Kidnappings and Ransoms | Scope of Risk

Kidnapping is the forceful taking away or transportation of persons against their will, or without the consent of their legal guardian. Kidnapping often includes some form of imprisonment by the captor. Kidnappings are typically associated with crime or political activists; however, they can also include instances where persons give up their freedom to religious groups (if deemed harmful), the detention of a spouse against his or her will, abducting a child during parental disputes, the abduction of a bride to marry the abductor (if against the will of her guardians), or holding hostage a person to force another to commit an act against their will (coercion). This section of the IMP is designed to outline the nature and complexity of a kidnapping and ransom event. The IMP is not designed to manage such a crisis, only to ensure first response measures are taken until the transition to specialist crisis managers can occur.

Kidnapping, detention, and extortion are now some of the fastest‐growing crimes against companies in the developing world, with around 15,000 reported incidents worldwide each year as of 2007. Kidnapping and ransom situations are highly specialized areas; they can be short‐term risk events or may last many years as captives are held for considerable amounts of time. There are two main forms of typical kidnappings: the commercial and the ideological. The commercial kidnapping is conducted purely for monetary gain; the ideological kidnapping is for political or religious reasons. In some instances, commercial and ideological rationales may overlap, with a commercial or criminal kidnapping being conducted as a means to sell captives onward to a religious or political group for financial gain, or where such groups kidnap persons to acquire funding for their cause.

Commercial kidnapping is the most common risk type and comes in various forms—from criminal opportunists who kidnap an individual from the street and make the person withdraw money from a cash machine, to fake kidnappings where families are informed that a member has been kidnapped and money is demanded for their alleged release. More organized kidnappings target wealthy persons; individuals or groups plan the kidnapping in detail, which often results in much larger release costs. It is in the interest of commercial kidnappers to release their captives after ransoms are paid in order to perpetuate the business opportunity within this criminal industry sector. Commercial kidnappings are usually shorter in duration than ideological kidnappings and more frequently result in the release of the victims. Political or religious groups might engage in kidnappings in order to make a public statement, to deter government or commercial activities, to effect the release of persons from detention, or to achieve other political or religious demands. In the worst cases, captives are killed publicly, with media releases to achieve a group's goal. Often demands are made of governments rather than corporations or families. Ideological kidnappings tend to have a longer duration, unless the planned intention is to kill the captive from the outset.

The speed and quality of decision making and the immediate actions taken in the initial stages of a kidnapping incident are likely to have a significant influence on the outcome for both the individual and the associated company. The immediate implementation of the IMP therefore can play a critical role in ensuring the safe return of the captive. A transition from the IMP activities to corporate risk management response will occur at a point when specialist kidnapping and ransom consultants can assume the management responsibilities for the incident. If operating within a hostile location, immediate notification of supporting Western or local military authorities might assist with the immediate recovery of kidnapped persons through roadblocks and quick response intercession, before the victim can be removed from the area. Key initial IMP actions taken after a kidnapping include:

§  Ensure hostage safety.

§  Use external governmental or military agencies (if appropriate).

§  Establish the company's negotiation policy.

§  Understand the ransom policy and parameters.

§  Carry out agreed policies and procedures with local authorities.

§  Ensure family support policies and measures are in place.

Companies should use only a trained specialist to undertake any negotiations with kidnappers, not general managers or corporate executives. It is important to determine a negotiation strategy in terms of whether to negotiate, make payment, or seek alternative solutions. This will be done outside of the IMP parameters. The involvement of external parties is also a factor that requires consideration, in terms of providing time for law enforcement investigation or requesting government or military support. The extent of control permitted by external parties is also an important consideration—some government agencies may impose restrictions on the involvement of other groups in the situation, and such restrictions, or indeed the participation of government, could in some instances undermine the victim's chances of safe release. In addition, often the kidnappers’ initial ransom demand is too high. It is invaluable to have experienced and trained professionals determine whether to negotiate in order to provide the company, and/or family, a measure of future protection by reducing the kidnappers’ expectations and demonstrating that no further funds will be available if the hostage is not released. For commercial kidnappings, the contingency planning policy should set a target settlement figure and the level of an initial offer.

It is important for companies to understand that it is not only the captive individual and family who are affected by a kidnapping and ransom situation; the future safety and welfare of other company employees, the reputation of the company, its ability to continue business within the kidnap environment, and the company's market image and employees’ image of the organization are also at risk. In addition, the manner in which a kidnap and ransom situation is managed may have adverse effects on the company's relationship with the host nation authorities. These requirements and considerations provide an introduction to some elements that the company's leadership should consider during a kidnapping and ransom event:

§  Verify the Kidnapping.: Company management should explore all alternative explanations, including confirming that the individual is not just late or lost and has not been in an accident.

