Associated Risks: A Perhaps Not-So-Obvious Threat

by David Pounder and Omar Tisza

This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Reportdistributed to members on 11 July 2019.

There are threats not inherent in day-to-day activities or related to direct threats routinely confronted by an organization. For example, most faith-based organizations (FBOs) may never encounter a hostage situation, an extremist demonstration, or a major sport championship parade. Nonetheless, these types of incidents or events may pose indirect threats to FBOs in proximity to such activity.  

While many FBOs occupy standalone buildings, many houses of worship, other faith-based and charity facilities are adjacent, co-located, or otherwise in proximity to other organizations that are also widely accessible to the public. These relationships to other facilities and organizations constitute a risk from potential indirect threats that FB-ISAO refers to as “Associated Risk.” Examining these associated risks allows organizations to look beyond just the direct threats, and consider risks that emanate from potential incidents that bring other, perhaps less likely, or asymmetrical, threats with them. Planning for associated risk requires close coordination with local partners, awareness of local events and activities, and making appropriate risk-based decisions to minimize impact or effectively responding to the threat.

What Are Associated Risks?

Associated risks are potential unwanted outcomes resulting from an incident, event, or occurrence in nearby proximity, that may not be connected to the specific organization or location. In many instances, the associated risk stems from the impact of threats against people, places or event that are actually the intended target. While the direct threat may be to something specific, the associated risk is to everything and everyone that may be associated with the target.

  • Associated Risks can occur in instances when an entity becomes a “second-hand” target by way of an attacker’s intended target, or when the second-hand target, or incident, is located in close proximity of the intended target.
  • Associated risks are not typically planned for and may not be identified during normal planning and preparedness efforts.

Keeping abreast of local events and maintaining close coordination with local authorities and neighbors will help organizations recognize and prepare for associated risks.

Indirect Threats; Associated Risks

From protest events to celebratory parades, in recent months there have been several instances in which facilities were impacted from an associated risk, as opposed to a direct threat to their business or location. Types of such activities could include:

  • A protest taking place in proximity to an FBO, charity, or other non-profit facility. Such events could escalate and include acts of violence, vandalism, threaten uninvolved personnel, or otherwise indirectly impact a facility. A recent demonstration in Portland saw multiple assaults reported and items that looked like milkshakes, but actually contained quick-dry concrete, thrown at demonstrators and officers.
  • A shooting incident, criminal or a mass shooting event, may occur in proximity to an FBO, charity, or other non-profit facility, or (as was the case in the recent Odessa shooting spree) may implicate a large area and cause massive confusion. Such events may be particularly impactful to organizations during peak service or business hours, and lead to necessary decisions on evacuations, sheltering in place, or otherwise responding to protect people.
  • Sports celebrations, holiday, and other notable parades can be proud times for a city but the festivities around the victory can cause physical damage to local establishments, and parade routes can disrupt normal day-to-day operations. Whether real or not, extremists or ardent supporters on either side of an issue could use such events to promote their agendas or show their disapproval, creating an possible associated risk for FBOs.

For FBOs, the above incidents may not immediately present a risk or indicate a threat, but that often depends on the location of the organization, its members or other visitors, and a number of other factors that may extend beyond the FBO, charity, or other non-profit facility itself. Maintaining situational awareness of these types of events and the potential spill-over impact will be beneficial to overall organizational preparedness.

Mitigate Associated Risks

  • Coordinate with local law enforcement and neighborhood partners. These valuable relationships need to be established in advance of any threat or incident and are a vital part of incident response planning. Keep in touch with local law enforcement and fusion centers for potential threat updates and upcoming events that may represent potential targets for attacks.
  • Review local activity and events. Maintaining situational awareness of community activities and incidents allows organizations to consider potential threats and make risk-based decisions.
  • Develop appropriate incident response. While it is difficult to anticipate every possible associated risk, organizations should still develop response plans that will enable more effective response to an evolving threat and make real-time decisions. This could include evacuating the immediate area, shutting down business operations, or alerting employees to remain at home.
  • Convene key personnel when appropriate. Once events are identified that could cause associated risk, it will be important for the organization to coordinate and assess the potential impacts.
  • Communicate, communicate, communicate. Last, but certainly not least, if operational changes are required, these need to be communicated to employees so they can comply or respond accordingly. For example, an organization may choose to work from home when there are big events near the office. This requires a direct communication channel to employees.

David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H­ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.

Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!