In a board meeting, the military general asked the airline's CEO, "Why is the pilot's food being labelled?" "Because that's the way we always do it," the CEO responded. "Well then stop doing it," the military director said. "If I'm a terrorist, I might have trouble getting through the cockpit door, but you're putting a red flag for me on how to poison the pilot and take down the plane."
In that exchange, the new military director on the airline's board of directors I was advising proved his value.
I am currently advising another board whose company is a target for a terrorist attack. Many other companies in transportation, utilities, defense, property development and financial services could take a page from below.
Here are six areas for boards to focus on to prepare for a possible terrorist attack.
1. Military experience on the Board. Military leaders have logistics, supply chain, tactical and international theatre experience domestic directors lack. Their contacts include the intelligence community. They think differently and understand evil.
2. Intelligence gathering. Boards should commission multi-lingual analytics from terrorist websites and chat-rooms, where the company, industry or executive is mentioned. There should be governmental relations on the board's competency matrix. Boards want to know about unknown unknowns, or emerging risks that can be catastrophic (the black swan), or interdependent risks that rapidly interact. Risk registers don't capture this dynamism yet. Proper intelligence gives boards and management teams a heads up.
3. Scenario planning. Good boards in sensitive industries are insisting on disaster recovery, catastrophic event planning, mock dry runs, and schedules so if or when it happens, the company is ready. There is even off-site functioning if the office is blown up.
4. CEO compensation. In a disaster that happened involving property destruction and death (another board), I was called in to recut the CEO's compensation. It went from financial short-term to include risk, relations, internal controls, and crisis management metrics. The compensation committee has enormous often unused control over behaviours and you reward what you pay for.
5. Communication. The CEO should have media training to prepare for scenarios, and respond to journalist questions. When the event happens, it is too late if you don't have this. Opinion crystallizes in days if not hours. The CEO profile for succession planning should include communication, intelligence gathering, and political linkages.
6. Invest in enterprise risk management (ERM) and information technology (IT). Risk management is often immature, cyber threats are significant, and good ERM is bottom up to include focus groups and integrated real-time IT. There are vulnerabilities that are missed without good ERM. Without being explicit, there are vulnerabilities at universities, cities, shopping malls and events that will surface in good ERM.
The bombers in Boston capitalized on police that were not there, inadequate crowd control at the finish line, and unattended unchecked bags. New York is much better at this now. Cameras, K-9 dogs, screening, monitoring, crowd control and escorts are all about choices. Management can choose not to do something. Boards can DIRECT that they do. This deters potential targets.