Terrorist risks: how can employers prevent and respond?

With the fall of Daesh, some might have thought the terrorist risk had disappeared. The attacks in Christchurch and Utrecht remind us that this is not the case. Just like with any other risk, the principles of precaution and foresight apply to employers.

However, the Occupational Health and Safety Code imposes even stricter obligations: every company is required to establish a multi-year risk prevention plan, which, in our view, should clearly include the prevention of terrorist risks today. It is also important to note that the obligation to prevent risks applies not only to the employer but also to the entire hierarchy.

Material measures
Minimum material measures for access control (badges, security gates, etc.), using surveillance services, or even internal or external private detectives, searches, information collection, etc., must be implemented. These measures will also vary depending on the company's activities or situation, i.e., its sensitivity to the terrorist risk.

Of course, this involves complying with specific, often complex legislation related to surveillance cameras on and off the workplace, security services, worker searches, and, of course, the handling of personal data collected. Not to mention any obligations to inform workers.

For companies most exposed to risk, crisis management and response drills, similar to those for fire emergencies, should be considered.

Documents and legal tools
As we mentioned in our previous article, the company’s work regulations, code of conduct, recruitment policy, and/or whistleblowing policy should incorporate a terrorism section and, in any case, provide the necessary legal tools.

The work regulations will include the definition of misconduct and serious reasons, the powers of control for security personnel, searches, the implementation of occasional telecommuting, monitoring, and the handling of personal data.

The code of conduct will outline a policy of philosophical and religious neutrality, rules for suspicions and detection of suspicious behaviors, a reminder of individual obligations, etc.

The whistleblowing policy will focus on the obligation to report abnormal behaviors.

And it is important to adequately cover the management of external companies, subcontractors, and their personnel with appropriate policies and service contract clauses.

Business continuity plan
If prevention fails, the company must be prepared to react appropriately in the event of a terrorist attack. A business continuity plan detailing the measures to take and the "correct reactions" should be integrated into the overall risk management plan. Securing and evacuating the premises, emergency communications, providing first aid, closing the company, notifying workers inside and outside the company, and providing psychological support should all be included. Additionally, measures for anticipating transportation or premises blockages, including telecommuting, should be considered.

In this context, an emergency database with contact information and other useful data will likely be a valuable asset.

What about mobile workers?
For companies employing mobile workers or those seconded abroad, an additional section should be put in place to assess risks and, if necessary, delay, suspend, or cancel trips, with all the potential consequences.

It is important to remember that an employer who does nothing exposes themselves to liability, both to their workers and third parties.