Planning After Paris
When a disaster occurs, crisis and continuity plans are thrown into flux, no matter how soundly they have been written or practiced by a business. In the case of a terror attack, the added stress of violence and shock poses serious challenges for companies as they scramble to ensure that employees are safe. And on many unfortunate occasions, employees must deal with the painful loss of coworkers and friends.
Such was the case for many businesses around the globe during the events of November 13, 2015, in Paris, France. A staggering 130 people lost their lives in a series of gun and bombing attacks around the city, and hundreds of others were wounded. All 11 attackers were operating under loyalty to the Islamic State of Iraq and Syria (ISIS). It was Europe’s worst terror attack in 11 years.
Parisian businesses and companies operating in France faced a monumental challenge in the wake of the events, and had many more questions than answers. When should they reopen? Should they ban travel? How should they handle executives who were traveling abroad? Did they need to hire more security officers? How should they communicate with stakeholders and the media?
The following is an inside look at what companies in Paris did after the attacks to resume business as usual. Then, experts relate how businesses can apply best practices when building and activating crisis and continuity plans.
The impact of the attacks in France was far-reaching, but Parisian businesses faced a unique struggle in the wake of so much bloodshed. The events took place on a Friday, which gave some companies a small window to get their bearings. But the question of how to carry on with business as usual in spite of the disruptions loomed large.
Nicolas Le Saux, CPP, chair of the ASIS European Advisory Council, tells Security Management that security representatives from some of those companies came together after the deadly attacks to plan and discuss business continuity.
He says that when various parties reached out to the ASIS council for advice on business continuity, a lightbulb went off. “We realized over that weekend—actually Saturday—that we lacked information on how to restore business as usual,” according to Le Saux, who is also an ASIS regional vice president. “So we started to talk to each other….if you do it the right way and you share good ideas, best practices, you might be able to get things moving back on track more rapidly.”
Council members began conducting weekly conference calls to address the vast array of challenges companies faced in restoring continuity. Participants included ASIS chapter representatives, members of the CSO Roundtable, and various security professionals from around the United Kingdom and other parts of Europe. The first call, which took place just days after the attacks, brought in 40 participants. Some calls included representatives from law enforcement and the French Minister of the Interior.
“Everyone was trying to establish what the other businesses were doing,” says Le Saux. “Should they ban international travel, should they send their American staff back home? We realized that every one of us needed to know what the other was doing.”
Le Saux, who is a past chair of the ASIS France Chapter, explains that if a security executive pleads a case to the CEO on his own, that’s one thing. However, “It’s very different if you say, ‘I had a conference call this weekend, and this is the same position that all the other organizations in Paris are taking.’ That worked very well,” he notes.
For example, banks were not sure whether it would be appropriate to reopen the first business day after the attacks, which would be a Monday. While all decided to remain closed Monday, there was discussion on whether to reopen on Tuesday. Two CSOs from major French banks were on the call, and they together made the decision to begin conducting business again on Tuesday. “Because they reopened, every other bank reopened as well,” Le Saux notes. “This is the power of the idea that, if you have five big banks and two of them decide to reopen on Tuesday, the others will follow suit.”
The question of outfitting security guards with bulletproof vests was also raised, especially since businesses were being contacted left and right about these quick-fix solutions. “What you get after a crisis like this is everybody and his dog trying to peddle stuff to security providers,” Le Saux points out. After much discussion, participants decided against outfitting security with such vests because they might make patrons and other staff members anxious.
Many businesses were also considering hiring additional security staff. In France, security personnel have to obtain special licensing from the state, which makes it costly for the organization bringing them on.
Le Saux says that members of the nation’s licensing board were actually on the call during the guard discussion, and they pointed out that there were a limited number of guards available, far fewer than would be required for full staffing. “Rather than putting pressure on security firms to get more guards, running the risk of obtaining unlicensed people and, therefore, poor security or even worse, we were able to convince members on the call to take a different approach.”
Participants on the call suggested sealing off multiple entrances to a business and placing more security personnel at the door or doors they decided to keep open.
