” is defined by the US Department of Homeland Security as “an individual actively engaged in killing or attempting to kill people in a confined and populated area.” In most cases, active shooters use firearm(s) and there is no pattern or method to their selection of victims. Active shooter situations are generally unpredictable and evolve quickly. Typically, the immediate deployment of law enforcement is required to stop the shooting and mitigate harm to victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives, employers and individuals must be prepared both mentally and physically to deal with an active shooter situation.

Now that we’ve defined what an active shooter is and some characteristics of the event itself, let’s review some startling statistics regarding workplace violence and active shooter incidents.  The statistics were obtained from “The Bureau of Justice Statistics, Special Report, National Crime Victimization Survey, Violence in the Workplace, U.S. Department of Justice, December 2018; OSHA Workplace Violence Occupational Safety and Health Administration Department of Labor; and the Office of Victims of Crime Mass Casualty Shootings 2018.”

[Infographic: Active Shooter Prevention]

Given this growing phenomenon, evidenced by these statistics and OSHA’s General Duty Clause, employers are increasingly being held liable by the courts after such incidents.  Following an active shooter incident, a number of workmen’s compensation claims can be expected. Additionally, there have been a number of negligence claims filed in the courts following these incidents against employers where litigants have raised concerns with the active shooter training provided or not provided, the security posture and infrastructure of the company/location, background screening efforts of the company and other similar claims.

With all that is at stake regarding active shooter incidents, considering life safety as the paramount concern as well as the impact on business operations and organizational reputation, and the financial and legal considerations, why don’t organizations, business and otherwise, do more to prevent, prepare and plan for an active shooter incident? Clearly, it is a complex issue with many divergent yet interconnected personal, employment and social issues: gun violence, mental health, employers’ responsibilities and obligations to safeguard employees, employee privacy, Corporate Security (features and posture of organizations), coordination with local law enforcement and many others. Despite the complexities listed related to the active shooter phenomenon, I think that the response most organizations provide is rather simplistic. Most organizations, despite the above referenced statistics, don’t think that they will be victimized.

Identifying and Mitigating the Threat (to prevent an active shooter incident)

The reality is that there are a number of steps that organizations can take, that require minimal effort and expense, which can drastically enhance your organization’s security posture (against both internal and external threats), which will, most importantly, lessen the chances of being victimized by an active shooter, and as a result, increase the safety and security of your employees as well as the resiliency and sustainability, and therefore the viability, of the organization.

When looking to first identify and then mitigate the potential threat of an active shooter, there are two areas of focus: internal and external threats. We must first look at our own organization, our employees, and the existence or absence of policies which may increase our own risk of such an incident. It is possible, and unfortunately frequent, that an active shooter can be an active or former employee, or someone affiliated with your organization (spouse of an employee, relative/friend of an employee or former employee, etc.). Additionally, it is possible that an organization’s processes or lack of a process may be contributing to the risk. Organizations can proactively manage and mitigate these internal risks with the following approaches:

  1. Thorough pre-employment background screening of employees, contractors and vendors
  2. A Workplace Violence Prevention and Response Policy
    • Zero tolerance for threats and/or acts of violence, bullying and harassment (social media, etc.)
    • Confidential reporting mechanism (non-retaliation policy for reports in good faith)
    • Investigative response for such allegations
    • Consistent and firm discipline
  3. Managers/HR trained to recognize potential workplace violence indicators
    • Early identification and intervention of abnormal or aberrant employee behavior is key
      • Sudden changes in demeanor
      • Depression or withdrawal
      • Comments about suicide or hurting oneself or others
      • Comments about firearms in conjunction with violent crimes
      • Disregard for work quality or company policy
    • Internal cross functional team or external resource to address #3a
    • Engagement of Employee Assistance Program (EAP) to assist employees
  4. Process/approach for employee terminations, layoffs, etc.

As you can see, the key is Management’s proactive awareness and engagement (through policies and actions) with employees on the above items (#1-4).  Identifying and addressing these employee matters consistently, thoroughly and preemptively is critically important to mitigating potential internal threats.

