CYA?
We were asked to help develop a protective protocol for the annual conferences of a law enforcement trade organization. For some organizations – the International Narcotics Enforcement Officers Association comes to mind – a high level of protection is critical: A gathering in one place of the major players in the counter-narcotics field presents a real opportunity for the bad guys, and a tangible risk for the participants. For the training organization we were helping, the risk was markedly less, but the exercise seemed not-unreasonable, if only as an exercise in due diligence. The process of implementing the protocol would be particularly straightforward for this organization, as, between the host agency and its training academy, we had virtually unlimited manpower to deal with a known low level of threat.
As it happens, this kind of protocol is relatively straightforward. You figure out the areas of exposure and the areas that need to be protected. This would include the area where the conference would be held, as well as ancillary areas, such as parking lots, for example, might be covered. In addition, if the entire facility were not being used for the conference, the areas above and below the meeting areas might need to be protected from bomb threats (although, in this case the likelihood of a bomb threat against this particular organization was somewhere between slim and none).
Once the area to be protected is determined, it needs to be secured and inspected before the event, and, once secured, kept secure during the event, with no unknown person or thing being allowed into the secured area. All attendees need to be badged (with photo Ids if there is a belief that there might be actual risk), as does all staff. When the event is over the areas that were secured no longer need to be secured, and everyone can go home.
The protocol was quickly drawn up, and clearly explained what needed to be done, how it needed to be done, when it needed to be done, and why it needed to be done. The protocol was immediately bounced back to us, because we had forgotten to put in a mechanism that would clearly allow blame to be placed if anything went wrong. It took us a bit longer to re-write the second protocol, but finally managed to produce a document that met management requirements, yet still gave an indication as to what needed to be done.
When the conference took place we were not entirely shocked to discover that, in fact, the protocol had not been implemented. Were we upset? Not at all! For a start, we knew that there was no special risk associated with this conference, and that, at worst, the membership faced no more than the normal risks of fire, theft, and other fairly standard hazards. Second, we deduced we had been asked to do this on the off chance that if there was a problem, the organization could transfer blame to the host agency.
One might ask if there would have been a benefit to actually implementing the protocol, and if that would have justified the cost? The answer is no, because the risk was so low. While the manpower was already in place, and there would have been no additional costs for having an officer or cadet at every door in a timely manner, there would have been some minor cost in verifying facilities staff and giving them badges (and verifying their use). Since extra protection – beyond what the hotel would normally supply for any meeting – was no more justified than it would have been for a bunch of Boy Scouts, taking no additional effort was probably the appropriate action.
The real question is whether we should have spent the time and money developing a protocol in the first place: That is to say, did the development of the protocol, without its actual implementation, demonstrate an exercise of appropriate due diligence on the part of the organization, which would have shielded it in the case of an actual incident? I suspect that while blame for not putting the protocol in place would have been attempted to be passed to the host agency, it wouldn’t stick. Failing the prior development of a risk analysis showing that there was no need for additional protection, it would likely be shown that by developing, but not implementing, a protective protocol, the organization failed to exercise appropriate due diligence in the protection of its members.