“Because we were able to talk among ourselves, especially those working in the defense industry who had a lot of pressure from their managers to implement that kind of idea, they were able to come back to their bosses and say ‘look, we had this conference call over the weekend and we did a canvass of these 40 security managers and CSOs and we all think it’s a bad idea, and here are the reasons why.’”
Interest in these information-sharing sessions has only been growing. Security executives from the United Kingdom invited Le Saux to participate in a session in early December put on by London First, a nonprofit organization for business leaders. They discussed the impact of the French attacks on businesses across Europe, and Le Saux says that after the session he was flooded with requests from people wanting to participate in the weekly calls.
“It’s extremely rare [in Europe] to share information, especially for security,” he says, “and that’s probably one of the outcomes from this tragedy, it’s actually forcing people to mutualize and cooperate….We have to stick together, and cut time and costs if we can, to be able to face the challenge.”
Like many of those on the conference calls, businesses in Paris found themselves activating their crisis communications plans after the attacks. In a statement, Disneyland Paris announced it was temporarily closing “in light of the recent tragic events in France and in support of our community and the victims of these horrendous attacks.” Similarly, the Eiffel Tower announced it would remain closed the Saturday after the massacre. The Louvre said it planned to reopen Saturday with additional security, but the French Ministry of Culture ordered it to remain closed to observe a national day of mourning.
“It’s amazing how an event like [Paris] exposes your continuity planning vulnerabilities,” says Dr. Robert Chandler, a crisis communications expert who has authored several books on the topic, and is professor of communications at Lipscomb University in Nashville. “It’s all the little details that it’s hard to think about until you’re right in the middle of it and you look at the confusion, the questions that people have.”
Chandler’s advice to companies: plan for an entire lifecycle of a disruption, from the first time news of the event is received to anywhere from a few days to a few weeks later. This applies to crisis planning, communications, and business continuity practices. “So whether you’re running a corner bakery or a major international amusement park, the question is, are you prepared to keep all of this stuff as coordinated as you possibly can to manage the disruption, and address the uncertainty and anxiety among all of your target audiences?”
Communication. Issues surrounding communication arise in everyday business practices, Chandler points out, even among well-meaning individuals. So those problems are only amplified by a crisis. “Even in the best of times we have misunderstandings,” he says. “Throw in a little bit of fear, a little bit of adrenaline, a little bit of active-gunman panic and, poof, now I’m misunderstanding everything, I’m not even focused, I’m not hearing what you’re saying.”
Chandler, who studies the effects of stress and hyper-stress on the human brain, explains that cognitive capabilities become narrowed in a crisis, making everything harder to manage. And on top of that, he says the actual communication method affects how messages are perceived and acted upon by the recipient. “Your actual decisions are different depending on the modality, the duration, and the preparedness you have to communicate,” he notes. For example, sending an e-mail may be the best method to communicate with executives who tend to be near their desktop throughout the day, but phone calls could be better suited for lower-level employees who are more mobile. “You have personnel who are probably out and about, you have grounds crews, you have people in business meetings,” says Chandler. “Reaching people and getting them to pay attention to a message will vary based on where they are…whether they’re high-mobility or low-mobility employees.”
Businesses can plan for the types of messaging they want to use and map out a framework for disseminating that information beforehand. He recommends planning for both “push” and “pull” communications. “Push communications capabilities are your ability to reach out and tag and touch and communicate with someone,” says Chandler. A mass-notification application that sends a text message, e-mail, or automated phone message is an example of push communication.
On the other hand, a pull communication is when stakeholders can obtain information on their own volition. These pull communications are planned in advance, and can go live on a website in the event of an emergency. An 800 number can be available for callers to access information, for example. Having both push and pull communications that are well-planned in advance is a critical step for communicating with employees, vendors, suppliers, and other stakeholders.
When writing any crisis communication messages, Chandler recommends applying the 3-3-30 rule: three short sentences that convey three key messages in 30 words or less. “You might not write it down to the granular, but you should have talking points,” he notes.