§  Brief Personnel.: The company should brief all likely recipients of a call from the kidnappers, ensuring that the communicator is ready to ask “proof of life” questions on receipt of the initial call. The company should choose a dedicated telephone to use for communications with the kidnappers.

§  Gather Information.: Companies should consider attaching a recording device to telephones to ensure that all instructions and information are received and evidence is gathered. If no recording equipment is available, the company should ensure that the person receiving or conducting any calls from the kidnappers makes full written notes as soon as possible afterward. Original tapes and letters sent by kidnappers may also be important evidence. Letters and envelopes should be touched only at the extreme corners and should be placed in plastic envelopes for photocopying and then transferred to normal envelopes and secured for eventual handover to police. Tapes should be copied immediately and originals secured. Transcripts and translations should be made as soon as possible.

§  Control Information.: The number of copies made of any information should be kept to a minimum, and strict security control should be applied by delegated company management. Permission should be given by appropriate persons before any material is handed over to local police or other authorities.

§  Initial Negotiations.: The initial response to the kidnappers should not include any commitment to, or comment on, monetary or other demands. The person who is in contact with the kidnappers should indicate that other management elements are en route who have decision‐making authority. At all times this person should be conciliatory with the perpetrators, as this allows the company time to establish an approach plan and also allows experts time to be deployed to the management location in order to best manage the incident. Proof of life will also be required to confirm the well‐being of the kidnapped employee.

§  Media Handling.: If the incident is known to the media, the company must monitor media reporting. Press inquiries should be referred to corporate headquarters for the public relations manager (spokesperson) to handle. If questioned, local managers might be authorized to admit that there is a kidnapping, stating that, because life is at risk, it would be wrong to make any additional comment. Companies should seek the media's understanding and sympathy in the matter, and request that they act responsibly, as it is in the best interests of the hostage and family. No details should be provided on the company's intentions or negotiation activities, contacts, liaison with law enforcement agencies, or the hostage, other than identity and any demands made by the kidnappers.

§  Family Liaison.: The family of any victim will be shocked and in need of advice, information, support, and administrative assistance from the company. Immediate support must be provided wherever they are located. A responsible party from the company must obtain the captive's information, health, and other medical details that may not already be known, as well as recent photographs. In exceptional circumstances, families may need to be relocated to friends or relatives, although the preferred solution is to move a friend or member of the company to stay with the family. The company should ensure that regular liaison and briefings are carried out by a manager trusted by the family. The representative should brief the family on the full facts and the likely sequence of events, while not being overly optimistic. The representative should avoid discussing rumors or speculation, or indicating that the incident is likely to be over in a short time. The company or external kidnap and ransom consultants should also warn family members of possible pressure tactics by kidnappers (e.g., threats or upsetting letters or videotapes from the hostage).

If personnel within a company are exposed to high levels of kidnap threat, some useful guidelines can be provided as part of a hostile environment training program. This can be in the form of risk avoidance measures, such as understanding what levels of threat an individual may be exposed to, knowing where safe locations and routes are to reduce the probability of kidnapping, reporting suspicious activity, varying schedules and routes, maintaining information security, and remaining vigilant when in high‐risk areas or situations. Personnel should be advised that the majority of kidnappers are seeking a reward and only view their captives as a commodity, bearing no personal ill will toward the victim, and that the majority of kidnappings are resolved without injury to the victim. If personnel are unfortunate enough to be kidnapped, some simple guidelines can improve their situation during the event, such as:

§  Hostages should not discuss religious or political matters, but remain neutral at all times.

§  Hostages should seek to personalize themselves by discussing family and loved ones.

§  Hostages should accept any food or water given, and be passive and non‐confrontational.

§  Hostages should rest as much as possible and be aware of their surroundings, noises, sights, and smells in order to provide information to authorities on release.

The IMP will support immediate kidnapping and ransom response needs, provide a critical flow of information to the CRT, trigger a corporate kidnapping and ransom response plan, and initiate the mobilization of specialist groups. The manager should refer to the Business Continuity Management Plan section relating to kidnapping and ransom, or typically contact the head of the corporate or country crisis response team directly if a kidnapping occurs. Incident managers should also consider the implications of the kidnapping in terms of the safety of other employees within the area or region. An increase in the company's overall security posture may be advisable under some circumstances if the kidnapping is potentially a precursor to additional threats.