On the other hand, organizations must also be aware of, and proactively manage, external risks. Clearly, there are more variables and unknowns when it comes to the risks posed to the organization externally. As such, organizations rely on proprietary or external Security resources, the organization’s security policies, posture and infrastructure, and in many respects, their relationship and coordination with their local law enforcement agencies, particularly as it relates to active shooter preparation, planning and response. However, unlike traditional law enforcement, which is predominantly reactive, Corporate Security services are expected to identify and mitigate risks preemptively, before an incident can negatively impact an organization’s employees, operations and/or reputation. The four “D’s” of prevention are a basic corporate security, crime and loss prevention tenet which outlines the objectives of preventing any loss, particularly from external risks such as active shooters. The four “D’s” of Prevention are as follows:

[Figure: Four D's of Prevention]

This is primarily done through the development, application and ongoing management of a cohesive enterprise-wide security program.  As stated by Lawrence J. Fennelly in The Handbook of Loss Prevention and Crime Prevention, Third Edition, “The greatest protection of an organization’s collective assets is provided when a comprehensively designed security system integrates an appropriate mix of electronic, physical and procedural security measures.”

I certainly agree with Fennelly; however, for the purpose of this article and the management and mitigation of external threats of an active shooter incident, I will focus my attention on the most impactful physical, technical and procedural security measures.

  1. Access Control (employee identification/visitor management)
    • Access control features and policies regulate the flow of people, vehicles and materials into, out of, and within a protected facility. Having the ability to properly manage and control access to a location, property or building is a fundamental security concept that, when managed thoroughly, can greatly reduce risk to an organization.
    • Being able to differentiate, identify and manage authorized personnel from unauthorized personnel at the earliest point in the screening process and at an appropriate distance from a “protected space/area” is critical to controlling access and increasing security.
    • Some of the simple ways to implement and manage access control are having separate entrances for employees versus visitors, requiring all employees to wear an identification badge while at work, and requiring visitors to register in advance and wear an expiring visitor badge while on company property.
    • There are also numerous technological options (card access proximity systems, biometric options, keypads, etc.) that can support access control objectives.

Clearly, there are a number of organizational and Security considerations that must be evaluated when creating and implementing an access control policy.

  2. Physical/Technical Security (physical security modalities, CCTV, Card Access)
    • Physical and technical security measures are important components of an organized, cohesive enterprise security program.
    • Physical security features include, but are not limited to: fences, bollards, gate arms, doors and locks, etc.
    • Technical security features include, but are not limited to: card access readers, closed-circuit television (CCTV) cameras, Pan/Tilt/Zoom (PTZ) cameras, intrusion detection alarms, environmental/condition alarms, etc.

Depending on your organization’s risk profile, some of these features, or a combination of them, may be appropriate in coordination with the rest of the enterprise security program.

  3. Crisis/Emergency Management
    • Advance planning and preparation are key considerations when it comes to crisis management. An emergency management plan describes the actions to be taken by an organization to protect employees, the public, and assets from threats created by natural and man-made hazards.
    • Every business, large or small, public or private, should have some form of an emergency management plan. Organizations need to have an established crisis/emergency management plan that provides the framework and structure to manage emergency events. Failure to do the necessary planning could seriously impact an organization’s ability to minimize loss of life, loss of assets and business downtime, should an event occur.
    • It is important that the organization take the following steps in the creation of its crisis/emergency plan:
      • Define what a crisis/emergency is for the organization
      • Establish an Emergency Response Team (ERT) with appropriate members of the organization
      • Establish a protocol for communicating with executive leadership
      • Develop plans for the organization’s response to a crisis/emergency
      • Conduct training for the ERT and the broader organization

Items specific to an active shooter situation/response plan (*Example Active Shooter Response Plan included at the end of the article):

  • Again, pre-planning is critical
  • Develop a system for communication to the entire organization to inform everyone of an active shooting event; use a “code word” to broadcast to the organization regarding the impending danger
  • Depending on the circumstances, a lockdown or shelter in place strategy may be the best option to protect employees instead of evacuating
  • If lockdown is not an option and you hear shooting in your work area, look for cover or protective shelter. Consider escape, a quick exit or retreat from the scene if the opportunity presents itself (it’s a judgement call)
  • Active shooters usually stay to fight until dead, seriously wounded, or out of ammunition
  • Prompt notification to law enforcement

Security Policies and Procedures

Security policies and procedures are different and yet they both provide the guidance and structure needed to deliver security services in the manner expected by management.