Contingency planning. In the event of a major disruption, basic but important questions arise from employees directly or indirectly affected by the incident. Chandler, who was in Europe for a series of conferences during the Paris attacks, experienced this with many of the clients and coworkers he was in contact with. “The questions people were literally asking,” Chandler notes, “were ‘If I can’t go to this meeting, do I go to my normal shift, do I go home? And if I go home, do I get paid?’ I know this sounds like a minor issue in the middle of a catastrophe, and I don’t want to downplay that—but they were real questions.”
He says that business contingency plans should start with the company’s employees—where employees should report to work, how they report to work, and the best way to adjust their schedules and shifts. Having an alternative site where mission-critical operations can be conducted is also crucial.
Next there should be plans in place for dealing with inventory if shipments or deliveries are disrupted. Again, he emphasizes that effective communication plans are critical in all of these scenarios. “You can have the most brilliant inventory supply chain management policy that’s ever been invented,” Chandler notes. “But if you can’t talk to anybody or let them know or activate them or reroute them…you’re not really managing the event.”
In the case of the Paris attacks, it became critical for U.S. companies to pay attention to messages coming from embassies and agencies like the U.S. Department of State, says Tom Blank, a former acting administrator of the U.S. Transportation Security Administration and now a consultant at Gephardt Government Affairs.
He adds that having secure transport available for executives may be advisable in the event of an emergency. “Traveling executives should have drivers that are arranged by their security consultants, and reliable vehicles that should be checked, [so they don’t have to] rely on local taxis or local transportation vendors.”
Blank notes that establishing a relationship with a local security consulting firm, one that is knowledgeable about the economic, political, and cultural climate, can help companies prepare for unexpected incidents. “In one part we’re talking about resilience, which is getting back to normal as a way of defeating or thwarting the bad guys, but the other side of the coin is preparation,” he says.
A system should also be in place for employees to be accounted for in a timely manner. “Recovery has to be built into your emergency plans,” says Dr. Michael J. Fagel, a crisis management expert and editor of Crisis Management and Emergency Planning: Preparing for Today’s Challenges. “Whether it’s repatriation, or maybe a toll free number where people call you and you say, ‘I’m okay I’m home now’…. It’s a networking system where you are able to escape and report back to security managers.”
The media. The death of an employee is a company’s worst scenario, and having to discuss it publicly with the media is tricky and sensitive. After the Paris attacks, several organizations found themselves with just this daunting task.
The first step in dealing with the media on such sensitive topics is understanding your audience, Chandler says. If employees are hurt or killed, he recommends concentrating on common sensibilities: focus on the people involved, focus on the consequences, and express both sympathy and empathy for those involved. “The way you talk to the media should come from your own sense of values,” he says. “That this is not a pretend thing, but that you genuinely feel compassion.”
He adds that such statements should say what the company is doing in response, why they’re doing it, and that they are committed to seeing those tasks through. He emphasizes that media statements are not the place to start shifting the blame. “When the Gulf oil spill happened, nobody cared that BP was blaming a subcontractor and who the subcontractor was blaming—people just wanted to know what’s being done to fix the leaking oil and who’s taking responsibility.”
In the case of any incident, businesses should carefully adhere to policies, laws, and regulations when divulging information to the media. Still, they can use those opportunities to stay on message. For example, under healthcare privacy laws hospitals can’t always share specific information on patient conditions. “If a reporter asks about a specific patient’s condition, a hospital can say, ‘federal law says I can’t tell you this, but let me tell you what we do for patients in our hospital,’ and you get back to your messaging.”
On alert. Ultimately security managers must plan for the worst, says Fagel, because there is no silver bullet for stopping attacks on a place of business. “I do not have an answer on how to prevent these types of attacks—I just don’t know,” he concedes.
He emphasizes the importance of moving swiftly when an emergency does occur. “The key is early notification. Whatever the event might be, as soon as one of your people finds out that there’s something untoward going on, they need to activate the emergency plan,” he says. “And the emergency plan can be the phone call, it can be the notification, but what it needs to do is invoke the emergency plan itself.”
And all the preparation that goes into crisis planning is only effective if the plans are well practiced. “Your plans will fail if they’re not practiced, and they will fail if they’re not bought into by all the people at your organization,” says Fagel. “If you don’t practice, plan, and prepare, the system will fail.”