< Back to Blog

Plans are nothing; planning is everything

April 17, 2024

The Chairman of the Manchester Arena Inquiry, The Hon Sir John Saunders, last week published Volume Two of his report into the death of the 22 victims of the terrorist attack on 22nd May 2017. His report, “Volume Two: Emergency Response”, is the second of three and examines the emergency response following the attack at the Manchester Arena.

One of his main findings is that “Robust procedures are necessary to counter the threat of a terrorist attack. The purposes of those procedures and the necessity of following them must be understood by those carrying them out.”

I have written in the past around this subject, most recently when Lord Harris presented his report on London’s preparedness for a terrorist incident similar to that suffered in Manchester. I have also written on how inadequate video camera coverage perhaps aided one of the bombers in his preparation.

Sir John’s inquiry may provide limited comfort to the families of the 22 people who died and 91 seriously injured in the tragic event in Manchester. The revelation of poorly prepared emergency services and their inadequate response to the events that night makes for sombre reading. “The evidence I have heard revealed that a great deal went wrong in the emergency response to the attack on 22 May 2017,” said Sir John. For example, the police did not have an up-to-date plan of the Manchester Arena complex, so did not know where everything was. The British Transport Police gold commander on the night of the attack was based in the south of England. For their part, the emergency services have offered a full apology for their failings.

Looking back to move forward

For many years I travelled abroad extensively for small and large corporations. I booked my own flights and hotels and, other than immediate colleagues knowing where I was, there was no central mechanism to confirm where I, or any of the other thousands of employees travelling the globe, were at any point in time. The 9/11 attacks changed all that. In the following years, many companies, especially larger corporations adopted much more stringent travel regulations, to protect their employees and themselves. For example, all travel being booked through a company ‘portal’ so that managers knew exactly where their people were in the case of a disaster event; with a disaster recovery and contact plan in place should the worst happen, to warn, track or trace employees and families.

Incidents like 9/11, the London or Manchester bombings remind us why all organisations need procedures to handle emergencies, and in the aftermath of these attacks protocols are understandably reviewed. But over time, too often they are forgotten, misunderstood, or ignored. Worse, as the Manchester inquiry shows, even when procedures are in place, those who play a role in security may not talk to each other and don’t understand each other’s role.

Looking to the bigger picture

A security installer might have put an advanced video surveillance system in place for an organisation, but unless there is a solid layer of procedures that govern how the insights created by the system are handled, it’s utterly useless. What’s the point of using artificial intelligence to alert users to incidents – even sometimes before they happen – if procedures aren’t in place and no one really knows how to react.

Let’s take a scenario. A video system alerts a school to a suspicious intruder on campus, what is the agreed response? An audio alert, or an investigation by an individual? In which case, who? Should they be accompanied? When would managers be informed of the incident? Should the individual tasked with confronting the intruder use body worn video? Where are the body worn video cameras kept, and who has access to them? At what point in an escalation of events are evacuation or lockdown protocols instigated? Do all staff know those protocols, or does this knowledge rest with a few senior managers?

Consider a simple “Identify-Protect-Detect-Respond-Recover” framework.

How often is electronic security only focused on the first three pillars. Do we or the end user have a clear plan for pillars four and five i.e. “what happens next / what if?”

Electronic security is a highly effective deterrent, and a tool so useful in protecting people, property and assets that is it is relied on by organisations of all sizes and law enforcement agencies alike. But the tool is only as good as the policies and procedures that dictate the responses required.

If an installer ‘fits and forgets’ a video surveillance system, they are doing their customer no service whatsoever. Yes, they may leave site with an operational system and all boxes ticked. But whether those cameras are protecting a stadium, a concert venue or a commercial office, a ‘tick box’ approach is not enough. As we have seen from the inquiry into Manchester last week, so many things are critical to the effective operation of security systems, and having protocols in place and ensuring everyone knows what they are, is critical.

The security industry must do more

We as an industry are part of the solution, but it frightens me to see how siloed we often are on ‘our’ approach.

We must all re-ask ourselves; do we spend enough time looking at those wider parts of the system, addressing the actual risks, or do we simply sell in a certain number of cameras, an intruder system, or some access control and then sail off into the sunset?

Should we be doing more to understand and discuss procedures, roles and responsibilities around the solution supplied, to ensure real value and enhanced security for the end-user? Are we really comfortable that the information and data from our solution are accessible to the right people, and drive the right decision-making and outputs?

I am sure we could all do more. The industry often talks of wanting to be seen as more professional. In which case, many need to step up and treat our customers’ risks – and our role in managing those risks – more seriously and more holistically.

For their part, end users need to have a very clear idea of the purpose of their security system, how it is going to be used, by whom, and how those involved at every level will interact based on the information provided by that technology. Electronic security is not just about the number of doors secured or cameras fixed to walls. It should be coordinated towards a common objective which should form part of the security risk profile. And it needs to be well understood. Processes are pointless if they are not understood by all, as the quote from President Eisenhower at the top of this blog makes clear.

If your organisation could use help understanding and managing the risks that affect it, contact Reliance High-Tech on info@reliancehightech.co.uk.