  • Policies indicate management’s position, statement, purpose or direction. Essentially, a policy indicates what management would like.
  • A procedure, on the other hand, is the set of detailed steps management requires its employees to follow to achieve the desired results. Essentially, a procedure indicates how management wants something done.

Policies and procedures are complementary documents and should be created with this in mind. There are many benefits of written and codified Security policies and procedures. The benefits include consistency in performance, reduction in decision time and enhancement of controls. Additionally, the existence or absence of a written policy could be a significant factor in a legal matter. The security manual should act as the repository of all written policies and Standard Operating Procedures (SOPs) that pertain to the security function.

It is critically important that these security features (physical, technical and procedural) work in concert with one another and within the overall security program by assisting the organization in monitoring the workplace, building activities, conditions, employees and visitors, comings and goings, as well as the surrounding environment.  All suspicious activity in and around the workplace must be reported. The security program should facilitate the preemptive identification of relevant hazards and risks with adequate time and distance for professionals to respond, intercede and mitigate the risk.

For example:

  • Unknown persons attempting to enter or entering the building without proper ID.
  • People that appear in the wrong place or seem lost
  • People that appear overdressed for current weather conditions
  • People that are loitering, watching, photographing, videotaping employees, building, operations, etc.
  • People acting in a disorderly manner that alarms or disturbs others

When these coordinated programs, policies, procedures and security features are implemented and running in concert to identify and mitigate both the internal and external threats of an active shooter, as well as other threats/risks, the Security of any organization is increased exponentially. If these measures fail to prevent an active shooter incident and one occurs, the organization must have a plan in place that everyone (employees, visitors, contractors, etc.) is aware of and has been trained on. The proactive implementation of a response plan, as soon as an active shooter incident is identified, that employees have been trained on and have exercised will minimize loss of life and the organizational impact.

*Example Active Shooter Response Procedures

  • The first employee to identify an active shooter situation: As soon as possible, should call the Company emergency number and announce a prearranged code (i.e., “Code Red”) (with the location of the incident) and a physical description of the person(s) with the weapon, and type of weapon, if known.
  • The emergency operator upon notification will: Provide a public announcement “Code Red” (and the location) on the public address system.
  • The emergency operator or any employee who is at a location distant from the active shooter, such as in a different area or floor, will contact 911.
  • The phone call to 911 (from the area where the caller is safely concealed) should provide the following information to the police:
    • Description of suspect and possible location
    • Number and types of weapons
    • Suspect’s direction of travel
    • Location and condition of any victims

Potential Responses- In response to an active shooter event, there will be three potential courses of action: Run, Hide, Fight. The following guidelines identify these courses of action:

  1. Run- If there is an accessible escape path, (avoiding the shooter) attempt to evacuate the premises, following these recommendations:
    • Have an escape route and plan in mind
    • Evacuate regardless of whether others agree to follow
    • Leave your belongings behind
    • Help others escape, if possible
    • Prevent individuals from entering an area where the active shooter may be
    • Keep your hands visible
    • Follow the instructions of any police officers
    • Do not attempt to move wounded people
    • Call 911 when you are safe
  2. Hide- If evacuation is not possible, find a place to hide where the active shooter is less likely to find you, with the recommendations listed below. The hiding place should:
    • Be inconspicuous
    • Be out of the active shooter’s view
    • Provide physical protection if shots are fired in your direction (e.g., locating into a bathroom and locking the door, staying as low to the floor as possible and remaining quiet and motionless)
    • Not trap yourself or restrict your options for movement
    • To prevent an active shooter from entering the hiding place lock the door and blockade the door with heavy furniture
    • If the active shooter is nearby, lock the door and:
      • Silence cell phones and/or pagers
      • Turn off any source of noise (i.e., radios, televisions)
      • Hide behind large items (i.e., cabinets, desks)
      • Remain quiet and motionless
  3. Fight- If it is not possible to evacuate or hide, then consider self-defense, with these recommendations:
    • Remain calm
    • Dial 911, if possible, to alert police to the active shooter’s location
    • If you cannot speak, leave the line open and allow the 911 dispatcher to listen
    • Take action against the active shooter and only when you believe your life is in imminent danger, attempt to disrupt and/or incapacitate the active shooter as follows:
      • Acting as aggressively as possible against him/her
      • Throwing items and improvising weapons
      • Yelling
      • Commit yourself to defensive physical actions

Law Enforcement Response- The police will arrive to respond to the emergency; follow these recommendations:

  1. Comply with the police instructions. The first responding officers will be focused on stopping the active shooter and creating a safe environment for medical assistance to be brought in to aid the injured.
  2. When the police arrive at your location:
    • Remain calm and follow officer’s instructions
    • Put down any items in your hands (i.e., bags, jackets)
    • Raise your hands and spread your fingers
    • Keep your hands visible at all times
    • Avoid making quick movements toward officers, such as attempting to hold onto them for safety
    • Avoid pointing, screaming and/or yelling
    • Do not stop to ask officers for help or direction when evacuating, just proceed in the direction from which officers are entering the area or to an area to which they direct you
    • Notify Company representatives that you have evacuated the premises
  3. When the police arrive, the following information should be available:
    • Number of shooters
    • Number of individual victims and any hostages
    • The type of problem causing the situation
    • Type and number of weapons possibly in the possession of the shooter
    • All necessary Company representatives still in the area as part of the company’s emergency management response
    • Identity and description of participants, if possible
    • Keys to all involved areas as well as floor plans
    • Locations and phone numbers in the affected area

Post-Incident Action- When the police have determined that the active shooter emergency is under control, the emergency operator will provide a public announcement that the emergency is over by using a prearranged Code (i.e., “All Clear”).

Police Investigation- After the police have secured the premises, the Company will arrange to have designated management representatives participate in the law enforcement investigation of the incident, including identifying witnesses and providing requested documents.

Run, Hide, Fight Video- Below, please find the link to the “Run, Hide, Fight” video originally created by the City of Houston, Texas and the Department of Homeland Security (DHS) which has had nearly three million YouTube views.

Link to the video:

According to Dr. Steven Albrecht in his August 25, 2014 Psychology Today article, “The Truth Behind the Run, Hide, Fight Debate,” the viewership suggests many have taken the time to watch the video that now serves as the national protocol on what to do when an armed assailant enters a public or private business with the intent to do harm. The Run, Hide, Fight video is one of many training responses from agencies in the US government tasked with keeping employees safe, including OSHA, the Department of Labor, and the FBI, who often investigate workplace, school, and college and university shootings. 

In essence, the Run, Hide, Fight response and the accompanying video is a simple concept: if you can get out of the building safely, avoiding an armed assailant and not hurting yourself in the process then run out and away as fast as you can.  Take as many people with you as is safe, avoid going to any of the usual “staging areas” (parking lots, open concourses) like you’d do for a fire drill or a gas leak, and call 911 when it’s safe to do so. 

The Hide part is a bit tougher but just as life-saving: leave your desk or work area, leave your stuff except for your cell phone, and run to the nearest “safe room” in your building.  Once inside, with as many people as will fit, lock the door, barricade it with whatever heavy objects you can find, stay out of the door frame, spread out inside the room, stay low, and be quiet.  If you can call out to 911 from this position without making noise, do that.  The safe room is not a bulletproof chamber; it’s a break room, rest room, locker room, storage closet, utility room, training room, or supervisor’s office that can be locked, preferably without windows and off the main hallway where the shooter may pass.  The purpose of hiding in the safe room is to keep you and others barricaded and out of sight until the police can arrive to engage with the bad guy or bad woman with the gun(s).

The third response is the least desirable but may be necessary to keep you and your colleagues alive: Fight Back.  Almost any room in an office building, store, church, or factory will have something in it you can use for protection as a weapon: a fire extinguisher, chairs, tools, desk objects or even heavy books.  Brave and heroic people have done extraordinary things when faced with the possibility of death involving a shooter who has breached the safe room.  Many people who did not see themselves as capable of protecting themselves or others with force have done so when called upon and saved lives. 

As they say, an ounce of prevention is worth a pound of cure. There are a number of considerations when attempting to prevent an active shooter incident.  The idea of first identifying and then mitigating both internal and external threats is critical to managing those respective, identified risks, both internally and externally, with an eye towards never having an active shooter incident.  Whether it is the development of internal policies and practices to preemptively identify certain employee behaviors, proper background screening procedures, the implementation of physical and technical security measures or a combination thereof, these efforts can go a long way to preventing an active shooter incident on your premises.  If, however, such an incident does occur an organization must also be prepared with an appropriate crisis management plan, including robust training and communications as well as exposure to the Run, Hide, Fight concept and response.