Espionage or Information Security Breach | Scope of Risk

Commercial or industrial espionage includes the acquisition of sensitive commercial or government information through both legal and illegal means in order to steal, use, or acquire data that will give illegally gained competitive advantages in technological or brand capacity, or undermine another group's business activities or reputation. Espionage can be an unethical but legal act if information is gathered from discarded materials that come into the public domain. This may include riffling through the trash in order to find sensitive documents. Industrial espionage may also use both unethical and illegal means to gain information by theft of trade secrets, the use of bribery and blackmail, seduction and pretense, human and technological surveillance, and violence and intimidation. Industrial espionage may be undertaken by criminal groups, businesses, or governments, or in some cases by insurgent and terrorist organizations, and often occurs during a tendering or product development period.

Companies should identify which activities and individuals are most at risk from espionage and review the policies, procedures, and training in place to safeguard information and materials. The company should develop standard operating procedures to protect sensitive information through policies and physical and technological security measures. The IMP will provide the initial alert and response measures if an information breach is reported.

The risk of espionage can occur in any country or political state, within the West or in a newly independent republic (either a totalitarian state or freely elected democracy). In order to minimize the threat of industrial espionage, a company should advise personnel that there is always a risk, especially during business negotiation periods or when designing new products. As a result, any sensitive information or documents should be identified and protected; that is, staff should be advised never leave sensitive documents lying around—always keep them with you. Hotels and hotel safes can, and in some countries definitely will, be searched. Personnel should assume their hotel rooms, telephones, and in some cases long‐term accommodations are bugged with electronic devices. Personnel should seek to use their cell phones as opposed to the hotel phones, preferably on the balcony. Personnel should also assume their e‐mails will be intercepted; their content should be sanitized where possible.

Electronic files or documents should be saved on a secure hard drive that is Pretty Good Privacy (PGP) encrypted, and ideally only on company assets. An alternative to the hard drive of the laptop/desktop is an external hard drive, which itself should be secured when left unattended. File sharing should also be managed appropriately so as to ensure that only those personnel requiring and authorized to have such information have access. A need‐to‐know policy should be applied. Veiled speech or prearranged code words should be used on radio networks and when communicating by telephone so as to ensure operational security. When using the telephone to make calls that may include classified information when or relaying sensitive information, individuals must use their utmost capability to ensure they cannot be overheard by third‐party individuals.

Sensitive or classified information may be used by unauthorized persons to undermine an organization's business interests or project activities, or physically target facilities, supplies, or personnel. Information security should reflect the risks posed if such information were to fall into the wrong hands. Consequently, all potentially classified or sensitive documentation and notes should be disposed of by burning or shredding, and not be discarded in trash bins. This includes commercially sensitive information, personnel data, rosters, plans, schematics, telephone lists, reports, surveys, and schedules. Classified material may come in the form of documentation, data, slides, photographs, and communications traffic. All personnel should be aware of their surroundings when discussing sensitive or classified information on the radio networks (which are usually non‐secure) or by telephone (which is even less secure). Besides electronic forms of eavesdropping, impromptu or casual eavesdropping may also occur.

While industrial espionage generally takes the form of technological infiltration or physical searches, personnel should be aware that it may take the form of a personal interrogation. To this end, it is advisable to be wary of members of the opposite sex who wish to talk after several drinks, in either a seductive or a companionable manner. When traveling abroad, it is inadvisable to become inebriated in unknown company, as it may expose you to unnecessary physical risk. Personnel should decline a drink that they have not seen poured unless the dispenser is known and trusted.

Incident Management Plan Risk Assessments

While typically a function of the crisis response team (CRT), it can in some instances be useful for the incident response team (IRT) to indicate how a crisis event may impact the company from a grassroots perspective. This will feed immediate concerns and information from the source of the event, to supplement the data response materials forwarded during the initial stages of a crisis event. A basic IMP risk assessment of how the event may affect the company can prove useful to support risk mitigation at all levels at the early stages of a crisis. Such assessments may include:

Immediate Concerns

• Is there an immediate risk to personnel?

• Is there an immediate risk to the company's reputation?

• What risks are presented to resources or facilities?

• Is there a risk to third parties?

• How long before any of these risks occur—how much time is there?

Situation

• What is the cause or motive of the risk event?

• Is it likely to get worse?

• Are other (different) threats likely to occur?

• What happened, where, and when?

• What effects are to be expected in the best case, likely case, and worst case?

Complicating Factors

• What legal implications are there?

• What media interest has been shown?

• What environmental factors will hamper the resolution of the problem?

The IMP risk assessment should not be confused with the responsibilities of the crisis response team and specialist responders, who should conduct more comprehensive risk assessments and evaluations during and following the crisis. The IMP risk assessment is a tool designed to provide a local perspective of the problems and impacts likely to occur that might fall outside of normal reporting formats within the IMP. While not a component of the IMP, the company should also link risk assessments to any recovery plans so that when the situation has sufficiently stabilized the company can begin to plan the resumption of normal operations.

