by Robert Landells

Post-Event Recovery

Terrorist attacks have wide-spread and devastating results to any organisation. It is therefore cogent to construct an effective rescue and recovery plan following such an attack.

There will likely be significant numbers of casualties, especially civilian. Also, significant damage to buildings and the infrastructure. The more complex and sophisticated the attack, the likelihood of larger casualty numbers and damage to the organisation there will be.

When a terrorist attack happens, we instantly have a ‘major incident’, which may result in crisis. The initial event, in this context the attack, is referred to as the ‘bang’, where there is an initial surge in information; which must be made sense of. The ability to operate productively under high-pressure, ‘VUCA’ (volatile, uncertain, complex, ambiguous) task environments whilst communicating effectively are key qualities of an effective rescue and recovery plan. This is even more so in the 21st centaury where communication is now expected to be instantaneous and global via our existing world-wide telecommunications, cyber and satellite networks. It is therefore paramount to ensure a ‘holding statement’ is ready to deploy as early as reasonably practicable after the attack.

The establishment of a Common Operating Picture (COP) so that all key personnel e.g. Other agencies; Stakeholders; C-Suite Executives; Incident Commanders (Gold Level); Mangers (Silver Level) and those on the ground (Bronze Level) can communicate with ‘common’ tongue and ensure real-time information is being exchanged to all relevant bodies. Establishment of an interoperable environment, especially for the ‘on-the-ground’ personnel from different agencies is also vital when dealing with an attack to ensure the best possible outcomes in the shortest timeframe.

When constructing an effective rescue and recovery plan, one realises that current, ground truth intelligence is of greater value than any command decision done at distance, especially when time delays are present and vital decisions need made that may impact critically on the organisations’ operations; image; supply chain; intellectual property; data etc. This includes dealing with media messages and controlling the flow of information outside the organisation. Any delay or failure in communication may evolve the initial ‘bang’ into a wider geographical event. This would highly likely result in the integration of key leaders from other agencies. The organisations’ Crisis Management Team (CMT) must always be able to act as the ‘gateway’ to other networks and maintain the (rich) COP as much as is reasonably practicable.

This fact paves the way to recognise the importance of the nature and content of any communications, especially when releasing the ‘holding statement’. Information is collaborated, validated and graded into utilisable intelligence. The intelligence fed to the CMT will allow a ‘triage’ of assessment (of the intelligence) so a hierarchy of significance and impact can be constructed and thus able to form a viable response. Only then can a ‘Win’ scenario hope to be revealed and implemented. Without comprehensive, current and relevant intelligence the CMT must resort to Recognised-Primed Decision (RPD) i.e. previous experience and judge (instinctually) whether the decision being made has a positive or negative impact.

Terrorist attacks cannot be accurately planned for and have no clearly defined solutions due to multidimensional dynamic shifts i.e. there is no planned scenario for a true terrorist attack or crisis. These ‘No Win’ situations are known to the CMT as ‘Black Swans’ or ‘Wicked Problems’. They involve rapidly degrading conditions and high time pressure for response. Also, they usually involve parallel crisis; are trans-boundary; are multi-jurisdictional and if so, have no ‘Single Point of Responsibility’ (SPoR).

The CMT must also strive towards instilling a culture of terrorism awareness within the organisation. Having authority to routinely run ‘live-drills’ at an undisclosed time, e.g. 03:00 am on a Sunday morning to audit the effectiveness of a Terrorism Management Plan (TMP), is vital to identifying and correcting any planning failures. A culture of appreciation towards terrorism management and assigning specific duties to staff within the organisation will help build a higher degree of resilience i.e. the organisation will be able to absorb, adjust, return and learn from the attack more smoothly; evolving into a Highly Reliable Organisation (HRO).

Contingencies and operating fastidiously and assiduously to maintain critical functions are vital to ensuring business continuity. The (ultimate) goal of the CMT is to ensure the organisation “survives and thrives” in a potential crisis. As Dr. Rubens states1:


“Every day you do not have a crisis, is one day closer to the day you will…”


Business Continuity Planning (BCP) and Business Continuity Management (BCM) are synonymously related and vital to ensuring business resilience. While BCP has traditionally focused on planning ‘failover’, identifying key decision makers and critical function redundancy, this is only part of the picture. A comprehensive continuity plan is only effective if implemented rapidly and managed fastidiously, hence, the need for BCM. This may involve a specialist led team; which aids to avoid Single Point of Failure (SPoF) occurrences. The CMT should be intimately involved with BCP and BCM. As intimated throughout this short essay, the CMT should also be integral to disaster recovery protocols; business continuity testing scenarios; crisis communication channels; employee welfare and establishing a culture of appreciation surrounding business continuity.

Hitherto, I have made effort to describe an overarching strategy and approach to constructing an effective rescue and recovery plan. Looking closer at the rescue phase, we must ensure internal and external emergency services receive real-time intelligence and that this intelligence is also easily accessible. Internal emergency services commence with trained first aiders, who may need access to information such as staff blood types, allergies, and medical needs. External emergency services largely consist of ambulance, fire and police but may involve specialist agencies e.g. CBRNE. Details on the staff members emergency contacts will also need shared with authorised personnel to update the families of those affected. Health and mental health resources may need accessed to assist those affected in the immediate and wider community.

There will come a point where a terrorist incident must transition from a rescue to a recovery phase. At this point, when responders are focused on recovering fatalities, evidence gathering or sanitising the locus, it is no longer appropriate to allow responders to work without adequate protection. This also has important ramifications for other aspects of locus control, such as PPE supply and enforcement. As time passes, some hazards decline e.g. the respiratory PPE due to initial dust and smoke may no longer be required to the same degree but constant vigilance, resources, communication and support remains paramount and ubiquitous. The establishment of cordons utilising the principles of Security-In-Depth (SID) (territory and boundary) and a appointing a ‘Scene Commander ‘ (SC) become paramount. The SC should be an adept crisis professional who can remain clam under pressure. Social conformity theory dictates that ‘behaviour breeds behaviour’ and therefore portraying confidence and calm will resonate positively and reassuringly with all those effected.

Lastly, evidence shows that when releasing updates, the ‘holding statement’ and any other announcement is best issued by an authorised third-party who is less directly affected by the emotional impact of the incident2.




  1. D. Rubens, Corporate Risk & Crisis Management Lecture Slides (2020)
  2. European Interagency Security Forum, Managing the Message (October 2013)