REDUCING VULNERABILITY THROUGH MITIGATION ACTIVITIES

Mitigation activities or controls are any actions taken to permanently eliminate or reduce the risk of hazards to human life, property, and function. The four basic mitigation activities are as follows:

1. Deterrent controls reduce the likelihood of a deliberate attack and/or dissuade would-be attackers by making a facility less desirable as a target.

2. Preventive controls protect vulnerabilities by making an attack unsuccessful or reducing its impact.

3. Corrective controls reduce the effect of an attack.

4. Detective controls discover attacks and may trigger preventive or corrective controls.

Combining Risk Assessments and Mitigation Initiatives

A more sophisticated method of conducting risk analysis and assessing mitigation initiatives is a failure modes and effects analysis (FMEA) (Electronic Industries Association 1971). Developed by the U.S. military in 1949 as a reliable evaluation technique to determine the effect of system and equipment failures (U.S. Armed Services 1984), FMEA systematically identifies potential system failures, their causes, and the effects on the system’s operation. It is most often used to proactively assess the safety of system components and to identify design modifications and corrective actions needed to mitigate the effects of a failure on the system.

The FMEA process can be a valuable tool in improving internal preparedness for response to emergencies or disasters of any sort and has been endorsed by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). When the analysis is extended to include an assessment of the failure mode’s severity and probability of occurrence, the analysis is called a failure mode, effects, and criticality analysis (FMECA).

An example of the FMECA process applied to routine hospital operations might be patient admissions through the emergency department. To admit a patient, a number of functions must occur: an accepting physician must be identified and contacted, initial orders must be provided to the accepting floor or ward, administrative and clerical work accompanying the admission must be completed, a bed and the nursing staff must be prepared to accept the patient, and the patient must be delivered to the floor or ward. A defined failure might be the inability to admit the patient within one hour of the determination that admission is warranted. By analyzing the processes involved with getting the patient admitted, failure modes can be identified (e.g., inordinate delay in preparing the patient’s room), and the root cause of these failure modes can be further elucidated. If the cost of the failure mode is sufficient (e.g., patient or staff dissatisfaction), procedures may be modified, additional staff may be hired, or other actions may be taken to improve this process.

RISK MANAGEMENT AND Weapons of Mass Effect

The actual risks from the use of such horrific weapons by terrorists against the American population are difficult to determine. Most communities face a much greater threat from unintentional anthrogenic or natural disasters. Traditional events—those due to accident, nature, or human error—can be predicted or at least anticipated based on historical records, and the magnitude of the consequences can be estimated. For instance, the existence and location of floodplains are known, as are areas prone to tornadoes or hurricanes, and local emergency planning committees are aware of the locations and quantities of highly toxic materials. Armed with such information, engineering and administrative controls instituted as an outcome of previous disasters have greatly lessened the consequences of these events.

The key elements of effective risk management are threat and vulnerability assessments. These processes, discussed in greater detail in Chapter 3, form the backbone for risk assessment. Risk assessment drives mitigation initiatives to prioritize actions to reduce either the probability that an event will occur or lessen the consequences should it happen. Modeling and simulation are powerful tools to identify community or facility vulnerabilities to a wide range of potential threats but do little to determine the actual threat.

The WME threat is based on terrorist motive, opportunity, and availability of the weapons or agents. Little need be said concerning terrorist motivation to do harm against the United States and its citizens. Although the United States is the most open society in the world, difficulties in gaining entrance to the nation while harboring significant caches of these weapons lessen, but do not eliminate, the opportunity. It is only the lack of the availability of such weapons, or the skills and resources by which to produce them, that keeps the overall threat low. Advances in science may work against these odds in the future, however. It is generally presumed that terrorists will have the greatest difficulty in obtaining or fielding those weapons that produce the greatest threat: nuclear or biological weapons. Chemical-warfare attacks and the use of radiological dispersal devices are considered to pose an intermediate threat, and the use of conventional explosives or the intentional release of toxic industrial materials poses the greatest threat.

It is equally difficult to measure the threat against a specific community or organization. Most terrorist attacks historically were targeted against governments, the military, or industry. Although these organizations and entities remain high on terrorist lists, a trend has developed over the last decade toward attacks against the civilian population. This shift is in keeping with the prime motivation of terrorists to create terror. Although the random sniper attacks near Washington, DC, in fall 2002 did not use WME, the effect was the same: a population significantly affected by fear. Finally, extremist organizations within our borders, such as religious cults or single-issue terrorists, may target organizations traditionally not prone to such attacks. One can only imagine the overall effect on its citizens if hospitals in small towns across the United States were targeted for explosions in a random fashion over several weeks or months.